OCSP Responder cannot find Keyset

Iulian Aciobanitei 1 Reputation point
2021-07-15T18:06:44+00:00

Hi,

I am trying to configure an OCSP Responder on Windows Server 2016.
I managed to install the OCSP Responder role and the Revocation Configuration.

For the signing certificate, I created a CSR with certreq -New, signed it with an external CA and then used certreq -Accept to bind the cert to the private key.
When I assign the certificate to the Revocation Configuration, I receive the following error: Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)

If I use certutil -store my, I can see Signature test passed:

Serial Number: 6cdfdcd3ea7249059a930839
NotBefore: 15.07.2021 20:43
NotAfter: 15.07.2022 20:43
Subject: CN=***, C=RO
Non-root Certificate
Cert Hash(sha1): b700bb78841fdbf04201e8993a1ee78c3d99fd6f
Key Container = 3232281044959491735dbcae07eee658_b35742b4-3738-426e-b437-1650b03eb56b
Simple container name: tq-c437bd7f-a979-4b22-9c78-ca6c2e9d9ac3
Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.
Also, in the Machine Key Store, I can see the certificate with the message: "You have a private key that corresponds to this certificate".

I also tried to create the key pair (certreq cmd) using another provider: Microsoft Enhanced Cryptographic Provider v1.0, but I received the same error.

Does anyone have any idea why I am facing this problem?


1 answer

  1. Anonymous
    2021-07-16T06:36:53.397+00:00

    Hello @Iulian Aciobanitei ,

    Thank you for posting here.

    What is the external CA you mentioned? Do you have Windows CA server?

    Please check if CA service starts.

    If the CA service starts and runs normally:

    Please run certutil -v -verifykeys to check whether there is the same error message.

    Maybe you will see "missing stored keyset" in the outputs.

    certutil -v -store my will tell you further whether the CA keys are stored in a software-based CSP/KSP or on an HSM.

    Hope the information above is helpful to you.

    Should you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

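A check that complements the certutil commands suggested above, added here and not part of the thread: the Online Responder signs responses under its own service account, so besides the key being bound to the certificate, that account must be able to read the key container on disk. The script assumes the signing certificate sits in LocalMachine\My with the thumbprint from the question, and that the responder runs as NT AUTHORITY\NETWORK SERVICE (its default identity); both are assumptions, not facts from the thread.

```powershell
# Added diagnostic (not from the thread). Assumptions: signing cert is in LocalMachine\My
# with the thumbprint from the question; the Online Responder runs as NETWORK SERVICE.
$Thumbprint      = 'b700bb78841fdbf04201e8993a1ee78c3d99fd6f'   # from certutil -store my above
$ServiceIdentity = 'NT AUTHORITY\NETWORK SERVICE'               # assumed responder account

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "No private key is bound to the certificate" }

# Open the key as the current (admin) user first. If this already fails with
# NTE_BAD_KEYSET, the cert/key binding itself is broken, not the ACL.
$rsa = $null
try {
    try { $rsa = $cert.PrivateKey } catch { }   # CAPI keys: RSACryptoServiceProvider
    if (-not $rsa) {                            # CNG keys: use the extension method
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    }
} catch {
    throw "Cannot open the private key as $env:USERNAME: $($_.Exception.Message)"
}
if (-not $rsa) { throw "Private key could not be opened" }

# Locate the key container file. CAPI CSPs (e.g. Microsoft Strong Cryptographic Provider)
# keep machine keys under RSA\MachineKeys; CNG KSPs keep them under Crypto\Keys.
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
} else {
    $container = $rsa.Key.UniqueName
    $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$container"
}
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key container file not found: $keyFile" }
Write-Host "Key container: $keyFile"

# The responder can only sign if its service account holds Read on that file.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$allowed  = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ServiceIdentity -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}
if ($allowed) {
    Write-Host "OK: $ServiceIdentity has Read on the key container."
} else {
    Write-Warning "$ServiceIdentity has no Read ACE on the key container; a likely cause of NTE_BAD_KEYSET."
    Write-Warning "Grant Read via certlm.msc > certificate > All Tasks > Manage Private Keys."
}
```

Run it in an elevated PowerShell on the responder host; the container name it prints should match the "Key Container" line from certutil -store my.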
