OCSP Server – Bad Signing Certificate On Array Controller

OCSP KB ID 0001145 

Problem

I had a client ring in the other day, they have a three tier PKI solution on Windows Certificate Services, that I put in about a year ago, it has been running fine, but now they were seeing some errors.

Bad signing certificate on Array controller.

The following errors were also being logged;

Event ID 23

[box]

Log Name:      Application
Source:        Microsoft-Windows-OnlineResponder
Date:          12/01/2016 08:44:01
Event ID:      23
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      PKICRL00v
Description:
The Online Responder Service could not locate a signing certificate for configuration 
inter00.(Cannot find the original signer. 0x8009100e
 (-2146889714 CRYPT_E_SIGNER_NOT_FOUND))

[/box]

Event ID 34

[box]

Log Name:      Application
Source:        Microsoft-Windows-OnlineResponder
Date:          12/01/2016 08:44:01
Event ID:      34
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      PKICRL00v
Description:
The Online Responder Service encountered an error while submitting the enrollment request
 for configuration inter00 to certification authority PKIINTER00v\PKIINTER00V. The request
 ID is 0.(The system cannot find the file specified. 0x80070002 
(WIN32: 2 ERROR_FILE_NOT_FOUND))

[/box]

OCSP Solution

I quickly ascertained that removing and adding the nodes, didn’t fix the problem. On the OCSP server, launch an MMC session, and add in the Certificates snap-in for local computer. Do a manual enrolment, but in the details, set the issuing CA to one of the CA’s that is displaying an error, (using the OCSP Responder certificate template). Repeat for each CA.

Now add each node, but choose ‘manually select a signing certificate’.

Then assign the certificate, and choose the correct cert for each node.

Related Articles, References, Credits, or External Links

NA

Leave a Reply

Your email address will not be published. Required fields are marked *