Some third-party Online Certificate Status Protocol (OCSP) clients may reject a response from an OSCP responder if this OCSP responder receives a Response Signing certificate from a Windows Server 2008 certification authority

Applies to: Windows Server 2008 DatacenterWindows Server 2008 EnterpriseWindows Server 2008 Standard


Consider the following scenario:
  • An Online Certificate Status Protocol (OCSP) responder obtains a Response Signing certificate from a Windows Server 2008 certification authority (CA).
  • Some third-party OCSP clients use this OCSP server to verify certificates.
In this scenario, these OCSP clients may reject a response from the OCSP responder. When the response is rejected, a function failure occurs for some third-party OCSP clients, such as Cisco routers.


A Windows Server 2008 CA issues a Response Signing certificate to an OCSP responder. The NoRevCheck extension of this certificate contains a zero-length value instead of an ASN null value. The OCSP responder uses this certificate to respond to queries from OCSP clients.

Some third-party OCSP clients require that the value of the NoRevCheck extension is an ASN null value. Therefore, these third-party OCSP clients reject the response from the OCSP responder.


Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.


To apply this hotfix, you must have Windows Server 2008 with Certificate Services installed on the computer.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other previously released hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2008 file information notes

The MANIFEST files (.manifest) and MUM files (.mum) installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are important to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.
For all supported 32-bit versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
For all supported 64-bit versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

The Microsoft Online Responder service makes it possible to configure and manage OCSP checks of validation and of revocation in Windows-based networks. The Online Responder snap-in enables you to configure and manage revocation configurations and Online Responder Arrays to support public key infrastructure (PKI) clients in diverse environments.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Additional file information for Windows Server 2008

Additional files for all supported 32-bit versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Package_for_kb960549_client_1~31bf3856ad364e35~x86~~ Applicable1,84825-Nov-200821:23Not Applicable
Package_for_kb960549_client~31bf3856ad364e35~x86~~ Applicable1,43125-Nov-200821:23Not Applicable
Package_for_kb960549_sc_0~31bf3856ad364e35~x86~~ Applicable1,42225-Nov-200821:23Not Applicable
Package_for_kb960549_sc~31bf3856ad364e35~x86~~ Applicable1,42325-Nov-200821:23Not Applicable
Package_for_kb960549_server_0~31bf3856ad364e35~x86~~ Applicable2,11725-Nov-200821:23Not Applicable
Package_for_kb960549_server~31bf3856ad364e35~x86~~ Applicable1,43125-Nov-200821:23Not Applicable
Package_for_kb960549_winpesrv_0~31bf3856ad364e35~x86~~ Applicable1,42225-Nov-200821:23Not Applicable
Package_for_kb960549_winpesrv~31bf3856ad364e35~x86~~ Applicable1,43025-Nov-200821:23Not Applicable
X86_microsoft-windows-c..ervices-ca-certpdef_31bf3856ad364e35_6.0.6001.22317_none_bdc5b28a0ea37c86.manifestNot Applicable32,92425-Nov-200806:38Not Applicable
X86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22317_none_d803882d55c6ef90.manifestNot Applicable62,02825-Nov-200806:39Not Applicable
Additional files for all supported 64-bit versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Amd64_microsoft-windows-c..ervices-ca-certpdef_31bf3856ad364e35_6.0.6001.22317_none_19e44e0dc700edbc.manifestNot Applicable32,96025-Nov-200807:13Not Applicable
Amd64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22317_none_342223b10e2460c6.manifestNot Applicable61,71525-Nov-200807:15Not Applicable
Package_for_kb960549_client_1~31bf3856ad364e35~amd64~~ Applicable1,86025-Nov-200821:23Not Applicable
Package_for_kb960549_client~31bf3856ad364e35~amd64~~ Applicable1,43925-Nov-200821:23Not Applicable
Package_for_kb960549_sc_0~31bf3856ad364e35~amd64~~ Applicable1,43025-Nov-200821:23Not Applicable
Package_for_kb960549_sc~31bf3856ad364e35~amd64~~ Applicable1,43125-Nov-200821:23Not Applicable
Package_for_kb960549_server_0~31bf3856ad364e35~amd64~~ Applicable2,13125-Nov-200821:23Not Applicable
Package_for_kb960549_server~31bf3856ad364e35~amd64~~ Applicable1,43925-Nov-200821:23Not Applicable
Package_for_kb960549_winpesrv_0~31bf3856ad364e35~amd64~~ Applicable1,43025-Nov-200821:23Not Applicable
Package_for_kb960549_winpesrv~31bf3856ad364e35~amd64~~ Applicable1,43825-Nov-200821:23Not Applicable
X86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22317_none_d803882d55c6ef90.manifestNot Applicable62,02825-Nov-200806:39Not Applicable