

Showing posts from June, 2013

OCSP response unauthorized or unsuccessful

The Windows OCSP client requires that the OCSP responder URL be present in the certificate's Authority Information Access (AIA) extension. If it is missing, Windows does not form the OCSP request properly and validation fails with a certutil status of "Unsuccessful". The same certificate was validated successfully by a Cisco ASA OCSP client.

RFC 2560 (since obsoleted by RFC 6960), Appendix A.1.1, says that "{url} may be derived from the value of AuthorityInfoAccess or other local configuration of the OCSP client". Microsoft's implementation does not appear to honour the second option: it relies on the AIA extension alone.

The OCSP responder address is carried in the AIA extension. On a Windows CA it is configured in the properties of the CA, on the "Extensions" tab. Once configured, all newly issued certificates include the OCSP responder address; certificates issued before the change do not. Without the OCSP responder address in the AIA extension, validation with certutil fails.

According to RFC 2560, an OCSP request must specify the hashing algorithm, issuer name hash, issuer
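As an added example, not code from the original post: a PowerShell script that first checks whether a certificate's AIA extension actually carries an OCSP access entry (the thing the Windows client insists on), then lets certutil attempt the revocation check with -urlfetch, and, with -ConfigureCa, writes the OCSP URL into the CA's AIA configuration the same way the "Extensions" tab does. The -Path argument, the URLs http://pki.example.com/... and http://ocsp.example.com/ocsp, and the CertEnroll path are placeholders for your own environment.

```powershell
<#
Added example, not code from the original post.
Client side: report whether the certificate's AIA extension carries an OCSP responder URL,
then let certutil try the check. CA side (-ConfigureCa): put the OCSP URL into the CA's
AIA configuration (what the "Extensions" tab writes). Assumed: -Path points at a DER/PEM
certificate, certutil.exe is on PATH, and the example.com URLs are replaced with yours.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$ConfigureCa,
    [string]$OcspUrl   = 'http://ocsp.example.com/ocsp',
    [string]$CaCertUrl = 'http://pki.example.com/CertEnroll/%1_%3%4.crt'
)

$aiaOid  = '1.3.6.1.5.5.7.1.1'   # Authority Information Access extension
$ocspOid = '1.3.6.1.5.5.7.48.1'  # id-ad-ocsp access method inside AIA

function Get-OcspUrlsFromAia {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $aiaOid }
    if (-not $aia) { return @() }
    # Format($true) renders each access entry as:
    #   Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
    #   Alternative Name:
    #        URL=http://...
    $pattern = '\(' + [regex]::Escape($ocspOid) + '\)\s*Alternative Name:\s*URL=(\S+)'
    [regex]::Matches($aia.Format($true), $pattern) | ForEach-Object { $_.Groups[1].Value }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
"Subject: $($cert.Subject)"
$urls = @(Get-OcspUrlsFromAia -Cert $cert)
if ($urls.Count -eq 0) {
    Write-Warning "No OCSP URL in AIA: the Windows client has nowhere to send the request; expect 'Unsuccessful' from certutil."
} else {
    "OCSP responder URL(s) from AIA: $($urls -join ', ')"
}

# -urlfetch makes certutil retrieve AIA/CDP/OCSP data rather than rely on cached state.
& certutil.exe -verify -urlfetch $Path 2>&1 | Select-String -Pattern 'Revocation|OCSP|Unsuccessful|ERROR'

if ($ConfigureCa) {
    # The "Extensions" tab edits the CA registry value CACertPublicationURLs. Each entry is
    # "<flags>:<url>": flag 2 = include in issued certs' AIA as CA Issuers, flag 32 = include
    # as the OCSP access method. -setreg replaces the whole list, so keep existing entries.
    & certutil.exe -getreg CA\CACertPublicationURLs
    $entries = @(
        "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt",
        "2:$CaCertUrl",
        "32:$OcspUrl"
    )
    & certutil.exe -setreg CA\CACertPublicationURLs ($entries -join '\n')
    Restart-Service -Name certsvc
    'Only certificates issued from now on carry the OCSP URL; re-issue older ones.'
}
```

Run it on a client as `.\Check-OcspAia.ps1 -Path .\server.cer` to see whether the AIA carries an OCSP entry before blaming the responder; run it on the CA with -ConfigureCa only after copying your current CACertPublicationURLs entries into $entries, since -setreg overwrites the list.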