I am having the same issue with Windows Server 2022. However, this started to happen after I installed the CA. All the settings are default. I have not modified any settings. In the past, I never had this issue with just default settings. What do I need to do to resolve this?
Could not retrieve an OCSP response.
Hi,
We have 1 MS 2022 CA server, and have noticed on our DCs the following error message:
EventID 36928
Source Schannel
Could not retrieve an OCSP response.
The Failure Reason is: REASON_OCSP_RESPONSE_RETRIEVAL_ERROR
The OCSP Url is:
The previous OCSP response contained the following times:
ThisUpdate: 1601-01-01T00:00:00.000000000Z
NextUpdate: 1601-01-01T00:00:00.000000000Z
The attached data contains the certificate.
We don't have an OCSP installed, so why does this error message appear? And as I understand it, we do not need any OCSP either. We only publish internal machine certificates so the machines can connect to the Wifi.
Please advise.
Thanks for any reply
/R
Andy
8 answers
-
Michael Maher 47 Reputation points
2023-09-14T10:24:40.0933333+00:00
I was using an OCSP responder and got this error on a newly built DC running Server 2022.
Any other server or workstation on the domain I tested could validate certs fine against the OCSP server.
To replicate the error export a cert. Can be any cert as long as it is issued from your CA.
Run this certutil test. In this case I call my exported cert dc.cer.
certutil -f -urlfetch -verify .\dc.cer | sls "OCSP"
The OCSP call will fail from the server generating these event log entries but the same command will work from another host.
I can't say I worked out why this happens, but I got around it by restarting the OCSP server. Then running the same command on the new DC worked.
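The certutil check from the answer above, wrapped in a PowerShell script added here (not code from the thread) that first lists the OCSP and CA Issuers URLs in the certificate's AIA extension, so the result can be compared with the empty "The OCSP Url is:" field in the 36928 event. It assumes the certificate was exported to a file (dc.cer by default) and that Schannel logs to the System log under the provider name Schannel.

```powershell
# Added example, not code from the thread: inspect a certificate's AIA extension,
# run the same certutil URL-fetch check as in the answer, and list recent
# Schannel 36928 events. Assumes the exported certificate path (default .\dc.cer).
param(
    [string]$CertPath = '.\dc.cer'
)

function Get-AiaUrls {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # Authority Information Access (OID 1.3.6.1.5.5.7.1.1) holds the OCSP
    # (1.3.6.1.5.5.7.48.1) and CA Issuers (1.3.6.1.5.5.7.48.2) access locations.
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $result = @{ Subject = $cert.Subject; OCSP = @(); CAIssuers = @() }
    if ($null -eq $aia) { return $result }
    $method = $null
    # Format($true) renders one "Access Method=... (OID)" line followed by its URL line(s).
    foreach ($line in ($aia.Format($true) -split "`r?`n")) {
        if ($line -match '1\.3\.6\.1\.5\.5\.7\.48\.1') { $method = 'OCSP' }
        elseif ($line -match '1\.3\.6\.1\.5\.5\.7\.48\.2') { $method = 'CAIssuers' }
        elseif ($line -match 'URL=(\S+)' -and $method) { $result[$method] += $Matches[1] }
    }
    return $result
}

$info = Get-AiaUrls -Path $CertPath
Write-Output "Certificate: $($info.Subject)"
if ($info.OCSP.Count -eq 0) {
    Write-Output 'No OCSP URL in the AIA extension: there is no responder location for Schannel to fetch from.'
} else {
    $info.OCSP | ForEach-Object { Write-Output "OCSP URL:       $_" }
}
$info.CAIssuers | ForEach-Object { Write-Output "CA Issuers URL: $_" }

# Same revocation-fetch test as in the answer; the OCSP lines show whether the
# fetch succeeded from this host.
Write-Output '--- certutil -urlfetch -verify ---'
certutil -urlfetch -verify $CertPath | Select-String -Pattern 'OCSP'

# Recent Schannel 36928 events on this host, to correlate with the failing fetch
# (assumes the provider name Schannel in the System log).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36928 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

Run it on the DC that logs the events and on another host against the same exported certificate; a difference in the certutil OCSP lines between the two reproduces the behaviour described in the answer.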
-
Paul 0 Reputation points
2024-08-08T15:34:45.1766667+00:00
Hi All
Did anyone come up with a solution for this? I have just experienced the same issue after upgrading one of our DCs from Server 2019 to Server 2022. We are running an Enterprise CA for internal purposes only and were of the understanding OCSP is to check public based certificates.
Prior to the upgrade we ran a full DCDIAG across our estate (all DCs on Server 2019) and had Zero issues. Now when running a DCDIAG on the upgraded DC the exact same issue is occurring as Andreas initially reported.
Has anyone tried adding the OCSP Responder to their CA and if so, did this fix it? Although I don't understand, as under the CA Extensions Tab you add a public address, which wouldn't address any self-signed certificates?
We removed any LDAP entries from the CA Extensions Tab (we had no OCSP entries) and the warnings remained, so we reinstated the LDAP addresses.
Thanks in advance!