Assume the following scenario:
- An online responder (OCSP) is configured on the network.
- OCSP is enabled for a certificate authority and a revocation configuration is set up.
- The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider. The revocation provider failed with the current configuration. The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND), 0x800710d8
The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Thanks to OCSP, entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates, but can send a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)".
In the event log, events no. 16 and 17 from the source Microsoft-Windows-OnlineResponderRevocationProvider are logged.
Cause
The error occurs when the revocation list (CRL) address configured in the revocation configuration is not available: the web server that is supposed to provide the revocation list reports HTTP error 404 (Not Found).
In most cases, the configuration for revocation list publication on the certification authority should be checked. If there are script-based jobs for transferring the revocation lists to the web servers, these should be checked for correct functioning.
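The following Windows PowerShell snippet is an added example, not code from the original article. It reads the revocation configurations of the local Online Responder and probes every configured base and delta CRL URL with an HTTP HEAD request, so that a 404 (or an unreachable web server) is visible per URL before the configuration is reloaded. It assumes that the revocation provider exposes its CRL locations in the ProviderProperties collection under the names "BaseCrlUrls" and "DeltaCrlUrls" (the property names used by the Microsoft CRL-based revocation provider); verify these names on your own responder if the lookup returns nothing.

```powershell
# Added example: check the reachability of all CRL URLs of every revocation
# configuration on the local Online Responder. Not part of the original article.
# Assumption: CRL locations are stored as the provider properties
# "BaseCrlUrls" and "DeltaCrlUrls" (each an array of URL strings).

$OcspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$OcspAdmin.GetConfiguration($env:ComputerName, $True)

foreach ($Config in $OcspAdmin.OCSPCAConfigurationCollection) {

    # Collect base and delta CRL URLs; the delta property is absent when
    # no delta CRL has been configured, hence the try/catch.
    $Urls = @()
    foreach ($PropertyName in "BaseCrlUrls", "DeltaCrlUrls") {
        try {
            $Urls += @($Config.ProviderProperties.ItemByName($PropertyName).Value)
        }
        catch {
            # property not present for this configuration
        }
    }

    foreach ($Url in $Urls) {
        try {
            $Response = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15
            $Status = [int]$Response.StatusCode
        }
        catch {
            # Windows PowerShell throws on 4xx/5xx responses; the status code is
            # still available on the response object attached to the exception.
            if ($_.Exception.Response) {
                $Status = [int]$_.Exception.Response.StatusCode
            }
            else {
                $Status = "unreachable: $($_.Exception.Message)"
            }
        }

        [PSCustomObject]@{
            Configuration = $Config.Identifier
            Url           = $Url
            HttpStatus    = $Status
        }
    }
}
```

Any line reporting HttpStatus 404 points at the CRL that the revocation provider cannot retrieve; fix the CRL publication (or the transfer job) for that URL first, then reload the revocation configurations.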
After the error has been corrected, the revocation configuration should be reloaded.
With Windows PowerShell, the revocation configurations can be reloaded using the following code:
# Connect to the Online Responder and load its current configuration
$OcspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$OcspAdmin.GetConfiguration($env:ComputerName, $True)
# Re-assign a property on every revocation configuration so that it is marked as modified
$OcspAdmin.OCSPCAConfigurationCollection | ForEach-Object { $_.HashAlgorithm = $_.HashAlgorithm }
# Write the configuration back, which causes the responder to reload all revocation configurations
$OcspAdmin.SetConfiguration($env:ComputerName, $True)