Assume the following scenario:
- After installing an online responder (OCSP), setting up a revocation configuration, and adjusting the certification authority or configuring a group policy that forces clients to use the online responder, the function test shows that it nevertheless does not work.
- The OCSP address check reports HTTP status 404 (not found).
The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Thanks to OCSP, entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates, but can send a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)".
The management console for the Enterprise PKI (pkiview.msc) displays the status "Error".
More precisely, you can check the status by exporting any valid certificate as a file and performing a check via command line:
certutil -verify -urlfetch {filename-certificate}.cer
Checking the Default Web Site in the Internet Information Services Manager shows that the required virtual folder "ocsp" does not exist.
The virtual folder can be created with the following command:
certutil -vocsproot
The setting is effective without restarting the Web Server service.
Please note that the Enterprise PKI management console will still display an error because the previous negative response is cached client-side. To clear this cache, see the article "View and clear the revocation list address cache (CRL URL Cache)".
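The check and repair described above can be combined into one script. This is an added example, not part of the original article; it assumes the WebAdministration module is available on the responder server and that the Default Web Site answers on http://localhost (port 80).

```powershell
# Added diagnostic sketch; run in an elevated PowerShell session on the
# server that hosts the Online Responder role.
Import-Module WebAdministration

$site     = 'Default Web Site'        # site named in the article
$name     = 'ocsp'                    # virtual folder named in the article
$probeUrl = 'http://localhost/ocsp'   # assumption: default binding on port 80

function Test-OcspVirtualRoot {
    # The folder may be registered as an IIS application or as a plain
    # virtual directory, so look for either one.
    $app  = Get-WebApplication -Site $site -Name $name
    $vdir = Get-WebVirtualDirectory -Site $site -Name $name
    return [bool]($app -or $vdir)
}

function Get-OcspHttpStatus {
    # Returns the numeric HTTP status of a plain GET against the responder path.
    try {
        $r = Invoke-WebRequest -Uri $probeUrl -UseBasicParsing
        return [int]$r.StatusCode
    } catch {
        $resp = $_.Exception.Response
        if ($resp) { return [int]$resp.StatusCode }
        throw   # no HTTP response at all (service stopped, wrong binding, ...)
    }
}

if (-not (Test-OcspVirtualRoot)) {
    Write-Warning "'$name' is missing under '$site'; creating it with certutil."
    certutil -vocsproot
    if ($LASTEXITCODE -ne 0) { throw "certutil -vocsproot failed ($LASTEXITCODE)" }
}

$status = Get-OcspHttpStatus
if ($status -eq 404) {
    Write-Warning "Still HTTP 404 at $probeUrl; check the site bindings and the '$name' mapping."
} else {
    Write-Output "HTTP $status at $probeUrl, no longer 'not found'."
}
```

The script only confirms that IIS maps the path; a full revocation check still goes through `certutil -verify -urlfetch` after the client-side cache has been cleared.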