Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
If you see a red ‘X’ in the Enterprise PKI MMC when verifying the status of the OCSP Responder you need to look closer at details such as the AIA and CDP extensions that are defined on the Issuing CA and compare these with the AIA and CDP extensions that are present in the CA Exchange certificate the OCSP Responder is using.
Minor details such as an incorrect AIA path will cause PKIVIEW to pop up the dreaded ‘X’ even if the actual functionality of the OCSP is not severely affected.
If the original AIA path that was used when the OCSP Responder was added has been changed in the extensions on the CA server you may need to revoke the current CA Exchange certificate used by the OCSP Responder, delete the existing OCSP connection and set it up again (Which should typically cause the CA to enroll for a new CA Exchange certificate if no valid CA Exchange certificate is present).
Active Directory Certificate Services Step-by-Step Guide http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
Certificate Templates Overview http://technet.microsoft.com/en-us/library/cc730826(WS.10).aspx