Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The Online Responder service does not return a deterministic GOOD for all certificates not included in the CRL


View products that this article applies to.

Symptoms

Consider the following scenario:
  • You have the Microsoft Online Responder service installed on a server that is running Windows Server 2008 R2 or Windows Server 2012 R2.
  • The server is used to configure and manage Online Certificate Status Protocol (OCSP) validation.

In this scenario, the Online Responder service does not return a deterministic value of GOOD for all certificates that are not included in the Certificates Revocation List (CRL).

↑ Back to the top


Cause

This problem occurs because the OCSP does not verify with a confirmed source that the certificate was actually issued by its corresponding Certificate Authority. Instead, if a certificate is not included in the CRL, the Online Responder service assumes that the certificate is valid and returns a value of GOOD.

↑ Back to the top


Resolution

To resolve this issue in Windows 8.1 or Windows Server 2012 R2, install update 2967917. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2967917 July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

To resolve this issue in Windows 7 or Windows Server 2008 R2, install the hotfix that is described in the "Hotfix information" section in this article.

Before you install this hotfix, you must configure the OCSP service to read serial numbers that are issued by the Certificate Authority. To do this, follow the steps in this section to create a directory location in which to save the serial number files and to create registry keys that point to this directory.

Notes
  • The directory can be located on a network share or hosted on a local computer. If you set up an array configuration, we recommend that you host the directory on a network share so that all array members can have "Read" access to it.
  • Regardless of where the directory is located, make sure that the OCSP service has the Read permission to the directory. The registry settings will not apply to any Microsoft Online Responders that are not patched by this hotfix.

Configure the OCSP service

Run the following steps on the Certificate Authority computer for which you have configured the OCSP service.

Step 1: Directory structure

  1. Start Notepad, and then paste the following sample script into a new document:

    param(
    [ValidateScript({Test-Path $_})]
    [String] $Path
    )
    pushd $Path
    dir | foreach {
    remove-item $_ -force
    }
    certutil.exe -out serialnumber -restrict "Disposition = 20" -view | foreach {
    if($_ -match 'Serial Number: "([^"]+)"') {
    New-Item -type File $matches[1] | out-null
    }
    }
    popd
  2. Save the new document as Certs.ps1.
  3. Create a directory in which empty files that correspond to all issued serial numbers are to be stored.
  4. Run the Certs.ps1 script. To do this, run the following command in Windows PowerShell:

    Certs.ps1 <directory location created in step 3>
  5. Examine the directory that you created in step 3 to make sure that the files correspond to the issued serial numbers.

    Note If you have multiple CAs hosted in your environment, make sure that their corresponding serial number directories are different. Do not share the same directory between different CAs.
  6. Run the script on the CA computer, and upload the saved file by giving it restrictive ACLs. The file should not be editable. Make sure that all the Microsoft Online Responder computers can access this location.
More information about this procedure
Microsoft Online Responder returns a value of UNKNOWN for all certificates that are issued but not yet in the file that is created in step 6. This script must be run at a regular interval and refreshed in order for Microsoft Online Responder to provide an up-to-date status. This interval setting will depend on your specific deployment environment. We recommend that you select a suitable interval anywhere from four hours to the value of the Next CRL publishing date.

Step 2: Registry

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Exit all Windows applications.
  2. Click Start, click Run, type regedit, and then click OK.
  3. Locate and then select the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OcspSvc\Responder
  4. Click the certification authority (CA) for which you created the directory structure.
  5. Right-click Provider Node, point to New, and then click Multi-String Value.
  6. Type IssuedSerialNumbersDirectories, and then press Enter.
  7. Right-click IssuedSerialNumbersDirectories, and then click Modify.
  8. In the Value data box, type the path to the directory you created in step 3 of the directory structure procedure and that contains the issued serial numbers, and then click OK.

    For the directory path, use the following format:


    \\<computername>\<directorylocation>
    For example, use a path that resembles the following:


    \\contoso-ocspfileserver\SerialNumbers
  9. On the File menu, click Exit to exit Registry Editor.
  10. Install the hotfix package that is mentioned in this article.
After you follow the “Directory structure” and “Registry” steps, install the hotfix package that is mentioned in this article.

Results

After the hotfix is installed, the Online Responder service should do the following:
  • Return a value of GOOD for the certificates that are verified
  • Return a value of REVOKED for the certificates that are included in the CRL
  • Return a value of UNKNOWN for all other certificates that cannot be verified

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Service Pack 1 for Windows 7 or Windows Server 2008 R2 installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any previously released hotfix.

