Forum Discussion
Failed to initialize OCSP Auth Module
Okay, I was able to put this together in my lab and came across some interesting findings.
The Microsoft OCSP defaults to http://[ServerDNSName]/ocsp - there's probably a way to change that, but it isn't the most intuitive thing in the world, so I'd imagine that "/ocsp" would be the de facto URI for most MS OCSP deployments.
Despite setting the "Enable NONCE extension support" option in the revocation configuration settings, the OpenSSL ocsp call wasn't working unless I specifically disabled nonce using the "-no_nonce" option. This equates to unchecking the Nonce option in the APM OCSP AAA configuration. I also checked "Ignore AIA" here. It's not expressly required, but since you're trying to validate all certificates to a local responder, the last thing you need is a certificate with an incorrect AIA.
The only other option that was of any value in the OCSP AAA was the Certificate Authority File, which in my case was the single CA and issuer of local user certs. This could be a bundle if in a multi-level CA structure.
Here is the command line I used to test MS OCSP (modify as required):

openssl ocsp -issuer ocsptest-ca-mydomain-com.cer -cert ocsptest-bob-2.cer -url http://10.80.0.200/ocsp -CAfile ocsptest-ca-mydomain-com.cer -no_nonce

If you cannot get this command line to work, I'd suggest that the fault probably lies in the OCSP configuration. I relied heavily on the following article series to make sure my MS OCSP was configured correctly:
- Implementing an OCSP responder: Part I Introducing OCSP
- Implementing an OCSP responder: Part II Preparing Certificate Authorities
- Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
- Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs
- Implementing an OCSP Responder: Part V High Availability
- Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy
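Wrapping the post's test command in a small script, as an added example that is not the poster's own code: it runs the same openssl ocsp query with the nonce disabled and then classifies the text output, treating the certificate status as meaningful only when the response itself verified against the CA file. File names and the responder URL are the ones assumed from the post; adjust them for your environment.

```shell
#!/bin/sh
# Added example (not from the original post). Checks a user certificate against a
# local Microsoft OCSP responder with the nonce extension disabled, as the post
# describes, and reduces the openssl output to a single status word.
#
# Usage (file names and URL assumed from the post):
#   check_cert ocsptest-ca-mydomain-com.cer ocsptest-bob-2.cer http://10.80.0.200/ocsp

# Classify the text output of `openssl ocsp`.
# Prints one of: good, revoked, unknown, error.
# Exit status: 0 good, 1 error (including an unverified response), 2 revoked, 3 unknown.
classify_ocsp_output() {
    ocsp_out="$1"
    # If the response did not verify against -CAfile, no status in it can be trusted,
    # so report an error even when the body says "good".
    case "$ocsp_out" in
        *"Response verify OK"*) ;;
        *) echo error; return 1 ;;
    esac
    case "$ocsp_out" in
        *": good"*)    echo good;    return 0 ;;
        *": revoked"*) echo revoked; return 2 ;;
        *": unknown"*) echo unknown; return 3 ;;
        *)             echo error;   return 1 ;;
    esac
}

# Query the responder with the nonce disabled (required for the MS responder in the
# post) and classify the result. The issuer certificate doubles as the CA file, as in
# the post's single-tier CA; pass a bundle for a multi-level hierarchy.
check_cert() {
    issuer_cer="$1"; user_cer="$2"; responder_url="$3"
    raw=$(openssl ocsp -issuer "$issuer_cer" -cert "$user_cer" -url "$responder_url" \
          -CAfile "$issuer_cer" -no_nonce 2>&1)
    classify_ocsp_output "$raw"
}
```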