OCSP Location 1#

Question

Issue:

Service and problem has no problem:

Now we had some changes in the exchange certificates/OCSP certificate

The documentation has the following solution, but I have a question:

The cmd (replace exchange cert)

certutil –cainfo xchg

1. Is this all you need to do? It comes with the begin and end certificate as output. Do you have to save that info as a certificate or does the command replace the certificate and that's it?
2. Some articles say you need to do something with the OCSP template and place a OCSP certificate in the personal (local computer) certificate store on the subca2. But how do you bind that certificate? And do you have to do this?

Answer 1

Hello there,

Yes this command will replace the certificate.

PKIView.msc relies on CA Exchange certificate information to retrieve CDP/AIA URLs for leaf CAs and then to build the hierarchy in the console. If you made changes, you have to revoke CA Exchange certificate, so next time you run pkiview.msc a new CA Exchange certificate will be generated with updated URLs.

Similar discussion here https://learn.microsoft.com/en-us/answers/questions/216597/pkiview-shows-ocsp-error-on-location-1

You can also refer this article https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx#Install_and_Configure_the_Online_Responder_Role_Service

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--