Troubleshooting
This section describes errors that may occur while attempting to integrate OCSP with a ProtectServer 3 HSM.
'Bad Signing Certificate on Array Controller'
Online Responder reports “Bad Signing Certificate on Array Controller”.
Cause
This error displays when the CA certificate cannot be located by the Online Responder client.
Solution
Ensure that the steps in Create Revocation Configuration have been carried out correctly. Verify that the CA is correctly configured and that a valid CA certificate exists for OCSP Signing.
‘Failed’ next to AIA entry in URL retrieval tool
Running certutil -url <certnamehere.cer> and selecting Certs (from AIA) shows an entry in the list called AIA with “Failed” next to it.
Cause
This error displays when Certificate Authority Web Enrollment is not installed on the CA.
Solution
Install Certificate Authority Web Enrollment on the CA machine.
Note
AIA failing does not adversely impact the OCSP setup. As long as both items in the Certs (from AIA) do not fail, there should not be a problem with the setup.
Unrecognized/Untrusted certificate authority
When viewing a newly generated certificate from the CA it is reported as untrusted.
Cause
This error displays when the CA has not been added to the Trusted Root Certification Authorities certificate store.
Solution
- Double-click the newly generated certificate.
- Under the General tab, select Install Certificate….
- On the first screen that is displayed, select Next.
- Select the radio button next to Place all certificates in the following store and select Browse.
- In the Select Certificate Store window that is displayed, select Trusted Root Certification Authorities and select OK.
- When the window disappears, select Next, and on the next window select Finish.
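A scripted way to confirm this cause before importing anything, as an added example that is not part of the vendor documentation: the hypothetical function Test-CaTrust builds the chain for the issued certificate and reports whether the root is missing from a Trusted Root store or the issuer certificate could not be found at all. The function name and the sample path in the usage comment are assumptions.

```powershell
# Added example (not vendor code). Test-CaTrust is a hypothetical helper name.
function Test-CaTrust {
    param(
        [Parameter(Mandatory)][string]$CertPath   # assumption: path to the newly issued .cer file
    )

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Only trust is tested here, so skip revocation (OCSP/CRL) lookups.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    $trusted = $chain.Build($cert)
    $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # Top of the chain as built; with a partial chain this may be the leaf itself.
    $top = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    } else { $cert }

    # Which Trusted Root stores already contain that certificate?
    $stores = @('LocalMachine', 'CurrentUser') |
        Where-Object { Test-Path "Cert:\$_\Root\$($top.Thumbprint)" }

    $diagnosis = if ($trusted) {
        'Chain is trusted; no import needed.'
    } elseif ($flags -contains 'PartialChain') {
        'Issuer certificate not found; obtain the CA certificate before importing.'
    } elseif ($flags -contains 'UntrustedRoot') {
        'Root CA is not in a Trusted Root store; verify its thumbprint, then import.'
    } else {
        'Chain failed for another reason; see Status.'
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        TopOfChain        = $top.Subject
        TopThumbprint     = $top.Thumbprint
        Status            = ($flags -join ', ')
        FoundInRootStores = ($stores -join ', ')
        Diagnosis         = $diagnosis
    }
}

# Usage (constructed sample path):
# Test-CaTrust -CertPath .\issued.cer | Format-List
```

Compare TopThumbprint with the thumbprint shown on the CA itself before placing the certificate in Trusted Root Certification Authorities.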
‘Invalid Provider Specified’ error
Using the certreq -new <.req file here> command throws an Invalid Provider Specified error.
Cause
This error displays when the CSPs are not installed or are not set up correctly on the client machine.
Solution
Ensure that the SafeNet CNG provider is correctly installed and set up. To overcome this issue, run the CNG Configuration Wizard under the ProtectToolkit installation folder. Alternatively, you can use the Microsoft Cryptographic Service Provider or any other service provider that is registered on the client machine.