Cannot get OCSP working even though all certs are fine

Matt Axton 5 Reputation points
2025-11-19T13:50:38.03+00:00

Hi,

I am creating an internal PKI service. I have got an offline RootCA and 2 standalone SubCAs.

These are operational and signing certificates. I have created ocsp certs with No Rev Check & OCSP Signing OIDs added.

The online responder is up and green certificate-wise.

When I try and browse to http://<host>/ocsp I get a server error 500 response.

When looking at PKIVIEW the ocsp reports failed to download, also, when using certutil -url <cert>.cer (signed by SubCA) it reports as failed.

No firewalls are enabled, I can browse to the CRL files, the OCSP is online.

Any ideas gratefully received.

Thanks

Matt


4 answers

  1. Kate Pham (WICLOUD CORPORATION) 430 Reputation points Microsoft External Staff Moderator
    2025-11-20T06:09:56.2366667+00:00

    Hi Matt,

    Thank you for sharing your concerns in detail.

    Please refer to the workarounds below to address the issue:

    1. On the OCSP server, try resetting the OCSP service:

    Then restart the IIS service as well, with the command below (in an elevated cmd.exe):

    iisreset   
    

    If the problem persists, try checking in event log for Application, System and Applications and Services Logs → Microsoft → Windows → CAPI2 to see if we have any error related to the issue.

    2. Please check and capture the PKIView result, including the OCSP status.
    3. On the OCSP server, open Online Responder Management and verify whether the certificate and service are reported as OK.

    For OCSP to work properly, the configuration status must be OK.

    If there are issues, the error message will be displayed here.

    Feel free to let me know if you need any further assistance!

    Thanks and Regards!

     

     

    1 person found this answer helpful.

  2. Deleted


  3. Matt Axton 5 Reputation points
    2025-11-24T14:20:33.87+00:00

    Hi,

    I have restarted the OCSP & IIS services, both start fine.

    The OCSP responder reports signing certificate as OK

    The last log was OnlineResponder service started successfully

    Cheers

    Matt


  4. Matt Axton 5 Reputation points
    2025-12-01T16:46:23.64+00:00

    I cannot see that my certificate hasn't got the OCSP No Revocation Checking element in the cert.

    I followed the MS article but the OID (or whatever it is) is not added to the cert.

    Any ideas?

    Thanks

    Matt

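One way to see which of the two OIDs discussed in this thread (OCSP Signing and OCSP No Revocation Checking) are actually present in a certificate file, as an added example that is not part of the original posts. The function name `Test-OcspSigningCert` and the file path are hypothetical; the Authority Information Access text is only populated when the certificate carries that extension.

```powershell
# Added example: report whether a certificate file carries the OCSP Signing EKU
# and the id-pkix-ocsp-nocheck extension. Function name and path are hypothetical.
function Test-OcspSigningCert {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $ocspSigningEku = '1.3.6.1.5.5.7.3.9'      # id-kp-OCSPSigning
    $ocspNoCheck    = '1.3.6.1.5.5.7.48.1.5'   # id-pkix-ocsp-nocheck
    $ekuExtension   = '2.5.29.37'              # Enhanced Key Usage
    $aiaExtension   = '1.3.6.1.5.5.7.1.1'      # Authority Information Access

    # Load the .cer/.crt file (DER or Base64) from disk.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full

    $ekus       = @()
    $hasNoCheck = $false
    $aiaText    = $null

    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq $ekuExtension) {
            # Decode the raw extension into a typed EKU object to list its OIDs.
            $eku  = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $ext.Critical)
            $ekus = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        elseif ($ext.Oid.Value -eq $ocspNoCheck) {
            $hasNoCheck = $true
        }
        elseif ($ext.Oid.Value -eq $aiaExtension) {
            # Human-readable AIA, which is where an OCSP URL would be listed.
            $aiaText = $ext.Format($true)
        }
    }

    [pscustomobject]@{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        NotAfter            = $cert.NotAfter
        HasOcspSigningEku   = $ekus -contains $ocspSigningEku
        HasOcspNoCheck      = $hasNoCheck
        AuthorityInfoAccess = $aiaText
    }
}

# Hypothetical path to the exported OCSP signing certificate.
Test-OcspSigningCert -Path .\ocsp-signing.cer | Format-List
```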
