Could not retrieve an OCSP response.

Question

Hi,

We have 1 MS 2022 CA server, and have noticed on our DC`s the following error message

EventID 36928

Source Schannel

Could not retrieve an OCSP response.

   The Failure Reason is: REASON_OCSP_RESPONSE_RETRIEVAL_ERROR
    The OCSP Url is: 
   The previous OCSP response contained the following times:
      ThisUpdate: ‎1601‎-‎01‎-‎01T00:00:00.000000000Z
      NextUpdate: ‎1601‎-‎01‎-‎01T00:00:00.000000000Z

The attached data contains the certificate.

We don't have a OCSP installed, so why does this error message ? And as I understand we do not need any OCSP either. We only publish internal machine certificates so the machines can connect to the Wifi.

Please advice.

Thanks for any reply

/R

Andy

Answer 1

Hi,

Thanks for reply, but this is just telling me generally about issues related to OSCP, please be more specific to my question since I am not following you.

1. We don't have a OCSP installed, so why does this error message ? And as I understand we do not need any OCSP either.

/R

Andy

Answer 2

Check the configuration of CA. The notes state you have one 2022 CA so you have a root that is also acting as the policy and issuance CA as well. Remote to the CA itself, open Certificate Authorities console under Windows Administrative Tools. Right click the CA and select Properties. Click the Extensions tab. In the selections box choose Authority Information Access (AIA). This is where the validation of the CA is defined. What is located there is encoded on all certificates issued from the CA. If you find LDAP entries and/or OCSP entries then the problem is you are encoding certs with that validation information but the validation end points don't exist. LDAP validation is the old way and is listed for support of 2003 and older OS. The URLs listed on this tab should exist or not be listed. They are populated when the CA was initially configured. You should have at least one location (local drive) and one CDP location (AIA entry) at minimum. Remove the LDAP and OCSP locations which don't exist.

Answer 3

Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

Generally, an OCSP response cannot be retrieved when:

The certificate issuer is not responding to OCSP requests. This could be because the OCSP responder is either down or not configured properly to accept requests.

The issuing certificate authority (CA) has revoked the certificate and the revocation is not yet propagated.

The OCSP responder is not responding to the requests due to a network or server error.

The certificate is self-signed, meaning that it is not signed by a trusted CA and therefore not verifiable.

The issuing CA has not configured the OCSP responder correctly, or has not made the OCSP service available.

If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

Answer 4

Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

Generally, an OCSP response cannot be retrieved when:

The certificate issuer is not responding to OCSP requests. This could be because the OCSP responder is either down or not configured properly to accept requests.

The issuing certificate authority (CA) has revoked the certificate and the revocation is not yet propagated.

The OCSP responder is not responding to the requests due to a network or server error.

The certificate is self-signed, meaning that it is not signed by a trusted CA and therefore not verifiable.

The issuing CA has not configured the OCSP responder correctly, or has not made the OCSP service available.

If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

Answer 5

I got the same issue on my secondary DC with Windows 2022 Std. I have a CA deployed but I do not have a configuration revocation on my Online Responder.

Any suggestions?

Thanks!