Overview of Windows events generated by the online responder (OCSP)

The following is an overview of the events generated by the online responder (OCSP) in the Windows Event Viewer.

The events of the online responder are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.

The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates thanks to OCSP, but can make a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)„.

Event Sources

The events of the online responder are written to the application log. The following sources contain OCSP events:

  • OnlineResponder
  • OnlineResponderRevocationProvider (Microsoft-Windows-OnlineResponderRevocationProvider)
  • OnlineResponderWebProxy

Predefined view in the Windows Event Viewer

An appropriately filtered view is preconfigured in the Active Directory Certificate Services category on each system where the online responder is installed.

Microsoft-Windows-OnlineResponder event source

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

IDTypeEvent text
17InformationOnline Responder Service was started.
18InformationOnline Responder Service was stopped.
20ErrorThe Online Responder Service did not start: %1.
21Error%1: The Online Responder Service detected an exception at address %2. Flags = %3. The exception is %4.
22ErrorOCSP Responder Services did not process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize property for the service. Unless exhaustive logging is enabled, this error will only be logged every 20 minutes.
23ErrorThe Online Responder Service could not locate a signing certificate for configuration %1.(%2)
24InformationThe Online Responder Service successfully (re)loaded a signing certificate for configuration %1.
25WarningThe signing certificate for Online Responder configuration %1 will expire soon.
26ErrorThe signing certificate for Online Responder configuration %1 has expired. OCSP requests for this configuration will be rejected.
27WarningThe signing certificate for Online Responder configuration %1 was not updated(%2).
28InformationThe signing certificate for Online Responder configuration %1 has been renewed. The hash for the new certificate can be located in additional data.
29ErrorSettings for Online Responder configuration %1 cannot be loaded. OCSP requests for this configuration will be rejected.(%2)
31WarningPerformance counters for the Online Responder Service cannot be initialized.
32InformationThe Online Responder Service detected a change in the signing certificate template version for configuration %1. The old version was (%2,%3), the new version is (%4,%5).
33ErrorThe Online Responder Service failed to create an enrollment request for the signing certificate template %2 for configuration %1.(%3).
34ErrorThe Online Responder Service encountered an error while submitting the enrollment request for configuration %1 to certification authority %2. The request ID is %3.(%4)
35ErrorThe Online Responder Service failed to install the enrollment response for configuration %1 for the signing certificate template %2 . The request ID is %3.(%4)
36 InformationThe Online Responder Service successfully enrolled for a new signing certificate for configuration %1. The new certificate's hash can be located in additional data.
37WarningThe signing certificate for Online Responder configuration %1 does not include the mandatory OCSP No Revocation Checking extension. You must configure an OCSP Response Signing certificate template to include this extension in all OCSP Response Signing certificates. For more information, see Configure a CA to Support OCSP Responders in the Online Responder console Help.

Microsoft-Windows-OnlineResponderRevocationProvider event source

IDTypeEvent text
16WarningFor configuration %1, Online Responder revocation provider failed to update the CRL Information: %2.
17ErrorFor configuration %1, Online Responder revocation provider either has no CRL information or has stale CRL information.
18ErrorFor configuration %1, Online Responder revocation provider found a delta CRL referring to a newer Base CRL.

Microsoft-Windows-OnlineResponderWebProxy event source

IDTypeEvent text
17ErrorThe Online Responder web proxy failed to Initialize. %1
18InformationThe Online Responder web proxy is successfully loaded.
19InformationThe Online Responder web proxy is unloaded.
20InformationThe Online Responder web proxy detected an invalid configuration for the %1 property. The value was changed from %2 to %3.
21ErrorThe Online Responder web proxy did not process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize property for the service. This error will only be logged every 20 minutes.

Related links:

External sources

One thought on “Übersicht über die vom Onlineresponder (OCSP) generierten Windows-Ereignisse”

Comments are closed.

en_USEnglish