Renew OCSP Response Signing Certificates with an Existing Key

Applies To: Windows Server 2008 R2

Online Certificate Status Protocol (OCSP) Response Signing certificates need to be signed by the same certification authority (CA) key that was used to sign the end-entity certificates that they provide status for.

After a CA key is renewed, the CA will be using the new key to sign newly issued certificates. In the period between the time a CA certificate is renewed and the expiration date of the original CA certificate, the CA cannot issue or renew OCSP Response Signing certificates, which may prevent an Online Responder from signing OCSP responses.

To overcome this issue, Windows Server 2008 R2–based CAs and Windows Server 2008–based CAs can be configured to modify the default behavior and allow OCSP Response Signing certificates to be issued by using a renewed CA key.

You must be an administrator on the server hosting the CA to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.

To allow OCSP Response Signing certificates to be renewed by using existing CA keys

  1. On the CA computer, open a command prompt, and type:

    certutil -setreg ca\UseDefinedCACertInRequest 1

  2. Press ENTER.

  3. Restart the CA service.
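The following PowerShell script carries out the three steps above from an elevated prompt on the CA and verifies the result. It is an added example, not part of the original article or of any Microsoft tool; it assumes the service name CertSvc (the name of the Active Directory Certificate Services service) and reads the CA's configuration key from the registry path that certutil -setreg ca\ writes to.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): enable issuance of OCSP Response
# Signing certificates with a renewed CA key, then restart the CA and verify.
# Assumptions: service name 'CertSvc'; the CA configuration lives under
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA common name>,
# which is where 'certutil -setreg ca\<value>' stores its settings.

$ErrorActionPreference = 'Stop'

# Step 1/2: record the current value (certutil returns a non-zero exit code when
# the value has never been set, so do not treat that as a failure) and then set it.
certutil -getreg ca\UseDefinedCACertInRequest
certutil -setreg ca\UseDefinedCACertInRequest 1
if ($LASTEXITCODE -ne 0) {
    throw "certutil -setreg failed with exit code $LASTEXITCODE"
}

# Step 3: restart the CA service so the new registry value is read.
Restart-Service -Name CertSvc
(Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verification: read the value back directly from the active CA's configuration key.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$value     = (Get-ItemProperty -Path (Join-Path $configKey $caName) `
                -Name UseDefinedCACertInRequest).UseDefinedCACertInRequest

if ($value -eq 1) {
    Write-Output "CA '$caName': UseDefinedCACertInRequest = 1 (renewed CA key may issue OCSP Response Signing certificates)"
} else {
    throw "CA '$caName': UseDefinedCACertInRequest is '$value', expected 1"
}
```

Restarting the service interrupts certificate issuance on that CA for a few seconds, so run the script in a maintenance window on a busy CA. The setting applies to the whole CA, not to a single template, so review it together with the other CA registry settings when you audit the PKI configuration.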
