Hello
Can someone please help me with the following question.
In my LAB I have set up the following (MSDN subscription):
Windows 2003 R2 Active Directory (Forest and Domain at "Windows Server 2003" level)
2012 R2 offline Root CA (published the ROOT CA certificate to the member server "LocalMachine/Trusted Root Certification Authorities" store via GPO, as I could not recall the certutil command to publish to directory services)
2012 R2 online enterprise issuing CA (works fine)
Set up OCSP on a separate server following a number of articles
Templates To Issue > OCSP Response Signing
Gave the OCSP Server "Read", "Enrol" (some confusion in various articles about also assigning Auto Enrol permission, but I did not)
Gave Network Service account same permissions as above
Configured AIA extension on issuing CA for http://OCSPServer1/ocsp
Opened the OCSP MMC and configured a Revocation Configuration called MyConfig, chose the issuing CA cert by browsing AD. The wizard picked up the CA and the Template no problem, and the wizard automatically selected the check box to Auto Enrol
etc..
However I get the following message at the end of the wizard: "Bad signing certificate on array controller", and under the array controller section the certificate status says "Signing Certificate: Not Found"
Checked MMC > Certificates > Services > OCSPSvc_MyConfig: no certificate present
At issuing CA > Certificate Authority > Issued Certificates no OCSP signing certificate issued.
Do I need to publish the ROOT CA Cert to AD too rather than pushing it to LocalMachine\Trusted Root Certification Authorities via GPO?
I have also tried giving the OCSP Server and Network Service "Auto Enrol" rights on the template but no difference.
What I would like to also know please is, what triggers the "enrolment" for the OCSP cert? Is this when you complete the OCSP Revocation Configuration wizard? And does the OCSPSvc then re-enrol for another cert in two weeks, even without auto enrol configuration on the template?
Thanks very much in advance
AAnotherUser__
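Added here as an example, not part of the original post: a PowerShell check for the pieces the post lists (root trust on the responder, AD publication of the root, Enroll/Autoenroll ACEs on the OCSP Response Signing template, certificates the issuing CA has actually issued from that template, and the OCSP URL in the CA's AIA configuration). The CA config string, the root CA subject and the availability of the ActiveDirectory module on the box are assumptions; the template CN and the two extended-right GUIDs are the standard AD CS values.

```powershell
# Added example (not from the original post). Placeholder values are marked "assumed".
$CaConfig     = 'IssuingCA1.lab.local\Lab Issuing CA'  # assumed: "<host>\<CA name>" of the enterprise issuing CA
$RootSubject  = 'CN=Lab Root CA'                        # assumed: subject of the offline root CA certificate
$TemplateName = 'OCSPResponseSigning'                   # CN of the built-in "OCSP Response Signing" template

# 1. Is the root CA trusted on this machine (the store the GPO populates)?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootSubject }
if ($root) { "Root in LocalMachine\Root: $($root.Thumbprint)" } else { "Root NOT in LocalMachine\Root" }

# 2. Is the root CA published to AD? A GPO push does not create this object;
#    'certutil -dspublish -f <root.cer> RootCA' does (run once with Enterprise Admin rights).
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
$adRoots = Get-ADObject -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfg" `
                        -Filter { objectClass -eq 'certificationAuthority' }
"Root CAs published to AD: " + (($adRoots | ForEach-Object { $_.Name }) -join ', ')

# 3. Who holds Enroll / Autoenroll on the template? The responder's computer account
#    must appear with Enroll for the OCSP service to obtain its signing certificate.
$tmplDn         = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
(Get-Acl -Path "AD:\$tmplDn").Access |
    Where-Object { $_.ObjectType -in $enrollGuid, $autoEnrollGuid -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $right = if ($_.ObjectType -eq $enrollGuid) { 'Enroll' } else { 'Autoenroll' }
        '{0,-11} {1}' -f $right, $_.IdentityReference
    }

# 4. Has the issuing CA issued (Disposition 20) anything from that template?
#    An empty result here matches "Signing Certificate: Not Found" on the array controller.
certutil -config $CaConfig -view -restrict 'Disposition=20' `
         -out 'RequestID,RequesterName,CertificateTemplate,NotAfter' |
    Select-String -Pattern $TemplateName -Context 2,0

# 5. Does the CA's AIA configuration carry the OCSP URL? The entry must have the
#    32 flag (include in the AIA extension as an OCSP location) for issued certs to point at it.
certutil -config $CaConfig -getreg 'CA\CACertPublicationURLs' | Select-String -Pattern 'ocsp'
```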