The Online Responder service does not return a deterministic GOOD for all certificates not included in the CRL

Applies to: Windows 8.1 Enterprise, Windows 8.1, Windows 8.1 Pro, and more

Symptoms


Consider the following scenario:
  • You have the Microsoft Online Responder service installed on a server that is running Windows Server 2008 R2 or Windows Server 2012 R2.
  • The server is used to configure and manage Online Certificate Status Protocol (OCSP) validation.

In this scenario, the Online Responder service does not return a deterministic value of GOOD for all certificates that are not included in the certificate revocation list (CRL).

Cause


This problem occurs because the OCSP responder does not verify, against a confirmed source, that the certificate was actually issued by its corresponding certification authority (CA). Instead, if a certificate is not included in the CRL, the Online Responder service assumes that the certificate is valid and returns a value of GOOD, even for a serial number the CA never issued.

Resolution


To resolve this issue in Windows 8.1 or Windows Server 2012 R2, install update 2967917. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2967917 July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

To resolve this issue in Windows 7 or Windows Server 2008 R2, install the hotfix that is described in the "Hotfix information" section in this article.

Before you install this hotfix, you must configure the OCSP service to read serial numbers that are issued by the Certificate Authority. To do this, follow the steps in this section to create a directory location in which to save the serial number files and to create registry keys that point to this directory.

Notes
  • The directory can be located on a network share or hosted on a local computer. If you set up an array configuration, we recommend that you host the directory on a network share so that all array members can have "Read" access to it.
  • Regardless of where the directory is located, make sure that the OCSP service has the Read permission to the directory. The registry settings will not apply to any Microsoft Online Responders that are not patched by this hotfix.

Configure the OCSP service

Run the following steps on the Certificate Authority computer for which you have configured the OCSP service.

Step 1: Directory structure

  1. Start Notepad, and then paste the following sample script into a new document:

    param(
        # Directory that will hold one empty file per issued serial number; it must already exist.
        [ValidateScript({Test-Path $_})]
        [String] $Path
    )
    pushd $Path
    # Remove the output of the previous run so that stale serial-number files do not linger.
    dir | foreach {
        remove-item $_ -force
    }
    # Disposition 20 = "Issued" in the CA database. For each issued certificate, create an
    # empty file whose name is the certificate serial number.
    certutil.exe -out serialnumber -restrict "Disposition = 20" -view | foreach {
        if($_ -match 'Serial Number: "([^"]+)"') {
            New-Item -type File $matches[1] | out-null
        }
    }
    popd
  2. Save the new document as Certs.ps1.
  3. Create a directory in which empty files that correspond to all issued serial numbers are to be stored.
  4. Run the Certs.ps1 script. To do this, run the following command in Windows PowerShell:

    .\Certs.ps1 <directory location created in step 3>
  5. Examine the directory that you created in step 3 to make sure that the files correspond to the issued serial numbers.

    Note If you have multiple CAs hosted in your environment, make sure that their corresponding serial number directories are different. Do not share the same directory between different CAs.
  6. Run the script on the CA computer, and then publish the resulting directory to the shared location with restrictive ACLs. The files should not be editable. Make sure that all the Microsoft Online Responder computers can access this location.
More information about this procedure
Microsoft Online Responder returns a value of UNKNOWN for all certificates that are issued but not yet represented in the serial-number directory that is published in step 6. This script must be run at a regular interval and its output refreshed in order for Microsoft Online Responder to provide an up-to-date status. This interval setting will depend on your specific deployment environment. We recommend that you select a suitable interval anywhere from four hours to the value of the Next CRL publishing date.

Step 2: Registry

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Exit all Windows applications.
  2. Click Start, click Run, type regedit, and then click OK.
  3. Locate and then select the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OcspSvc\Responder
  4. Click the certification authority (CA) for which you created the directory structure.
  5. Right-click the Provider node, point to New, and then click Multi-String Value.
  6. Type IssuedSerialNumbersDirectories, and then press Enter.
  7. Right-click IssuedSerialNumbersDirectories, and then click Modify.
  8. In the Value data box, type the path to the directory that you created in step 3 of the "Directory structure" procedure (the directory that contains the issued serial numbers), and then click OK.

    For the directory path, use the following format:

    \\<computername>\<directorylocation>

    For example, use a path that resembles the following:

    \\contoso-ocspfileserver\SerialNumbers
  9. On the File menu, click Exit to exit Registry Editor.
  10. Install the hotfix package that is mentioned in this article.
After you follow the “Directory structure” and “Registry” steps, install the hotfix package that is mentioned in this article.
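The same registry change, scripted rather than clicked through in Registry Editor, as an added example (not part of the KB article). It writes IssuedSerialNumbersDirectories under the Provider node of one revocation configuration and then confirms that the directory is reachable and readable. The configuration subkey name and the share path are placeholders, and the Online Responder is assumed to run as NETWORK SERVICE (the default), so that is the account the ACL check looks for.

```powershell
# Added example, not from the KB article. Placeholders: $ConfigName is the subkey under
# ...\OcspSvc\Responder for the CA; $SerialDirectory is the share produced by Certs.ps1.
param(
    [Parameter(Mandatory=$true)][string] $ConfigName,
    [Parameter(Mandatory=$true)][string] $SerialDirectory   # e.g. \\contoso-ocspfileserver\SerialNumbers
)

$providerKey = "HKLM:\SYSTEM\CurrentControlSet\Services\OcspSvc\Responder\$ConfigName\Provider"
if (-not (Test-Path $providerKey)) {
    throw "Provider node not found: $providerKey"
}

# The value is a Multi-String (REG_MULTI_SZ): one directory per entry, hence the array.
New-ItemProperty -Path $providerKey -Name 'IssuedSerialNumbersDirectories' `
    -PropertyType MultiString -Value @($SerialDirectory) -Force | Out-Null

# Read the value back so that a mistyped path is caught now, not when clients start getting UNKNOWN.
$written = (Get-ItemProperty -Path $providerKey -Name 'IssuedSerialNumbersDirectories').IssuedSerialNumbersDirectories
Write-Host "IssuedSerialNumbersDirectories is now:"
$written | ForEach-Object { Write-Host "  $_" }

# Assumed service account: NETWORK SERVICE (default for the Online Responder). Read access may
# also arrive through one of the broad groups listed here; adjust if your deployment differs.
$readers = @('NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
foreach ($dir in $written) {
    if (-not (Test-Path $dir)) { Write-Warning "Directory is not reachable from this host: $dir"; continue }
    $acl = Get-Acl -Path $dir
    $readAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($readers -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
    if ($readAce) { Write-Host "Read access present on: $dir" }
    else { Write-Warning "No Allow/Read ACE for the OCSP service account on: $dir" }
}
```

Run it on each Online Responder array member after the hotfix is installed; members that are not patched ignore the value, as the Notes above state.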

Results

After the hotfix is installed, the Online Responder service should do the following:
  • Return a value of GOOD for the certificates that are verified
  • Return a value of REVOKED for the certificates that are included in the CRL
  • Return a value of UNKNOWN for all other certificates that cannot be verified
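To sanity-check a serial-number directory and CRL before clients rely on them, here is an added helper (not from the KB article) that reproduces the three outcomes listed above for a queried serial number, and warns when the directory entry is older than the refresh interval chosen for Certs.ps1. It assumes serial numbers are the hex strings certutil prints, that the caller supplies the revoked serials (for example, parsed from the CRL), and it uses constructed sample data in a temporary directory.

```powershell
# Added example, not from the KB article. Models the post-hotfix decision: REVOKED if in the CRL,
# GOOD only if a file named after the serial exists in the issued-serial directory, else UNKNOWN.
function Get-ExpectedOcspStatus {
    param(
        [Parameter(Mandatory=$true)][string] $SerialNumber,
        [Parameter(Mandatory=$true)][string] $SerialDirectory,
        [string[]] $RevokedSerials = @(),     # assumed input: serials taken from the CRL
        [int]      $MaxAgeHours = 4           # the Certs.ps1 refresh interval you chose
    )
    $serial = $SerialNumber.ToLower()

    # Revocation takes precedence over the issued-serial list.
    if ($RevokedSerials | Where-Object { $_.ToLower() -eq $serial }) { return 'REVOKED' }

    # Only a serial the CA is known to have issued may be answered GOOD.
    $issuedFile = Join-Path $SerialDirectory $serial
    if (Test-Path $issuedFile) {
        # A stale directory silently turns newly issued certificates into UNKNOWN answers,
        # so flag entries older than the refresh interval.
        $age = (Get-Date) - (Get-Item $issuedFile).LastWriteTime
        if ($age.TotalHours -gt $MaxAgeHours) {
            Write-Warning "Issued-serial entry is $([int]$age.TotalHours) hours old; rerun Certs.ps1."
        }
        return 'GOOD'
    }

    # Not revoked and not proven issued: before the hotfix this case was answered GOOD.
    return 'UNKNOWN'
}

# Constructed sample data: two issued serials, one of which is also revoked.
$sampleDir = Join-Path $env:TEMP 'SerialNumbersSample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
'1a2b3c4d00000001', '1a2b3c4d00000002' |
    ForEach-Object { New-Item -ItemType File -Path (Join-Path $sampleDir $_) -Force | Out-Null }
$revoked = @('1a2b3c4d00000002')

Get-ExpectedOcspStatus '1a2b3c4d00000001' $sampleDir $revoked   # issued, not in the CRL
Get-ExpectedOcspStatus '1a2b3c4d00000002' $sampleDir $revoked   # issued, listed in the CRL
Get-ExpectedOcspStatus 'ffffffff00000099' $sampleDir $revoked   # never issued by this CA
```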

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Service Pack 1 for Windows 7 or Windows Server 2008 R2 installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any previously released hotfix.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


This hotfix provides a design change that makes the Microsoft OCSP Responder aware of all certificates about which the following is true:
  • They are issued by the CA.
  • They are not revoked.
  • They are currently in their own validity period.
