What does certutil downloadocsp error "Error => Pending OCSP response download" mean?

Question

What does certutil downloadocsp error "Error => Pending OCSP response download" mean?

I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command

certutil -downloadocsp .\certs\ .\ocsp_responses\ downloadonce

A single p7b certificate is in the certs directory. I read the log of my OCSP responder in real-time, and I can see that
the connection is made. And the output from certutill looks like it downloads the responce. But certutil reports an
error, and no ocsp responce is saved in .\ocsp_responses\
The output from certutil is:

====  Downloaded OCSP Responses  ====
7/5/2021 2:56 PM 44.368s :: Error => Pending OCSP response download -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>

Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2

CertUtil: -downloadOcsp command completed successfully.

I get the same behavior on Windows 10 Pro, and Windows Server 2019. The OCSP responder is openssl 1.1.1f

What might the problem be, and How can I correct it?

List Box at name 1 Reputation point

2021-07-06T21:12:00.38+00:00

Looking again, the output message from certutil probably means

Pending: 1

not

1 Errors:

List Box at name 1

II discovered I can use the verbose option here. The verbose output is:

7/6/2021 2:43 PM 14.488s :: Check certificate files in directory <certs>
7/6/2021 2:43 PM 14.488s :: Open OCSP subject certificate file -- saratoga.candy-land.name_exchange_20210630145440_exchange.p7b
7/6/2021 2:43 PM 14.498s :: Add OCSP response file -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>
7/6/2021 2:43 PM 14.498s :: Waiting for 1 download OCSP reponses to complete

====  Downloaded OCSP Responses  ====
7/6/2021 2:43 PM 14.498s :: Error => Pending OCSP response download -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>

Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2

CertUtil: -downloadOcsp command completed successfully.

Daisy Zhou 13,021 Reputation points Microsoft Vendor

2021-07-09T04:58:11.513+00:00

Hello @List Box at name ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2021-07-12T03:56:47.553+00:00

Hello @List Box at name ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

List Box at name 1 Reputation point

2021-07-06T21:12:00.38+00:00

Looking again, the output message from certutil probably means

Pending: 1

not

1 Errors:
List Box at name 1 Reputation point

2021-07-06T21:49:44.24+00:00

II discovered I can use the verbose option here. The verbose output is:

7/6/2021 2:43 PM 14.488s :: Check certificate files in directory <certs> 7/6/2021 2:43 PM 14.488s :: Open OCSP subject certificate file -- saratoga.candy-land.name_exchange_20210630145440_exchange.p7b 7/6/2021 2:43 PM 14.498s :: Add OCSP response file -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b> 7/6/2021 2:43 PM 14.498s :: Waiting for 1 download OCSP reponses to complete ==== Downloaded OCSP Responses ==== 7/6/2021 2:43 PM 14.498s :: Error => Pending OCSP response download -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b> Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2 CertUtil: -downloadOcsp command completed successfully.
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2021-07-09T04:58:11.513+00:00

Hello @List Box at name ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2021-07-12T03:56:47.553+00:00

Hello @List Box at name ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 1

Daisy Zhou 13,021 Microsoft Vendor

Hello @List Box at name ,

Thank you for posting here.

To better understand your question, please confirm the following information at your convenience:

1.Based on the description above, you configured the OCSP responder through openssl 1.1.1f instead of on one Windows CA server, is it right?

2.Where did you run the command above (on one Windows server or Windows client)?

3.Does ocsp responce is a file? If so, why did not you copy the file to all these Windows machines manually?

I cannot see such command (certutil with parameter -downloadocsp) based on the certutil command usage.
certutil
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

List Box at name 1

1) Yes, the OCSP responder is openssl 1.1.1f, NOT Windows CA server,
2) I ran the certutil command on BOTH Windows Server 2019 and Windows 10 Pro, both had the same results.
3) No, OCSP responders use HTTP. The "downloadOcsp" verb in certutil coonnects via the AIA extension in the certificates found in the .\certs directory.
4) The downloadOcsp is documented in the certutil command itself. To see the documentation, you need to use
"CertUtil -v -?" and scroll back up to read the section on downloadOcsp. The text reads:

  CertUtil [Options] -downloadOcsp CertificateDir OcspDir [ThreadCount] [Modifiers]
  Download OCSP Responses and Write to Directory
    CertificateDir -- directory of certificate, store and PFX files.
    OcspDir        -- directory to write OCSP responses.
    ThreadCount    -- optional maximum number of threads for concurrent downloading. Default is 10.
    Modifiers -- Comma separated list of one or more of the following:
            DownloadOnce -- Download once and exit
            ReadOcsp -- Read from OcspDir instead of writing
    By default, certutil won't exit and must be explicitly terminated.
    Modifiers:
      DownloadOnce
      ReadOcsp

Daisy Zhou 13,021 Reputation points Microsoft Vendor

2021-07-07T08:09:24.743+00:00

Hello @List Box at name ,

Thank you for your update.

Does it mean you need to approve the download request on openssl 1.1.1f manually?

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

What does certutil downloadocsp error "Error => Pending OCSP response download" mean?

1 answer

Activity