Could not retrieve an OCSP response.

Andreas 1,301 Reputation points
2023-02-02T08:54:37.2433333+00:00

Hi,

We have 1 MS 2022 CA server, and have noticed on our DCs the following error message

EventID 36928

Source Schannel

Could not retrieve an OCSP response.

   The Failure Reason is: REASON_OCSP_RESPONSE_RETRIEVAL_ERROR
    The OCSP Url is: 
   The previous OCSP response contained the following times:
      ThisUpdate: 1601-01-01T00:00:00.000000000Z
      NextUpdate: 1601-01-01T00:00:00.000000000Z

The attached data contains the certificate.


We don't have an OCSP installed, so why does this error message appear? And as I understand it, we do not need any OCSP either. We only publish internal machine certificates so the machines can connect to the Wifi.

Please advise.

Thanks for any reply

/R

Andy


7 answers

  1. Maurizio Poles 0 Reputation points
    2023-05-16T18:19:05.12+00:00

    I am having the same issue with Windows Server 2022. However, this started to happen after I installed the CA. All the settings are default. I have not modified any settings. In the past, I never had this issue with just defaulted settings. What do I need to do to resolve this?


  2. Michael Maher 42 Reputation points
    2023-09-14T10:24:40.0933333+00:00

    I was using an OCSP responder and got this error on a newly built DC running Server 2022.

    Any other server or workstation on the domain I tested could validate certs fine against the OCSP server.

    To replicate the error, export a cert. Can be any cert as long as it is issued from your CA.

    Run this certutil test. In this case I call my exported cert dc.cer.

    certutil -f -urlfetch -verify .\dc.cer | sls "OCSP"

    The OCSP call will fail from the server generating these event log entries but the same command will work from another host.

    I can't say I worked out why this happens, but I got around it by restarting the OCSP server. Then running the same command on the new DC worked.

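A PowerShell check added here (not code from the question or either answer) that ties the two threads together: it lists the machine certificates issued by the internal CA, reports whether each one actually carries an OCSP URL in its AIA extension (the event in the question shows an empty "OCSP Url" field), and then runs the certutil -urlfetch -verify test from the answer above against a temporary export of each certificate. It assumes an elevated PowerShell on the server logging event 36928; $IssuerFilter is a placeholder for your CA's subject name, and the AIA text layout parsed is the Windows CryptoAPI formatting.

```powershell
# Added example, not from the original thread. Run elevated on the DC logging Schannel 36928.
param(
    [string]$IssuerFilter = 'Contoso Issuing CA'   # placeholder: substring of your CA's name
)

$aiaOid  = '1.3.6.1.5.5.7.1.1'    # Authority Information Access extension
$ocspOid = '1.3.6.1.5.5.7.48.1'   # OCSP access-method identifier inside AIA

function Get-OcspUrlsFromAia {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $aiaOid }
    if (-not $aia) { return @() }
    # Format($true) yields the multi-line text Windows also prints in certutil; the
    # "Access Method=" / "URL=" layout below is an assumption about that formatting.
    $urls = @()
    $inOcsp = $false
    foreach ($line in ($aia.Format($true) -split "`r?`n")) {
        if ($line -match 'Access Method=') {
            $inOcsp = ($line -match [regex]::Escape($ocspOid))
        } elseif ($inOcsp -and $line -match 'URL=(\S+)') {
            $urls += $Matches[1]
        }
    }
    return $urls
}

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*$IssuerFilter*" }
foreach ($c in $certs) {
    Write-Host "`n== $($c.Subject)  (thumbprint $($c.Thumbprint))"
    $ocspUrls = Get-OcspUrlsFromAia -Cert $c
    if ($ocspUrls.Count -eq 0) {
        # Nothing for Schannel to fetch: no OCSP responder is advertised in this cert,
        # which matches the blank "The OCSP Url is:" line in the event from the question.
        Write-Host "   AIA carries no OCSP URL; revocation checking can only use a CRL (if any)."
    } else {
        Write-Host "   OCSP URL(s): $($ocspUrls -join ', ')"
    }
    # Same certutil test as the answer above, on a temporary DER export of this certificate.
    $tmp = Join-Path $env:TEMP "$($c.Thumbprint).cer"
    [IO.File]::WriteAllBytes($tmp, $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    certutil -f -urlfetch -verify $tmp | Select-String 'OCSP' | ForEach-Object { "   $_" }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

Compare the certutil lines from the DC with the same certificate checked from another host: if only the DC fails, the problem is on that server's path to the responder rather than in the certificate itself.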