Microsoft Online Responder can't service an OCSP request that contains multiple certificates

Applies to: Windows Server 2008 R2 Enterprise, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials

Symptoms


You have the following two public key infrastructure (PKI) environments in Windows Server 2012 R2 or in Windows Server 2008 R2:
  • An enterprise PKI environment that consists of an offline root certification authority (CA) and an online enterprise issuing subordinate CA.
  • A stand-alone (non-domain) root CA that is used for external (non-corpnet) purposes. The revocation configuration for this stand-alone root CA is also hosted on the enterprise Online Responder nodes. That is, there is only one Online Certificate Status Protocol (OCSP) responder, and it serves both PKI hierarchies.

In this situation, the Microsoft Online Responder answers only OCSP requests that contain a single request entry (one certificate) for any of the configured CAs. If one OCSP request contains multiple request entries, for example one certificate from each of the configured CAs, the Microsoft Online Responder fails to respond even though revocation configurations exist for all of those CAs.

Cause


This problem occurs because the Microsoft Online Responder implements RFC 5019, Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments, which permits only one Request entry per OCSPRequest, and does not implement the full RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, in which the requestList of one OCSPRequest may contain several Request entries. Therefore, the Microsoft Online Responder in Windows does not support more than one certificate in a single OCSP request.

Resolution


To resolve this issue, install update 2967917 for Windows Server 2012 R2, or install the hotfix that is described in this article.

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to Microsoft Online Responder installations that serve OCSP clients that send multiple request entries in one OCSP request. (Note that the Windows OCSP client never puts multiple request entries in one OCSP request, so it does not need this change.) This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the Microsoft Customer Service and Support website.

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Registry information

To enable this hotfix and to allow multiple certificates (request entries) in a single OCSP request, you must set the following registry value:

Registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OCSPSvc\Responder
DWORD name: MaxNumOfRequestEntries
DWORD value: A value greater than 1

Note The default setting for the MaxNumOfRequestEntries DWORD value is 1, which keeps the previous behavior of accepting only one request entry per OCSP request.

Additional notes
  1. Check the UrlSegmentMaxLength registry value, an HTTP.sys setting that limits the length of each segment of the request URL. If it is too small, HTTP.sys rejects the request with error 400 before IIS receives it, so the IIS logs stay empty. Changing this value requires a restart of the computer.
  2. Make sure that the IIS Request Filtering Request Limits maxUrl attribute is large enough for larger requests. If it is too small, IIS returns error 404.14, because this attribute limits the length of the complete path.
  3. Note 1 and note 2 limit different things. Note 1 concerns each segment in the path, whereas note 2 pertains to the complete path. Both matter for multi-certificate requests because an OCSP client that uses HTTP GET puts the base64-encoded request in the URL path, so a request that contains several certificates produces a longer URL than a single-certificate request.

    For example:

    http://server/ocsp/request

    • A segment is any part of the path that is delimited by the forward slash (/) character. In this example, "ocsp" and "request" are separate segments because they are separated by the forward slash character.
    • In this path, /ocsp/request is the complete path.
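
The following PowerShell script is an added example, not code from this article or from Microsoft. It sets the three values discussed above (MaxNumOfRequestEntries, UrlSegmentMaxLength, and the IIS requestLimits maxUrl attribute), restarts the Online Responder service, and then sends a two-certificate OCSP request to the responder by POST and by RFC 5019 GET using OpenSSL, so that you can see whether the responder now answers a multi-entry request and how long the GET path segment is relative to the configured limits. The responder URL, the certificate file names, and the numeric limits are assumptions; openssl.exe must be on PATH; and the HTTP\Parameters key name is the standard HTTP.sys location for UrlSegmentMaxLength, which this article does not spell out.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article or from Microsoft). Enables multi-entry OCSP
# requests on an Online Responder that already has update 2967917 or the hotfix,
# raises the two URL limits from the KB's additional notes, and probes the responder
# with a two-certificate request built by OpenSSL.
# Assumptions: openssl.exe is on PATH, certificates are PEM files, the responder
# answers at http://<host>/ocsp, and the numeric limits are illustrative choices.

$OcspUrl           = 'http://ocsp.corp.example/ocsp'   # hypothetical responder URL
$MaxRequestEntries = 10     # KB: any value greater than 1 (default 1)
$UrlSegmentMax     = 2048   # HTTP.sys UrlSegmentMaxLength; default is 260 characters
$MaxUrlBytes       = 8192   # IIS requestFiltering/requestLimits maxUrl; default is 4096

function Set-OcspResponderLimits {
    # MaxNumOfRequestEntries is the value the hotfix reads (the KB's registry information).
    $ocspKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder'
    if (-not (Test-Path $ocspKey)) { New-Item -Path $ocspKey -Force | Out-Null }
    New-ItemProperty -Path $ocspKey -Name 'MaxNumOfRequestEntries' -PropertyType DWord `
        -Value $MaxRequestEntries -Force | Out-Null

    # UrlSegmentMaxLength (KB note 1): HTTP.sys answers 400 and IIS logs nothing when
    # one path segment is longer than this. HTTP.sys reads it only at boot.
    $httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    New-ItemProperty -Path $httpKey -Name 'UrlSegmentMaxLength' -PropertyType DWord `
        -Value $UrlSegmentMax -Force | Out-Null

    # maxUrl (KB note 2): IIS request filtering answers 404.14 when the whole path is longer.
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/security/requestFiltering/requestLimits' `
        -Name 'maxUrl' -Value $MaxUrlBytes

    # Assumption: the responder service picks up MaxNumOfRequestEntries on restart.
    Restart-Service -Name 'OCSPSvc'
    (Get-ItemProperty -Path $ocspKey).MaxNumOfRequestEntries
}

function Test-MultiEntryOcsp {
    param(
        [Parameter(Mandatory)] [string]   $IssuerPem,   # issuing CA certificate, PEM
        [Parameter(Mandatory)] [string[]] $LeafPems     # two or more certificates from that CA
    )
    $reqFile  = Join-Path $env:TEMP 'ocsp-multi.req'
    $respFile = Join-Path $env:TEMP 'ocsp-multi.resp'
    # Each -cert adds one Request entry to the requestList of the same OCSPRequest,
    # which a stock Windows client never does and an unpatched responder cannot answer.
    $certArgs = foreach ($leaf in $LeafPems) { '-cert'; $leaf }

    # POST (the form openssl uses): write the DER request and send it in one step.
    & openssl ocsp -issuer $IssuerPem $certArgs -no_nonce -reqout $reqFile `
        -url $OcspUrl -noverify
    "POST exit code: $LASTEXITCODE (0 = responder answered a $($LeafPems.Count)-entry request)"

    # RFC 5019 GET: the whole DER request rides in one URL path segment, so this is
    # where UrlSegmentMaxLength and maxUrl bite.
    $segment = [Uri]::EscapeDataString([Convert]::ToBase64String([IO.File]::ReadAllBytes($reqFile)))
    $path    = ([Uri]$OcspUrl).AbsolutePath + '/' + $segment
    "GET segment length $($segment.Length) (limit $UrlSegmentMax); full path length $($path.Length) (limit $MaxUrlBytes)"
    try {
        $r = Invoke-WebRequest -Uri "$OcspUrl/$segment" -UseBasicParsing -OutFile $respFile -PassThru
        "GET HTTP $($r.StatusCode), Content-Type $($r.Headers['Content-Type'])"
        # Per-certificate status. -noverify skips the signature check, so this proves only
        # that the responder parsed the multi-entry request, not that the answer is trustworthy.
        & openssl ocsp -issuer $IssuerPem $certArgs -respin $respFile -noverify
    } catch {
        # 400 with an empty IIS log points at HTTP.sys (UrlSegmentMaxLength, needs a reboot);
        # 404.14 comes from IIS request filtering (maxUrl).
        "GET failed: HTTP $([int]$_.Exception.Response.StatusCode) - $($_.Exception.Message)"
    }
}

Set-OcspResponderLimits
Test-MultiEntryOcsp -IssuerPem 'C:\pki\issuing-ca.pem' -LeafPems 'C:\pki\leaf1.pem', 'C:\pki\leaf2.pem'
```

Run the script in an elevated session on the responder. The UrlSegmentMaxLength change takes effect only after the computer is restarted, as note 1 says, so a GET probe that still fails with error 400 immediately after the script runs is expected until the restart. Both probes use -noverify so that they test multi-entry support alone; to also validate the signature on the response, add -VAfile or -CAfile with the responder's signing certificate chain.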

Prerequisites

To apply this hotfix, you must have Service Pack 1 for Windows Server 2008 R2 installed, or run in Windows Server 2012 R2.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any previously released hotfix.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


Learn about the terminology that Microsoft uses to describe software updates.