Event ID 25 — AD CS Online Responder Service

  • Article

Applies To: Windows Server 2008

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 25
Source: Microsoft-Windows-OnlineResponder
Version: 6.0
Symbolic Name: MSG_W_CACONFIG_SIGNINGCERT_EXPIRING
Message: Online Responder Services: For revocation configuration %1, the signing certificate is going to expire soon.

Resolve

Renew the signing certificate for the Online Responder*

In order to function, an Online Responder needs to have a valid OCSP Response Signing certificate. Therefore, you need to renew the signing certificate.

For revocation configurations using manual enrollment for signing certificates, complete the following procedures:

  • Manually renew the OCSP Response Signing certificate.
  • Assign the OCSP Response Signing certificate to a revocation configuration.
  • Refresh revocation data.

For revocation configurations using automatic enrollment for signing certificates, renewal should take place without user intervention. Therefore, if renewal does not take place, it is probably blocked for some reason. Check the event log for additional errors or warnings that may be related to this error. If no other information is available, complete the following procedures:

  • Confirm that a certification authority (CA) is accessible. 
  • Confirm that the OCSP Response Signing certificate template is properly configured.
  • Confirm that the OCSP Response Signing certificate template is available on the CA.

If renewal is still not possible, or if the OCSP Response Signing certificate cannot be used, complete the following procedures:

  • Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE.
  • Modify the certificate renewal reminder period.

Manually renew an OCSP Response Signing certificate

To manually renew an OCSP Response Signing certificate:

  1. Click Start, type mmc, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. Click Computer account, and click Next.

  5. Select the computer hosting the Online Responder, click Finish, and then click OK.

  6. Double-click Personal, and then double-click Certificates.

  7. Look for any certificates with the OCSP Signing enhanced key usage (EKU) extension.

  8. Right-click the certificate, point to All Tasks, and then click Renew Certificate with New Key or Renew Certificate with Existing Key to start the Certificate Renewal Wizard.

  9. Use the wizard to complete the renewal process. 

  10. After the certificate has been issued, assign it to the revocation configuration by using the following procedure.

Assign an OCSP Response Signing certificate to a revocation configuration

To assign an OCSP Response Signing certificate to a revocation configuration:

  1. Click Start, point to Administrative Tools, and click Online Responder.
  2. In the console tree, expand Array Configuration, and click the node for the computer on which the error was logged.
  3. Right-click the revocation configuration identified in the event log, and click Assign Signing Certificate.
  4. Select the certificate, and click OK.
  5. Click Revocation Configuration,** **and then right-click the revocation configuration.
  6. Click Edit properties, and click the Signing tab. Select the Automatically use renewed signing certificates check box if you do not want to reassign the signing certificate to the revocation configuration manually each time the signing certificate is renewed. If you do not want this assignment to be made automatically, do not select this check box.
  7. When you are finished, use the following procedure to ensure the error does not recur.

Refresh revocation data

To refresh revocation data for an Online Responder by using the Online Responder snap-in:

  1. Click Start, point to Administrative Tools, and then click Online Responder.
  2. Right-click Array Configuration, and click Refresh Revocation Data.
  3. Confirm that no additional errors are reported.
  4. Click the Online Responder node, and confirm that the revocation configuration is listed as Working.
  5. Under Array Configuration, select the Online Responder computer that logged the error, and then click the revocation configuration named in the error.
  6. Under the details pane, view the Revocation Configuration Status pane for the status of the signing certificate and the revocation provider.
  7. Confirm that no additional errors are reported.

Revocation configurations configured for automatic enrollment of signing certificates

The previous procedure assumes that the OCSP Response Signing certificate was configured for manual enrollment and renewal. If the OCSP Response Signing certificate template was configured for autoenrollment, you need to confirm that no other issues are blocking the renewal process.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Confirm that a CA is accessible

To confirm that a CA is accessible by a client:

  1. Open a command prompt window.
  2. Type certutil -ping -config<computer\user> and press ENTER.

Note: If you use -config -, the operation is processed by using the default CA. You must specify the computer or user with permission to enroll for certificates from the CA when you use the -config option. Otherwise, the Select Certification Authority dialog box appears and displays a list of all CAs that are available.

Confirm that a certificate template is properly configured

To confirm that an OCSP Response Signing certificate template is properly configured:

  1. Click Start, type certtmpl.msc, and press ENTER.
  2. Right-click the OCSP Response Signing template, and then click Properties.
  3. Click the Security tab.
  4. Under Group or user name, click Add.
  5. Click Object Types, select the Computers check box, and click OK.
  6. Type the name of or browse to select the computer hosting the Online Responder or Online Certificate Status Protocol (OCSP) responder services, and then click OK.
  7. In the Group or user names dialog box, click the computer name.
  8. In the Permissions dialog box, select the Read, Enroll, and Autoenroll check boxes, and then click OK

Confirm that a certificate template is available to a CA

To publish a certificate template:

  1. Click Start, point to Administrative Tools, and click Certification Authority.
  2. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  3. Select the certificate template, and click OK.

If renewal of the OCSP Response Signing certificate is successful but the certificate cannot be used by the Online Responder service, it is possible that security on the certificate has been misconfigured. By default, the Online Responder service runs as NETWORK SERVICE, so the private key must be accessible by this user context.

Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE

To ensure that the private key for the OCSP Response Signing certificate is accessible to NETWORK SERVICE:

  1. Click Start, type mmc, and then press ENTER. 
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Click Computer account, and click Next.
  5. Select the computer hosting the Online Responder, click Finish, and then click OK.
  6. In the console tree, double-click Certificates, double-click Personal, and click Certificates.
  7. In the details pane, click OCSP Response Signing.
  8. On the Actions menu, point to All Tasks, and click Manage Private Keys.
  9. Click Add, type NETWORK SERVICE, and then click OK.
  10. Ensure that only the Read permission is allowed for NETWORK SERVICE, and then click OK.
  11. Restart the Online Responder service.

If the OCSP Response Signing certificate is not valid for signature purposes, enroll for a certificate that includes the id-kp-OCSPSigning EKU, labeled OCSP Signing (1.3.6.1.5.5.7.3.9).

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

Modify the certificate renewal reminder period

To modify the certificate renewal reminder period:

  1. Click Start, type regedit, and then press ENTER.
  2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OcspSvc\Responder.
  3. Add a DWORD registry key named ReminderDuration under this root.
  4. Enter a value between 1 and 100 to indicate the desired percentage.
  5. Stop and restart the Online Responder service to implement the new renewal reminder value.

Note: The reminder duration is an Online Responder-wide property, expressed as a percentage of the certificate lifetime. The default value is 90 percent of the certificate lifetime, but this value can be modified in the registry.

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.

  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.

  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, clickStart, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.

  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer* *file.

  6. Open a command prompt window.

  7. Type **certutil -url<exportedcert.cer> **and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.

AD CS Online Responder Service

Active Directory Certificate Services