
If you see a red ‘X’ in the Enterprise PKI MMC when verifying the status of the OCSP Responder, look more closely at the details: compare the AIA and CDP extensions defined on the Issuing CA with the AIA and CDP extensions present in the CA Exchange certificate the OCSP Responder is using.

Minor details such as an incorrect AIA path will cause PKIVIEW to show the dreaded ‘X’ even if the actual functionality of the OCSP is not severely affected.

If the original AIA path that was used when the OCSP Responder was added has since been changed in the extensions on the CA server, you may need to revoke the current CA Exchange certificate used by the OCSP Responder, delete the existing OCSP connection and set it up again (which should typically cause the CA to enroll for a new CA Exchange certificate if no valid CA Exchange certificate is present).
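
One way to make that comparison concrete, as an added example that is not part of the original post: the script below lists AIA and CDP URLs that differ between the CA Exchange certificate and a certificate the same CA issued recently, which carries the extensions currently defined on the CA. It assumes Windows PowerShell 3.0 or later and that both certificates have been exported to files; the function names and the file paths are hypothetical.

```powershell
# Added example: diff the AIA/CDP URLs of two certificates from the same CA.
function Get-ExtensionUrl {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Oid
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }   # extension absent: nothing to compare
    # Windows renders each location in the extension as a "URL=..." line.
    $text = $ext.Format($true)
    @([regex]::Matches($text, '(?m)URL=(.+?)\s*$') |
        ForEach-Object { $_.Groups[1].Value })
}

function Compare-CaExtensionUrl {
    param([string]$ExchangeCertPath, [string]$RecentCertPath)
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    # Resolve-Path: .NET resolves relative paths against the process directory.
    $xchg   = New-Object $type ((Resolve-Path $ExchangeCertPath).Path)
    $recent = New-Object $type ((Resolve-Path $RecentCertPath).Path)
    $extensions = @(
        @{ Name = 'AIA'; Oid = '1.3.6.1.5.5.7.1.1' },   # Authority Information Access
        @{ Name = 'CDP'; Oid = '2.5.29.31' }            # CRL Distribution Points
    )
    foreach ($e in $extensions) {
        $old = @(Get-ExtensionUrl $xchg   $e.Oid)
        $new = @(Get-ExtensionUrl $recent $e.Oid)
        foreach ($u in $old) {
            if ($new -notcontains $u) {
                [pscustomobject]@{ Extension = $e.Name; Url = $u
                                   FoundIn = 'CA Exchange certificate only' }
            }
        }
        foreach ($u in $new) {
            if ($old -notcontains $u) {
                [pscustomobject]@{ Extension = $e.Name; Url = $u
                                   FoundIn = 'Recently issued certificate only' }
            }
        }
    }
}

# Hypothetical file names; no output means the AIA and CDP URLs match.
Compare-CaExtensionUrl -ExchangeCertPath .\ca-exchange.cer `
                       -RecentCertPath .\recent-issued.cer | Format-Table -AutoSize
```

A URL reported as present only in the CA Exchange certificate is a path that was in effect when that certificate was issued and has since been changed on the CA.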

 

Further details:

Active Directory Certificate Services Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

Certificate Templates Overview
http://technet.microsoft.com/en-us/library/cc730826(WS.10).aspx