Event ID 36928/Reason for error: REASON_OCSP_RESPONSE_RETRIEVAL_ERROR every 10 hours

SK_0512 0 Reputation points
2023-09-11T05:46:21.0933333+00:00
I have always found this information helpful.
I have added AD CS functionality to Windows Server 2022 and now I get the following events every 10 hours.


=====
Attached data contains a certificate." Error,2023/08/24 0:03:55,Schannel,36928,None, "Could not obtain OCSP response.
Reason for error: REASON_OCSP_RESPONSE_RETRIEVAL_ERROR OCSP URL:.
The previous OCSP response contained the following times: ThisUpdate: 1601-01-01   
   ThisUpdate: 1601-01-01T00:00:00.000000000Z    
   NextUpdate: 1601-01-01T00:00:00.000000000Z
=====


The OCSP function is not used.
Is it OK to ignore this event?

I searched for information on the web and thought the following URL information was similar, but there did not seem to be a clear answer.
We would appreciate it if you could provide us with some information on how to deal with this problem.


https://learn.microsoft.com/en-us/answers/questions/1166523/could-not-retrieve-an-ocsp-response


Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,800 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 43,916 Reputation points
    2023-09-11T14:45:19.8033333+00:00

    Hello there,

    Check the configuration of CA. The notes state you have one 2022 CA so you have a root that is also acting as the policy and issuance CA as well. Remote to the CA itself, open Certificate Authorities console under Windows Administrative Tools. Right click the CA and select Properties. Click the Extensions tab. In the selections box choose Authority Information Access (AIA). This is where the validation of the CA is defined. What is located there is encoded on all certificates issued from the CA. If you find LDAP entries and/or OCSP entries then the problem is you are encoding certs with that validation information but the validation end points don't exist. LDAP validation is the old way and is listed for support of 2003 and older OS. The URLs listed on this tab should exist or not be listed. They are populated when the CA was initially configured. You should have at least one location (local drive) and one CDP location (AIA entry) at minimum. Remove the LDAP and OCSP locations which don't exist.

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments No comments