TL;DR; How to discover what is wrong with OCSP response on Windows?
I am trying to install a new certificate in on-premises Exchange Server 2019. But Exchange always reports that the new certificate fails the revocation check and will not use it. The new certificate has a chain of trust from the new cert, through an intermediate CA to my root ca. When I open the new cert in certmgr.msc, I see that that chain, and all certificates are reported as OK in certmgr. I have installed my root CA into the “Trusted Root Certification Authorities” store. I have installed the intermediate CA into the “Intermediate Certification Authorities” store.
The new cert’s Authority Info Access URL specifies my own OCSP responder. I know this is not a connection nor proxy problem, because I watch the OCSP logs real-time, and I know the connection is made, and my OCSP responder sends cert “OK”. I have tested with openssl-ocsp on a linux host, and that validation succeeds, when I use this openssl command:
openssl ocsp
-issuer "$ca_sub_cert_file"
-cert "$exchangeCert"
-resp_text
-CApath "$CA_ROOTS_HASHES_DIR"
-url "http://$hostNameFull:$ocsp_port/"
Please note that the above openssl command explicitly refers to the issuer, and the CApath, and that enables trust upon the intermediate CA. On Windows, I expected that installing the root-ca and the intermediate CA would similarly enable trust for the OCSP response. But I do not know how to test this.
It should not be necessary, but I also “installed” a certificate for the ocsp-responder. I allowed the wizard to choose the store automatically, and I can not find where it was put. It does not appear when I search for it in certmgr.msc. I have not installed it manually, because I do not know which store I should use.
I suspect that the response from my openssl OCSP responder is wrong for Exchange Server 2019. My theories are:
- A trust chain cannot be built from the new certificate to my root CA
- The chain is built, but one of the certificates for ocsp-responder, the intermediate-ca, or root-ca is not trusted. Even though intermediate-ca, and root-ca are installed.
- The openSSL response is incompatible with Windows and or Exchange Server 2019
How can I test the above theories? I searched the windows event logs but they do not contain any mention of OCSP or revocation.
The
certutil.exe
has a relatively new option, called-downloadocsp
which you can use to verify the OCSP responses.certs
andresults
.certs
folder. If your using OCSP to check the CA certificate too, place a copy of the CA certificate in that folder.certutil -downloadocsp certs results downloadonce
. This will create a.ocsp
file withinresults
for each response.certutil results\????.ocsp
to view each response as plaintext.The above is from Mark Cooper's brilliant website.