↑ Back to the top


File information
The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows 7 and Windows Server 2008 R2 file information and notes

Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies to" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.

    VersionProductSR_LevelService branch
    6.1.760
    1. 22xxx
    Windows 7 and Windows Server 2008 R2SP1LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 7 and Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows 7
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certadm.dll6.1.7601.22705311,80830-May-201407:35x86NoneNot applicable
Ocsprevp.dll6.1.7601.22705151,55230-May-201407:35x86SPRX86_MICROSOFT-WINDOWS-C..RVICES-OCSP
For all supported x64-based versions of Windows 7 and Windows Server 2008 R2
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certadm.dll6.1.7601.22705419,84030-May-201408:00x64NoneNot applicable
Ocsprevp.dll6.1.7601.22705184,83230-May-201408:00x64SPRAMD64_MICROSOFT-WINDOWS-C..RVICES-OCSP
Certadm.dll6.1.7601.22705311,80830-May-201407:35x86NoneNot applicable

Additional file information for Windows 7 and Windows Server 2008 R2

Additional files for all supported x86-based versions of Windows 7
File propertyValue
File nameX86_74cf6012e0c0848e4278d81edb498f57_31bf3856ad364e35_6.1.7601.22705_none_687e23128c3d4f60.manifest
File versionNot applicable
File size720
Date (UTC)30-May-2014
Time (UTC)13:22
PlatformNot applicable
File nameX86_ba7892133a8ba51b64cdd01b6c369fc1_31bf3856ad364e35_6.1.7601.22705_none_e2bdab049b2b9eb7.manifest
File versionNot applicable
File size719
Date (UTC)30-May-2014
Time (UTC)13:22
PlatformNot applicable
File nameX86_microsoft-windows-c..ervices-certadm-dll_31bf3856ad364e35_6.1.7601.22705_none_ee75b6303a02d65e.manifest
File versionNot applicable
File size63,628
Date (UTC)30-May-2014
Time (UTC)07:59
PlatformNot applicable
File nameX86_microsoft-windows-c..rvices-ocsprevp-dll_31bf3856ad364e35_6.1.7601.22705_none_aabdbfd684b7bee2.manifest
File versionNot applicable
File size11,236
Date (UTC)30-May-2014
Time (UTC)08:00
PlatformNot applicable
Additional files for all supported x64-based versions of Windows 7 and Windows Server 2008 R2
File propertyValue
File nameAmd64_289c1acfb9c833300b9be057dddaf8ce_31bf3856ad364e35_6.1.7601.22705_none_3849b07ccfc921b1.manifest
File versionNot applicable
File size723
Date (UTC)30-May-2014
Time (UTC)13:22
PlatformNot applicable
File nameAmd64_ba7892133a8ba51b64cdd01b6c369fc1_31bf3856ad364e35_6.1.7601.22705_none_3edc468853890fed.manifest
File versionNot applicable
File size721
Date (UTC)30-May-2014
Time (UTC)13:22
PlatformNot applicable
File nameAmd64_d2636d483577d32262fc058a8024fde6_31bf3856ad364e35_6.1.7601.22705_none_272f59c3d10b686a.manifest
File versionNot applicable
File size724
Date (UTC)30-May-2014
Time (UTC)13:22
PlatformNot applicable
File nameAmd64_microsoft-windows-c..ervices-certadm-dll_31bf3856ad364e35_6.1.7601.22705_none_4a9451b3f2604794.manifest
File versionNot applicable
File size63,632
Date (UTC)30-May-2014
Time (UTC)08:30
PlatformNot applicable
File nameAmd64_microsoft-windows-c..rvices-ocsprevp-dll_31bf3856ad364e35_6.1.7601.22705_none_06dc5b5a3d153018.manifest
File versionNot applicable
File size11,240
Date (UTC)30-May-2014
Time (UTC)08:30
PlatformNot applicable
File nameX86_microsoft-windows-c..ervices-certadm-dll_31bf3856ad364e35_6.1.7601.22705_none_ee75b6303a02d65e.manifest
File versionNot applicable
File size63,628
Date (UTC)30-May-2014
Time (UTC)07:59
PlatformNot applicable

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More Information

This hotfix provides a design change that makes the Microsoft OCSP Responder aware of all certificates about which the following is true:
  • They are issued by the CA.
  • They are not revoked.
  • They are currently in their own validity period.

↑ Back to the top


References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top


Keywords: kb, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbexpertiseinter, kbsurveynew, kbbug

↑ Back to the top

Article Info
Article ID : 2960124
Revision : 1
Created on : 1/7/2017
Published on : 7/8/2014
Exists online : False
Views : 285