What does certutil downloadocsp error "Error => Pending OCSP response download" mean?

List Box at name 1 Reputation point
2021-07-05T22:42:15.233+00:00

I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command

certutil -downloadocsp .\certs\ .\ocsp_responses\ downloadonce

A single p7b certificate is in the certs directory. I read the log of my OCSP responder in real-time, and I can see that
the connection is made. And the output from certutil looks like it downloads the response. But certutil reports an
error, and no OCSP response is saved in .\ocsp_responses\.
The output from certutil is:

====  Downloaded OCSP Responses  ====
7/5/2021 2:56 PM 44.368s :: Error => Pending OCSP response download -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>

Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2

CertUtil: -downloadOcsp command completed successfully.

I get the same behavior on Windows 10 Pro, and Windows Server 2019. The OCSP responder is openssl 1.1.1f

What might the problem be, and how can I correct it?
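The thread does not establish why certutil leaves the response as "Pending". As an added diagnostic, not part of the original question or any answer, the script below decodes the outer OCSPResponse envelope defined in RFC 6960 (responseStatus plus the optional responseBytes) from a DER file, so a practitioner can check what the responder actually returned before blaming the client. It uses only the Python standard library; the sample byte strings it builds are constructed here for illustration and the inner "basic response" payload is a placeholder, not a real signed BasicOCSPResponse.

```python
"""Decode the outer OCSPResponse envelope (RFC 6960, section 4.2.1) from DER bytes.

Assumptions: pure DER input (short or long definite lengths, no indefinite
lengths); only the envelope is parsed, the signed BasicOCSPResponse inside
is reported by type and length, not verified.
"""

STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"  # id-pkix-ocsp-basic


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER: missing tag or length byte")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                     # short-form length
        length = first
    else:                                # long-form length: N length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER: value runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_ocsp_response(der: bytes) -> dict:
    """Return responseStatus and, if present, the responseBytes type and size."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("OCSPResponse must be a single SEQUENCE")
    tag, status, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:   # ENUMERATED
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    code = status[0]
    result = {"status": code, "status_name": STATUS_NAMES.get(code, f"unknown({code})"),
              "response_type": None, "response_len": 0}
    if pos == len(body):                  # no responseBytes: an error-only reply
        return result
    tag, explicit, _ = _read_tlv(body, pos)
    if tag != 0xA0:                       # [0] EXPLICIT ResponseBytes
        raise ValueError("expected [0] EXPLICIT responseBytes")
    tag, rb, _ = _read_tlv(explicit, 0)   # ResponseBytes SEQUENCE
    if tag != 0x30:
        raise ValueError("ResponseBytes must be a SEQUENCE")
    tag, oid, p = _read_tlv(rb, 0)        # responseType OBJECT IDENTIFIER
    tag2, inner, _ = _read_tlv(rb, p)     # response OCTET STRING
    if tag != 0x06 or tag2 != 0x04:
        raise ValueError("ResponseBytes must hold an OID and an OCTET STRING")
    result["response_type"] = _decode_oid(oid)
    result["response_len"] = len(inner)
    return result


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_responses() -> dict:
    """Constructed samples: two error-only replies and one 'successful' envelope."""
    oid = bytes([43, 6, 1, 5, 5, 7, 48, 1, 1])         # 1.3.6.1.5.5.7.48.1.1
    placeholder_basic = b"\x30\x02\x05\x00"            # stand-in, NOT a real BasicOCSPResponse
    return {
        "tryLater": _der(0x30, _der(0x0A, b"\x03")),
        "unauthorized": _der(0x30, _der(0x0A, b"\x06")),
        "successful": _der(0x30, _der(0x0A, b"\x00") + _der(0xA0, _der(
            0x30, _der(0x06, oid) + _der(0x04, placeholder_basic)))),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # usage: python ocsp_envelope.py response.der
        print(parse_ocsp_response(open(sys.argv[1], "rb").read()))
    else:
        for name, blob in build_sample_responses().items():
            print(name, "->", parse_ocsp_response(blob))
```

A responder that answers with tryLater, unauthorized or another non-successful status sends no responseBytes at all, which is exactly the shape the first two samples show; a successful reply must carry responseBytes with responseType id-pkix-ocsp-basic. Saving the raw reply from the responder log or from a capture and running it through this check tells you which of the two cases you are looking at.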

1 answer

  1. Daisy Zhou 18,956 Reputation points Microsoft Vendor
    2021-07-06T03:02:22.007+00:00

    Hello @List Box at name ,

    Thank you for posting here.

    To better understand your question, please confirm the following information at your convenience:

    1. Based on the description above, you configured the OCSP responder through openssl 1.1.1f instead of on a Windows CA server, is that right?

    2. Where did you run the command above (on a Windows server or a Windows client)?

    3. Is the OCSP response a file? If so, why didn't you copy the file to all these Windows machines manually?

    I cannot see such a command (certutil with parameter -downloadocsp) in the certutil command usage.
    certutil
    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
