Symptoms
Consider the following scenario:
- You have the Microsoft Online Responder service installed on a server that is running Windows Server 2008 R2 or Windows Server 2012 R2.
- The server is used to configure and manage Online Certificate Status Protocol (OCSP) validation.
In this scenario, the Online Responder service does not return a deterministic value of GOOD: it answers GOOD for every certificate that is not included in the Certificate Revocation List (CRL), whether or not the CA actually issued that certificate.
Cause
This problem occurs because the OCSP Responder does not verify against an authoritative source that the certificate was actually issued by its corresponding certification authority (CA). Instead, if a certificate is not included in the CRL, the Online Responder service assumes that the certificate is valid and returns a value of GOOD.
Resolution
To resolve this issue in Windows 8.1 or Windows Server 2012 R2, install update 2967917. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2967917 July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
To resolve this issue in Windows 7 or Windows Server 2008 R2, install the hotfix that is described in the "Hotfix information" section in this article. Before you install this hotfix, you must configure the OCSP service to read the serial numbers that are issued by the certification authority. To do this, follow the steps in this section to create a directory location in which to save the serial number files and to create registry keys that point to this directory.
Notes
- The directory can be located on a network share or hosted on a local computer. If you set up an array configuration, we recommend that you host the directory on a network share so that all array members can have "Read" access to it.
- Regardless of where the directory is located, make sure that the OCSP service has the Read permission to the directory. The registry settings will not apply to any Microsoft Online Responders that are not patched by this hotfix.
Configure the OCSP service
Run the following steps on the Certificate Authority computer for which you have configured the OCSP service.
Step 1: Directory structure
- Start Notepad, and then paste the following sample script into a new document:
    param(
        # Directory that will hold one empty file per issued serial number
        [ValidateScript({Test-Path $_})]
        [String] $Path
    )
    pushd $Path
    # Clear the previous run so that serial numbers no longer reported by the CA are dropped
    dir | foreach { remove-item $_ -force }
    # "Disposition = 20" restricts the CA database view to issued certificates, one row per certificate
    certutil.exe -out serialnumber -restrict "Disposition = 20" -view | foreach {
        if ($_ -match 'Serial Number: "([^"]+)"') {
            # The file name is the serial number; the file itself stays empty
            New-Item -type File $matches[1] | out-null
        }
    }
    popd
- Save the new document as Certs.ps1.
- Create a directory in which empty files that correspond to all issued serial numbers are to be stored.
- Run the Certs.ps1 script. To do this, run the following command in Windows PowerShell:
    .\Certs.ps1 <directory location created in step 3>
- Examine the directory that you created in step 3 to make sure that the files correspond to the issued serial numbers.
  Note If you have multiple CAs hosted in your environment, make sure that their corresponding serial number directories are different. Do not share the same directory between different CAs.
- Run the script on the CA computer, and then copy the saved files to their shared location, protecting them with restrictive ACLs so that they cannot be edited. Make sure that all the Microsoft Online Responder computers can access this location.
More information about this procedure
Microsoft Online Responder returns a value of UNKNOWN for any certificate that has been issued but is not yet in the files that are created in step 6. Therefore, the script must be run and the files refreshed at a regular interval so that Microsoft Online Responder can provide an up-to-date status. The interval depends on your specific deployment environment. We recommend that you select a suitable interval anywhere from four hours to the value of the Next CRL publishing date.
Step 2: Registry
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- Exit all Windows applications.
- Click Start, click Run, type regedit, and then click OK.
- Locate and then select the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OcspSvc\Responder
- Click the certification authority (CA) for which you created the directory structure.
- Right-click Provider Node, point to New, and then click Multi-String Value.
- Type IssuedSerialNumbersDirectories, and then press Enter.
- Right-click IssuedSerialNumbersDirectories, and then click Modify.
- In the Value data box, type the path to the directory that you created in step 3 of the directory structure procedure (the directory that contains the issued serial numbers), and then click OK.
  For the directory path, use the following format:
    \\<computername>\<directorylocation>
  For example, use a path that resembles the following:
    \\contoso-ocspfileserver\SerialNumbers
- On the File menu, click Exit to exit Registry Editor.
- Install the hotfix package that is mentioned in this article.
After you follow the "Directory structure" and "Registry" steps, install the hotfix package that is mentioned in this article.
Results
After the hotfix is installed, the Online Responder service should do the following:
- Return a value of GOOD for the certificates that are verified
- Return a value of REVOKED for the certificates that are included in the CRL
- Return a value of UNKNOWN for all other certificates that cannot be verified
Hotfix information
A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
To apply this hotfix, you must have Service Pack 1 for Windows 7 or Windows Server 2008 R2 installed.
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any previously released hotfix.
The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows 7 and Windows Server 2008 R2 file information and notes
Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies to" section in articles to determine the actual operating system that each hotfix applies to.
- The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
Version | Product | SR_Level | Service branch
---|---|---|---
6.1.7601.22xxx | Windows 7 and Windows Server 2008 R2 | SP1 | LDR
- GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
- The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 7 and Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows 7
File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
---|---|---|---|---|---|---|---
Certadm.dll | 6.1.7601.22705 | 311,808 | 30-May-2014 | 07:35 | x86 | None | Not applicable
Ocsprevp.dll | 6.1.7601.22705 | 151,552 | 30-May-2014 | 07:35 | x86 | SPR | X86_MICROSOFT-WINDOWS-C..RVICES-OCSP
For all supported x64-based versions of Windows 7 and Windows Server 2008 R2
File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
---|---|---|---|---|---|---|---
Certadm.dll | 6.1.7601.22705 | 419,840 | 30-May-2014 | 08:00 | x64 | None | Not applicable
Ocsprevp.dll | 6.1.7601.22705 | 184,832 | 30-May-2014 | 08:00 | x64 | SPR | AMD64_MICROSOFT-WINDOWS-C..RVICES-OCSP
Certadm.dll | 6.1.7601.22705 | 311,808 | 30-May-2014 | 07:35 | x86 | None | Not applicable
Additional file information for Windows 7 and Windows Server 2008 R2
Additional files for all supported x86-based versions of Windows 7
File name | File version | File size | Date (UTC) | Time (UTC) | Platform
---|---|---|---|---|---
X86_74cf6012e0c0848e4278d81edb498f57_31bf3856ad364e35_6.1.7601.22705_none_687e23128c3d4f60.manifest | Not applicable | 720 | 30-May-2014 | 13:22 | Not applicable
X86_ba7892133a8ba51b64cdd01b6c369fc1_31bf3856ad364e35_6.1.7601.22705_none_e2bdab049b2b9eb7.manifest | Not applicable | 719 | 30-May-2014 | 13:22 | Not applicable
X86_microsoft-windows-c..ervices-certadm-dll_31bf3856ad364e35_6.1.7601.22705_none_ee75b6303a02d65e.manifest | Not applicable | 63,628 | 30-May-2014 | 07:59 | Not applicable
X86_microsoft-windows-c..rvices-ocsprevp-dll_31bf3856ad364e35_6.1.7601.22705_none_aabdbfd684b7bee2.manifest | Not applicable | 11,236 | 30-May-2014 | 08:00 | Not applicable
Additional files for all supported x64-based versions of Windows 7 and Windows Server 2008 R2
File name | File version | File size | Date (UTC) | Time (UTC) | Platform
---|---|---|---|---|---
Amd64_289c1acfb9c833300b9be057dddaf8ce_31bf3856ad364e35_6.1.7601.22705_none_3849b07ccfc921b1.manifest | Not applicable | 723 | 30-May-2014 | 13:22 | Not applicable
Amd64_ba7892133a8ba51b64cdd01b6c369fc1_31bf3856ad364e35_6.1.7601.22705_none_3edc468853890fed.manifest | Not applicable | 721 | 30-May-2014 | 13:22 | Not applicable
Amd64_d2636d483577d32262fc058a8024fde6_31bf3856ad364e35_6.1.7601.22705_none_272f59c3d10b686a.manifest | Not applicable | 724 | 30-May-2014 | 13:22 | Not applicable
Amd64_microsoft-windows-c..ervices-certadm-dll_31bf3856ad364e35_6.1.7601.22705_none_4a9451b3f2604794.manifest | Not applicable | 63,632 | 30-May-2014 | 08:30 | Not applicable
Amd64_microsoft-windows-c..rvices-ocsprevp-dll_31bf3856ad364e35_6.1.7601.22705_none_06dc5b5a3d153018.manifest | Not applicable | 11,240 | 30-May-2014 | 08:30 | Not applicable
X86_microsoft-windows-c..ervices-certadm-dll_31bf3856ad364e35_6.1.7601.22705_none_ee75b6303a02d65e.manifest | Not applicable | 63,628 | 30-May-2014 | 07:59 | Not applicable
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
This hotfix provides a design change that makes the Microsoft OCSP Responder aware of all certificates about which the following is true:
- They are issued by the CA.
- They are not revoked.
- They are currently in their own validity period.
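As an added illustration (not code from this article or from Microsoft), the following Python models the two halves of the fix described above: building the issued-serial-number set the way Certs.ps1 does from certutil output, and the responder's status decision before and after the hotfix, using the GOOD/REVOKED/UNKNOWN criteria from the "Results" and "More Information" sections. The validity-period check, the ISO-8601 timestamp strings and the certutil rows are assumptions constructed for this model.

```python
import re
import tempfile
from pathlib import Path

SERIAL_RE = re.compile(r'Serial Number: "([^"]+)"')   # the pattern Certs.ps1 matches on
# Constructed sample of certutil.exe -out serialnumber -restrict "Disposition = 20" -view
# output, reduced to the row lines that matter (not a real CA database dump).
CERTUTIL_OUTPUT = """\
Row 1:
  Serial Number: "1a00000003ab4f2c9d0e7f16c3000000000003"
Row 2:
  Serial Number: "1a00000004c1d2e3f4a5b6c7d8000000000004"
"""

def parse_issued_serials(certutil_text):
    """Same extraction as Certs.ps1: one serial per 'Serial Number: "..."' line."""
    return {m.group(1).lower() for m in SERIAL_RE.finditer(certutil_text)}

def write_serial_directory(directory, serials):
    """Mirror Certs.ps1: empty the directory, then create one empty file per serial."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for old in d.iterdir():
        old.unlink()
    for s in serials:
        (d / s).touch()

def load_serial_directory(directory):
    """What the patched responder reads: the file names are the issued serials."""
    return {p.name.lower() for p in Path(directory).iterdir() if p.is_file()}

def directory_roundtrip(serials):
    """Write the serials to a scratch directory and read them back (self-check)."""
    with tempfile.TemporaryDirectory() as d:
        write_serial_directory(d, serials)
        return load_serial_directory(d)

def status_before_hotfix(serial, crl):
    """Pre-hotfix: anything not on the CRL is GOOD, even a serial the CA never issued."""
    return "REVOKED" if serial.lower() in crl else "GOOD"

def status_after_hotfix(serial, crl, issued, not_before, not_after, now):
    """Post-hotfix: REVOKED if on the CRL; GOOD only if the CA issued the serial and it
    is inside its validity period (ISO-8601 UTC strings compare as text); else UNKNOWN."""
    s = serial.lower()
    if s in crl:
        return "REVOKED"
    if s in issued and not_before <= now <= not_after:
        return "GOOD"
    return "UNKNOWN"
```

The contrast to watch is a serial the CA never issued: the pre-hotfix logic answers GOOD because it is absent from the CRL, while the post-hotfix logic answers UNKNOWN because it is absent from the issued-serial directory.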
References
Learn about the terminology that Microsoft uses to describe software updates.