This section lists a few common issues you may encounter when using the Online Responder snap-in or working with Online Responder Arrays. For more information about troubleshooting and resolving problems with Online Responders, see Active Directory Certificate Services Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=89215).
What problem are you having?
- The Online Responder service did not start
- The Online Responder's signing certificate could not be located
- An attempt to create a revocation configuration failed
- The signing certificate for the Online Responder configuration will expire soon
- The signing certificate for the revocation configuration has expired
- An Online Responder revocation configuration cannot be loaded
- The Online Responder service could not retrieve a CRL for the specified revocation configuration
The Online Responder service did not start.
- Cause: The Online Responder service can fail to start because of corrupted registry information or insufficient system resources.
- Solution: Try to restart the Online Responder service from the Services snap-in (Services.msc). If the Online Responder service fails to start, check the event log for other errors that may be related to this failure. If not enough system resources are available to start the Online Responder service, try to restart the computer or free system resources. If the registry information is corrupted, you must use Server Manager to uninstall and reinstall the Online Responder service.
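The same check can be scripted so that a failed start immediately surfaces the related event log entries and the free memory figure the solution above asks you to look at. This is an added example, not code from the original page; it assumes the Online Responder service name is OcspSvc and that its events are written to the Application and System logs under a provider name containing "OnlineResponder".

```powershell
# Added example (not from the original page): check the Online Responder
# service, try to start it, and on failure show recent related events and
# free physical memory. Assumptions: service name OcspSvc; events logged to
# Application/System with a provider name containing "OnlineResponder".

$serviceName = 'OcspSvc'
$service = Get-Service -Name $serviceName -ErrorAction Stop

if ($service.Status -eq 'Running') {
    Write-Output "$serviceName is already running"
    return
}

try {
    Start-Service -Name $serviceName -ErrorAction Stop
    $service.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Write-Output "$serviceName is now $((Get-Service -Name $serviceName).Status)"
}
catch {
    Write-Warning "Could not start ${serviceName}: $($_.Exception.Message)"

    # Rough resource check: free physical memory in MB (Win32_OperatingSystem reports KB)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Write-Output ('Free physical memory: {0} MB' -f [math]::Round($os.FreePhysicalMemory / 1KB))

    # Critical, error and warning events from the last 24 hours that relate to the service
    $since = (Get-Date).AddHours(-24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application', 'System'
        Level     = 1, 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.ProviderName -like '*OnlineResponder*' -or
        $_.Message -match 'Online Responder|OcspSvc'
    } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
}
```

Run it in an elevated PowerShell session on the Online Responder computer; if the service still will not start and the events point at registry corruption, the reinstall through Server Manager described above is the remaining step.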
The Online Responder's signing certificate could not be located.
- Cause: The OCSP Response Signing certificate is not present in the Personal certificate store for the computer account, or, if the signing certificate should have been issued by using autoenrollment, autoenrollment was not completed.
- Solution: If an OCSP Response Signing certificate is not present in the Personal certificate store for the local computer, and the revocation configuration is set up for manual OCSP Response Signing certificate enrollment or auto-discovery, you should enroll for a certificate manually. For configurations in which the Online Responder service enrolls for its certificate, manual enrollment will not work and you need to identify the reason that autoenrollment did not work. Possible reasons include:
  - The computer on which the Online Responder service is running cannot connect to a certification authority (CA) that has been configured to issue certificates based on the OCSP Response Signing template.
  - The Online Responder does not have Read, Enroll, and, if autoenrollment is being used, Autoenroll permissions on the OCSP Response Signing template.
An attempt to create a revocation configuration failed.
- Cause: An attempt to create a revocation configuration failed with the message "Bad signing certificate on Array Controller."
- Solution: Verify that the OCSP Response Signing certificate template has been correctly configured. Otherwise, configure the certificate template to allow manual enrollment for these signing certificates.
The signing certificate for the Online Responder configuration will expire soon.
- Cause: When autoenrollment is not being used, a reminder to renew an expiring certificate is generated automatically when a certificate has a configured percentage of its lifetime left (by default, this is 10 percent of its total validity period). You can check the time remaining on the current signing certificate by using the Certificates snap-in to examine the OCSP Response Signing certificate in the Personal certificate store of the computer or the Online Responder service.
- Solution: If the OCSP Response Signing certificate template has been configured for automatic enrollment and renewal, further action may not be needed. For manual configurations, you can renew the signing certificate by using the Certificates snap-in and the Certificate Renewal Wizard.
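The lifetime check the cause describes can also be done from PowerShell, which is convenient on an Array with several members. This is an added example, not code from the original page; it assumes the signing certificate carries the OCSP Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.9) and lives in the local computer Personal store, and it uses the 10 percent default as a parameter you can change to match your template.

```powershell
# Added example (not from the original page): list OCSP Response Signing
# certificates in the local computer Personal store and report how much of
# each one's validity period remains, flagging those at or below the renewal
# threshold (10 percent by default, matching the text above).
# Assumption: signing certificates are identified by the OCSP Signing EKU.

function Get-OcspSigningCertificateStatus {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [double]$ThresholdPercent = 10
    )

    $ocspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning
    $now = Get-Date

    Get-ChildItem -Path $StorePath |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ocspSigningEku } |
    ForEach-Object {
        $total     = $_.NotAfter - $_.NotBefore
        $remaining = $_.NotAfter - $now
        $percent   = if ($total.TotalSeconds -gt 0) {
            [math]::Round(100 * $remaining.TotalSeconds / $total.TotalSeconds, 1)
        } else { 0 }

        [pscustomobject]@{
            Subject          = $_.Subject
            Thumbprint       = $_.Thumbprint
            NotAfter         = $_.NotAfter
            DaysRemaining    = [math]::Floor($remaining.TotalDays)
            PercentRemaining = $percent
            HasPrivateKey    = $_.HasPrivateKey   # a signing cert without its key is unusable
            Status           = $(if ($remaining.TotalSeconds -le 0) { 'EXPIRED' }
                                 elseif ($percent -le $ThresholdPercent) { 'RENEW SOON' }
                                 else { 'OK' })
        }
    }
}

$results = Get-OcspSigningCertificateStatus
if (-not $results) {
    Write-Warning 'No OCSP Response Signing certificate found in the local computer Personal store.'
}
else {
    $results | Format-Table -AutoSize
}
```

A certificate reported as RENEW SOON on a manually enrolled configuration is the one to renew through the Certificates snap-in; on an autoenrolled configuration it is a sign to confirm that autoenrollment is still reaching the CA.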
The signing certificate for the revocation configuration has expired.
- Cause: Automatic renewal of the signing certificate failed, or manual certificate renewal was not completed before the expiration date.
- Solution: For configurations in which the Online Responder service enrolls for its certificate, manual enrollment will not work and you need to identify the reason that autoenrollment did not work. Possible reasons include:
  - The computer on which the Online Responder service is running cannot connect to a CA that has been configured to issue certificates based on the OCSP Response Signing template.
  - The Online Responder does not have Read, Enroll, and Autoenroll permissions on the OCSP Response Signing template.
If the revocation configuration is set up for manual enrollment of the OCSP Response Signing certificate, locate the signing certificate in the local computer Personal certificate store on the Online Responder computer. For manual configurations, you can renew the signing certificate by using the Certificates snap-in and the Certificate Renewal Wizard.
It is also possible that the OCSP Response Signing certificate could not be renewed because the CA key that was used to sign the original OCSP Response Signing certificate has been renewed and is no longer available. To overcome this problem, you must allow the OCSP Response Signing certificate to be renewed with an existing key. For more information, see Renew OCSP Response Signing Certificates with an Existing Key.
An Online Responder revocation configuration cannot be loaded.
- Cause: The revocation configuration has become corrupted.
- Solution: Use the Online Responder snap-in to delete and re-create the revocation configuration. If this problem occurred on an Array member, you can delete the corrupted configuration from the Array member and then synchronize the Array to re-create the revocation configuration. If you are encountering this problem on an Array controller, temporarily set another computer as the Array controller, synchronize the Array, and then reset the original computer to be the Array controller.
The Online Responder service could not retrieve a CRL for the specified revocation configuration.
- Cause: Certificate revocation list (CRL) publication failed, CRL distribution points are invalid, or the Online Responder service could not access the published CRL.
- Solution: To identify and address CRL retrieval problems for an Online Responder:
  - Use the Online Responder snap-in to verify that the URLs configured for base and delta CRL distribution points are valid.
  - Use the Certification Authority snap-in to verify the URLs to which the CA will publish base and delta CRLs.
  - On the computer to which the base CRL is published, examine the Freshest CRL extension for the base CRL. Verify that it identifies a location where the delta CRL can be found.
  - Republish the current CRL, if necessary, by typing the following command at a command prompt:
    certutil -crl
  - Then, verify that the Online Responder service can access the CRL. From the Online Responder snap-in, right-click Array Configuration, and click Refresh Revocation Data.