Details of the event with ID 35 of the source Microsoft-Windows-OnlineResponder

Event Source:Microsoft-Windows-OnlineResponder
Event ID:35 (0x23)
Event log:Application
Event type:Error
Symbolic Name:MSG_E_CACONFIG_INSTALL_ENROLLMENT_RESPONSE_FAILED
Event text (English):The Online Responder Service failed to install the enrollment response for configuration %1 for the signing certificate template %2 . The request ID is %3.(%4)
Event text (German):The online responder service could not install the registration response for the %1 configuration for the %2 signing certificate template. Request ID: %3.(%4)

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: CAConfigurationId (win:UnicodeString)
  • %2: CertificateTemplateName (win:UnicodeString)
  • %3: RequestId (win:UnicodeString)
  • %4: ErrorCode (win:UnicodeString)

The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Thanks to OCSP, entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates, but can send a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)".

Description

Occurs when the online responder, while requesting an OCSP response signing certificate, receives a certificate from the certificate authority that was not signed with the same private key as the one referenced in the revocation configuration.

This usually occurs when the certificate authority certificate has been renewed with a new key pair, but the certificate authority has not been configured to process the Authority Key Identifier (AKI) extension.

OCSP response signing certificates must always be signed with the same key as the certificates to be verified. If the certificate authority certificate is renewed with a new key pair, a separate revocation configuration is required for each of the certificate authority keys that are still valid.

The certification authority always signs certificates with the key belonging to the latest certification authority certificate. However, since certificates issued with earlier keys may still be in circulation and their revocation status must be checked, the online responder also needs a revocation configuration for each of these keys, together with an OCSP response signing certificate that matches that key.

To ensure that the certification authority signs them with the appropriate key, the online responder includes the AKI extension in the certificate request, and the certification authority must take it into account. The certification authority must be explicitly configured for this purpose, as described in the article "Allow requesting a specific signature key on a certification authority".

If the certification authority is not configured accordingly, it will log Event no. 128.

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

An alert should be issued here because the availability of the online responder's revocation configuration is impaired and errors or undesirable behavior may occur during certificate revocation checks.
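The following PowerShell script is an added example and not part of the original article: it collects Event ID 35 from the Microsoft-Windows-OnlineResponder provider in the Application log and maps the four event parameters (%1 to %4) to the field names listed in the "Parameter" section, so an alert carries the affected revocation configuration, template, request ID and error code. It assumes it runs on the online responder host (or with read access to its Application log via -ComputerName); the parameter and default values are assumptions.

```powershell
# Added example: surface Online Responder Event ID 35 with named parameters.
param(
    [string]$ComputerName  = $env:COMPUTERNAME,   # assumption: local host by default
    [int]   $LookbackHours = 24                   # assumption: alert window
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-OnlineResponder'
    Id           = 35
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no findings".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

# Parameter order as given in the event text: %1 .. %4.
$paramNames = 'CAConfigurationId', 'CertificateTemplateName', 'RequestId', 'ErrorCode'

foreach ($evt in $events) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    $i    = 0
    foreach ($d in @($xml.Event.EventData.Data)) {
        # Prefer the Name attribute from the provider manifest; fall back to position.
        $name = $d.GetAttribute('Name')
        if (-not $name) { $name = $paramNames[$i] }
        $data[$name] = $d.'#text'
        $i++
    }

    [pscustomobject]@{
        TimeCreated             = $evt.TimeCreated
        Computer                = $evt.MachineName
        CAConfigurationId       = $data['CAConfigurationId']
        CertificateTemplateName = $data['CertificateTemplateName']
        RequestId               = $data['RequestId']
        ErrorCode               = $data['ErrorCode']
        # Pointer for the responder: the usual cause is a CA key renewal without
        # AKI handling on the CA, which the CA reports as Event ID 128.
        NextStep = 'Check for a renewed CA key; verify the CA honours the AKI extension (see CA Event ID 128).'
    }
}
```

Each affected revocation configuration appears as one object, so the output can be piped to a ticketing or SIEM forwarder, and an empty result means no Event ID 35 occurred in the window.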
