Troubleshoot Online Responders

Applies To: Windows Server 2008, Windows Server 2012

This section lists a few common issues you may encounter when using the Online Responder snap-in or working with Online Responder Arrays. For more information about troubleshooting and resolving problems with Online Responders, see Active Directory Certificate Services Troubleshooting (https://go.microsoft.com/fwlink/?LinkId=89215).

What problem are you having?

  • The Online Responder service did not start.

  • The Online Responder's signing certificate could not be located.

  • An attempt to create a revocation configuration failed.

  • The signing certificate for the Online Responder configuration will expire soon.

  • The signing certificate for the revocation configuration has expired.

  • An Online Responder revocation configuration cannot be loaded.

  • The Online Responder service could not retrieve a CRL for the specified revocation configuration.

The Online Responder service did not start.
  • Cause: The Online Responder service can fail to start because of corrupted registry information or insufficient system resources.

  • Solution: Try to restart the Online Responder service from the Services snap-in (services.msc). If the Online Responder service fails to start, check the event log for other errors that may be related to this failure. If not enough system resources are available to start the Online Responder service, try to restart the computer or free system resources. If the registry information is corrupted, you must use Server Manager to uninstall and reinstall the Online Responder service.
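The same checks from an elevated PowerShell prompt, as an added example that is not part of the original article. It assumes the service's short name is OcspSvc and that the service logs to the Application log under the provider name Microsoft-Windows-OnlineResponder; adjust those two values if your system differs.

```powershell
# Added example (not from the original article). Shows the state of the Online
# Responder service, tries to start it if it is stopped, and pulls the recent
# errors and warnings that explain a failed start.
# Assumptions: service short name 'OcspSvc'; the service writes to the
# Application log as provider 'Microsoft-Windows-OnlineResponder'.
# Run in an elevated PowerShell session on the Online Responder.

function Test-OnlineResponderService {
    param(
        [string]$ServiceName  = 'OcspSvc',
        [string]$ProviderName = 'Microsoft-Windows-OnlineResponder',
        [int]$Hours           = 24
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    Write-Host ("{0} ({1}) is {2}" -f $svc.DisplayName, $svc.Name, $svc.Status)

    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -Name $ServiceName -ErrorAction Stop
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
            Write-Host "Service started."
        } catch {
            Write-Warning "Start failed: $($_.Exception.Message)"
        }
    }

    $since = (Get-Date).AddHours(-$Hours)

    # Errors (level 2) and warnings (level 3) from the Online Responder itself
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $ProviderName; Level = 2, 3; StartTime = $since
    } -ErrorAction SilentlyContinue
    if ($events) {
        $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
    } else {
        Write-Host "No Online Responder errors or warnings in the last $Hours hours."
    }

    # The Service Control Manager (System log) records why a service failed to start
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$($svc.DisplayName)*" } |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

    # Insufficient resources: a quick look at free physical memory (reported in KB)
    $os = Get-WmiObject -Class Win32_OperatingSystem
    Write-Host ("Free physical memory: {0:N0} MB" -f ($os.FreePhysicalMemory / 1KB))
}

Test-OnlineResponderService
```

If the service still fails to start and the event log points at its configuration rather than resources, the article's last resort applies: uninstall and reinstall the Online Responder role service with Server Manager.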

The Online Responder's signing certificate could not be located.
  • Cause: No OCSP Response Signing certificate is present in the Personal certificate store of the computer account. If the signing certificate should have been issued by autoenrollment, autoenrollment did not complete.

  • Solution: If an OCSP Response Signing certificate is not present in the Personal certificate store for the local computer, and the revocation configuration is set up for manual OCSP Response Signing certificate enrollment or auto-discovery, enroll for a certificate manually. For configurations in which the Online Responder service enrolls for its own certificate, manual enrollment does not work; instead, identify the reason that automatic enrollment failed. Possible reasons include:

    • The computer on which the Online Responder service is running cannot connect to a certification authority (CA) that has been configured to issue certificates based on the OCSP Response Signing template.

    • The Online Responder does not have Read, Enroll, and, if autoenrollment is being used, Autoenroll permissions on the OCSP Response Signing template.
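The following script, added here and not part of the original article, locates the signing certificate and, when it is missing, runs the two checks above from the command line. It assumes the template's internal name is OCSPResponseSigning (display name "OCSP Response Signing") and uses a placeholder CA configuration string that you must replace with your own "host\CA name".

```powershell
# Added example (not from the original article). Finds the Online Responder's
# OCSP Response Signing certificate in LocalMachine\My; if none exists, checks
# CA reachability and template availability, then shows the manual enrollment
# command for manual/auto-discovery revocation configurations.
# Assumptions: template internal name 'OCSPResponseSigning'; $CaConfig is a
# placeholder for your CA's "host\CA name" string.
# Run in an elevated PowerShell session on the Online Responder.

$OcspSigningEku = '1.3.6.1.5.5.7.3.9'                      # id-kp-OCSPSigning
$TemplateName   = 'OCSPResponseSigning'
$CaConfig       = 'ca01.corp.example.com\Corp Issuing CA'  # placeholder

function Get-OcspSigningCertificate {
    # Certificates in the computer's Personal store that carry the OCSP Signing
    # EKU and have a private key (the service cannot sign responses without one).
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and $eku -and
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $OcspSigningEku)
    }
}

$certs = @(Get-OcspSigningCertificate)
if ($certs.Count -gt 0) {
    Write-Host "OCSP Response Signing certificate(s) present:"
    $certs | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
} else {
    Write-Warning "No OCSP Response Signing certificate with a private key in LocalMachine\My."

    # Reason 1: can this computer reach the CA at all?
    certutil -ping -config $CaConfig

    # Reason 2: does that CA publish the OCSP Response Signing template?
    # -CATemplates evaluates Enroll permission for the *current user*, not for the
    # Online Responder's computer account, so a listed template only proves the CA
    # offers it. Verify Read/Enroll/Autoenroll for the responder's computer account
    # on the template's ACL in the Certificate Templates snap-in.
    $offered = @(certutil -CATemplates -config $CaConfig) -match "^$TemplateName"
    if ($offered) {
        Write-Host "CA offers the template:`n$($offered -join "`n")"
    } else {
        Write-Warning "Template $TemplateName is not published on $CaConfig."
    }

    # Manual enrollment, only for revocation configurations set to manual
    # enrollment or auto-discovery. For configurations in which the Online
    # Responder service enrolls for its own certificate, fix the cause of the
    # failed automatic enrollment instead.
    certreq -enroll -machine -q $TemplateName
}
```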

An attempt to create a revocation configuration failed.
  • Cause: The Array controller cannot obtain a valid OCSP Response Signing certificate, typically because the OCSP Response Signing certificate template is not configured correctly. The attempt fails with the message "Bad signing certificate on Array Controller."

  • Solution: Verify that the OCSP Response Signing certificate template has been configured correctly and is available to the Array controller (published on a CA it can reach, with Read and Enroll permissions for its computer account). If the Array controller cannot obtain the certificate through automatic enrollment, configure the certificate template to allow manual enrollment for these signing certificates.

The signing certificate for the Online Responder configuration will expire soon.
  • Cause: When autoenrollment is not being used, a reminder to renew an expiring certificate is generated automatically when a certificate has only a configured percentage of its lifetime left (by default, 10 percent of its total validity period). You can check the time remaining on the current signing certificate by using the Certificates snap-in to examine the OCSP Response Signing certificate in the Personal certificate store of the computer or of the Online Responder service.

  • Solution: If the OCSP Response Signing certificate template has been configured for automatic enrollment and renewal, further action may not be needed. For manual configurations, you can renew the signing certificate by using the Certificates snap-in and the Certificate Renewal Wizard.

The signing certificate for the revocation configuration has expired.
  • Cause: Automatic renewal of the signing certificate failed, or manual certificate renewal was not completed before the expiration date.

  • Solution: For configurations in which the Online Responder service enrolls for its certificate, manual enrollment will not work and you need to identify the reason that autoenrollment did not work. Possible reasons include:

    • The computer on which the Online Responder service is running cannot connect to a CA that has been configured to issue certificates based on the OCSP Response Signing template.

    • The Online Responder does not have Read, Enroll, and Autoenroll permissions on the OCSP Response Signing template.

    A CA administrator should use the Certification Authority and Certificate Templates snap-ins to verify the availability and configuration of the OCSP Response Signing template before autoenrollment can be tried again.

    If the revocation configuration is set up for manual enrollment of the OCSP Response Signing certificate, locate the signing certificate within the Online Responder computer's local computer Personal certificate store.

    For manual configurations, you can renew the signing certificate by using the Certificates snap-in and the Certificate Renewal Wizard.

    It is also possible that the OCSP Response Signing certificate could not be renewed because the CA key that was used to sign the original OCSP Response Signing certificate has been renewed and is no longer available. To overcome this problem, you must allow the OCSP Response Signing certificate to be renewed with an existing key. For more information, see Renew OCSP Response Signing Certificates with an Existing Key.
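The lifetime check described in the two preceding sections ("will expire soon" and "has expired"), as an added example that is not part of the original article: it reports what fraction of its validity period each OCSP Response Signing certificate in the computer's Personal store has left, flags those under the renewal threshold (10 percent, the default named above), and prints the manual renewal command. The certreq renewal form shown assumes the template permits renewal; append ReuseKeys only if you have followed the article on renewing with an existing key.

```powershell
# Added example (not from the original article). Computes remaining lifetime
# for OCSP Response Signing certificates in LocalMachine\My and emits the
# certreq renewal command for those that are expired or under the threshold.
# Assumption: renewal via "certreq -enroll -machine -cert <thumbprint> renew";
# add ReuseKeys only when the template/CA require renewal with the existing key.
# Run in an elevated PowerShell session on the Online Responder.

function Get-OcspSigningCertificateStatus {
    param([double]$ThresholdPercent = 10)   # matches the default reminder threshold

    $ocspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return }
        if (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $ocspSigningEku) { return }

        $totalDays     = ($cert.NotAfter - $cert.NotBefore).TotalDays
        $remainingDays = ($cert.NotAfter - $now).TotalDays
        $percent = if ($totalDays -gt 0) { [math]::Round(100 * $remainingDays / $totalDays, 1) } else { 0 }

        if ($remainingDays -le 0) {
            $state = 'EXPIRED'
        } elseif ($percent -le $ThresholdPercent) {
            $state = 'RENEW SOON'
        } else {
            $state = 'OK'
        }

        New-Object PSObject -Property @{
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            DaysRemaining    = [math]::Round($remainingDays, 1)
            PercentRemaining = $percent
            State            = $state
            Thumbprint       = $cert.Thumbprint
        }
    }
}

$status = @(Get-OcspSigningCertificateStatus)
if ($status.Count -eq 0) { Write-Warning "No OCSP Response Signing certificate in LocalMachine\My." }
$status | Format-Table Subject, NotAfter, DaysRemaining, PercentRemaining, State -AutoSize

foreach ($c in $status | Where-Object { $_.State -ne 'OK' }) {
    # Manual renewal applies to revocation configurations set to manual enrollment.
    # If the CA key that signed the original certificate has since been renewed
    # and is no longer available, the renewal must reuse the existing key; see
    # "Renew OCSP Response Signing Certificates with an Existing Key".
    Write-Host "Renew $($c.Subject) ($($c.State)):"
    Write-Host "  certreq -enroll -machine -cert $($c.Thumbprint) renew"
}
```

For configurations in which the Online Responder service enrolls for its own certificate, an EXPIRED result means automatic renewal failed; use the output only to confirm the expiry and then work through the autoenrollment causes listed above rather than renewing by hand.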

An Online Responder revocation configuration cannot be loaded.
  • Cause: The revocation configuration has become corrupted.

  • Solution: Use the Online Responder snap-in to delete and re-create the revocation configuration. If this problem occurred on an Array member, you can delete the corrupted configuration from the Array member and then synchronize the Array to re-create the revocation configuration. If you are encountering this problem on an Array controller, temporarily set another computer as the Array controller, synchronize the Array, and then reset the original computer to be the Array controller.

The Online Responder service could not retrieve a CRL for the specified revocation configuration.
  • Cause: Certificate revocation list (CRL) publication failed, the CRL distribution points are invalid, or the Online Responder service could not access the published CRL.

  • Solution: To identify and address CRL retrieval problems for an Online Responder:

    1. Use the Online Responder snap-in to verify that the URLs configured for base and delta CRL distribution points are valid.

    2. Use the Certification Authority snap-in to verify the URLs to which the CA will publish base and delta CRLs.

    3. On the computer to which the base CRL is published, examine the Freshest CRL extension for the base CRL. Verify that this identifies a location where the delta CRL can be found.

    4. Republish the current CRL, if necessary, by typing the following command at a command prompt: certutil -crl

    5. Then, verify that the Online Responder service can access the CRL. From the Online Responder snap-in, right-click Array Configuration, and click Refresh Revocation Data.
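Steps 1 to 4 carried out from the command line, as an added example that is not part of the original article. It downloads each base CRL URL, reads ThisUpdate, NextUpdate and the Freshest CRL extension from certutil's dump, and then fetches the delta CRL that extension points at (step 3). Assumptions: HTTP distribution points (LDAP URLs are skipped), field names as printed by certutil's English output, and a placeholder base CRL URL that you replace with the URL(s) shown in the revocation configuration.

```powershell
# Added example (not from the original article). Checks base and delta CRL
# retrieval for an Online Responder's revocation configuration.
# Assumptions: HTTP CDP URLs; certutil English output ("ThisUpdate:",
# "NextUpdate:", "Freshest CRL"); the URL in $baseUrls is a placeholder.
# Run on the Online Responder so the fetch reflects that host's network view.

function Get-CdpUrls {
    # CRL Distribution Points extension (OID 2.5.29.31); Format() renders "URL=..." lines
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function ConvertTo-DateOrNull([string]$Text) {
    try { [datetime]::Parse($Text.Trim()) } catch { $null }   # certutil prints in the current culture
}

function Test-CrlUrl {
    param([string]$Url)
    if ($Url -notmatch '^https?://') { Write-Warning "Skipping non-HTTP URL: $Url"; return }

    $file = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        (New-Object System.Net.WebClient).DownloadFile($Url, $file)
    } catch {
        Write-Warning "Download failed for ${Url}: $($_.Exception.Message)"
        return
    }

    # certutil -dump prints the CRL's validity window and its extensions
    $text = (certutil -dump $file) -join "`n"
    Remove-Item $file -ErrorAction SilentlyContinue

    $thisUpdate = if ($text -match '(?i)This\s?Update:\s*(.+)') { ConvertTo-DateOrNull $Matches[1] }
    $nextUpdate = if ($text -match '(?i)Next\s?Update:\s*(.+)') { ConvertTo-DateOrNull $Matches[1] }
    # Freshest CRL (OID 2.5.29.46): where a base CRL says its delta CRL can be found
    $freshest   = if ($text -match '(?s)Freshest CRL.*?URL=(\S+)') { $Matches[1] }

    New-Object PSObject -Property @{
        Url         = $Url
        ThisUpdate  = $thisUpdate
        NextUpdate  = $nextUpdate
        Expired     = ($nextUpdate -ne $null -and $nextUpdate -lt (Get-Date))
        FreshestCrl = $freshest
    }
}

# Step 1: base CRL URLs as entered in the revocation configuration, plus any CDP
# URLs carried by certificates in this computer's Personal store.
$baseUrls = @('http://pki.corp.example.com/pki/Corp%20Issuing%20CA.crl')   # placeholder
$baseUrls += Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object { Get-CdpUrls $_ }
$baseUrls = @($baseUrls | Where-Object { $_ } | Sort-Object -Unique)

foreach ($url in $baseUrls) {
    $base = Test-CrlUrl $url
    if (-not $base) { continue }
    $base | Format-List Url, ThisUpdate, NextUpdate, Expired, FreshestCrl
    if ($base.FreshestCrl) {
        # Step 3: the delta CRL must be reachable at the Freshest CRL location
        Test-CrlUrl $base.FreshestCrl | Format-List Url, ThisUpdate, NextUpdate, Expired
    } else {
        Write-Warning "Base CRL at $url has no Freshest CRL extension (expected only if the CA does not publish delta CRLs)."
    }
}

# Steps 2 and 4 are run on the CA, not on the Online Responder:
#   certutil -getreg CA\CRLPublicationURLs    # where the CA publishes base and delta CRLs
#   certutil -crl                             # republish the current CRLs
# Step 5 (Refresh Revocation Data) is done in the Online Responder snap-in.
```

One caveat on reading the results: the Online Responder service runs as Network Service by default, so a download that succeeds under your administrator account does not by itself prove the service can reach the URL (per-user proxy settings, for example, differ). The snap-in's Refresh Revocation Data in step 5 remains the authoritative check.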