Assume the following scenario:
- After installing an Online Responder (OCSP), creating a revocation configuration, and adjusting the certification authority (or configuring a group policy that forces clients to use the Online Responder), the functional test shows that revocation checking via OCSP nevertheless does not work.
- The OCSP address check reports HTTP status 404 (not found).
The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Thanks to OCSP, entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates, but can instead send a specific request for the certificate in question to the Online Responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)".
The management console for the Enterprise PKI (pkiview.msc) displays the status "Error".
You can confirm this by exporting any valid certificate issued by the certification authority to a file and checking it from the command line (the -urlfetch option makes certutil actually retrieve the AIA, CRL and OCSP locations embedded in the certificate):
certutil -verify -urlfetch {filename-certificate}.cer
Checking the Default Web Site in the Internet Information Services (IIS) Manager shows that the required virtual directory "ocsp" does not exist. Without it, the OCSP URL published in the certificates points to a path that IIS cannot serve, hence the 404.
The virtual directory can be created (or recreated) with the following command, run on the Online Responder server from an elevated command prompt:
certutil -vocsproot
The change takes effect without restarting the Web Server service.
Please note that the Enterprise PKI management console (pkiview.msc) will still display an error for a while, because the previous negative response (the 404) is cached on the client side. To clear this cache, see the article "View and clear the revocation list address cache (CRL URL Cache)".
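The diagnosis and repair described above, put together as a PowerShell script. This is an added example, not part of the original article: it checks whether the "ocsp" virtual directory exists under the Default Web Site, recreates it with certutil if it is missing, clears the current user's URL cache, and re-runs the certutil revocation check. The site name "Default Web Site" and the certificate path C:\Temp\test.cer are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article). Run elevated on the Online Responder.
# Assumptions: the IIS WebAdministration module is available, the OCSP web proxy lives
# under "Default Web Site", and C:\Temp\test.cer is an exported certificate from the CA.
Import-Module WebAdministration

$siteName = 'Default Web Site'                      # assumption: default IIS site
$certFile = 'C:\Temp\test.cer'                      # assumption: exported test certificate
$vdirPath = "IIS:\Sites\$siteName\ocsp"             # path the OCSP ISAPI extension is served from

# Step 1: does the "ocsp" virtual directory exist? A missing one yields HTTP 404.
if (Test-Path $vdirPath) {
    $vdir = Get-Item $vdirPath
    Write-Host "Virtual directory 'ocsp' exists, physical path: $($vdir.physicalPath)"
}
else {
    Write-Warning "Virtual directory 'ocsp' is missing under '$siteName'. Creating it with certutil -vocsproot."
    & certutil.exe -vocsproot | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -vocsproot failed with exit code $LASTEXITCODE"
    }
    if (-not (Test-Path $vdirPath)) {
        throw "certutil reported success but '$vdirPath' still does not exist; check IIS manually."
    }
    Write-Host "Virtual directory 'ocsp' created. No restart of the Web Server service is needed."
}

# Step 2: clear the current user's cached URL results, otherwise certutil and pkiview.msc
# keep reporting the old negative (404) answer for a while.
& certutil.exe -urlcache * delete | Out-Null

# Step 3: re-run the revocation check with -urlfetch so certutil really retrieves the
# OCSP and CRL locations from the certificate, and show only the OCSP-related lines.
if (-not (Test-Path $certFile)) {
    throw "Test certificate '$certFile' not found. Export any valid certificate issued by the CA first."
}
$output = & certutil.exe -verify -urlfetch $certFile 2>&1
$ocspLines = $output | Select-String -Pattern 'OCSP'
$ocspLines | ForEach-Object { $_.Line }

# A line reading 'Failed "OCSP"' or an HTTP error next to the OCSP URL means the
# responder is still not reachable; 'Verified "OCSP"' means the 404 is resolved.
if ($output -match 'Failed "OCSP"') {
    Write-Warning "OCSP check still failing. Verify the OCSP URL in the certificate matches the responder's web address."
}
else {
    Write-Host "OCSP check succeeded."
}
```

The script runs certutil rather than talking to IIS or the responder directly, because certutil -vocsproot is the supported way to (re)create the OCSP web proxy virtual directory and certutil -verify -urlfetch exercises exactly the path that clients use. The filtered output is meant for a human to read; check the "OCSP" lines rather than relying only on the final exit code.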