Guest Tier 3 Support
Posted July 8, 2008

Two issues:

1. Under Enterprise PKI, the server shows "DeltaCRL Location #2" and "CDP Location #2" as Expired. All other locations show OK. Is there any way I can manually force the PKI to update/renew these CRLs?

2. After installing ADCS Online Responder, I receive the following error message:
"Bad signing certificate on Array controller"

Operating System
Windows Server 2008 SP1 (64-bit)

Roles
Active Directory Certificate Services
Active Directory Domain Services
DNS
DHCP
IIS

This server is an Enterprise Root CA and also runs the Online Responder.

--------Reply Note--------
Please reply either directly to this post or to it-tier3@visionnet.us

Guest Tier 3 Support
Posted July 8, 2008

UPDATE: Microsoft Active Directory Certificate Services - Error Messages

STATUS:
Issue 1: Unresolved
Issue 2: Resolved

UPDATE to "Bad signing certificate on Array controller"

This problem was resolved by: Adding the OCSP machine account to the "OCSP Signing Certificate" template with rights "Full Control". It is presumed that adding only "Read", "Enroll", and "Auto-Enroll" will be sufficient. "Full Control" was considered an acceptable solution solely because the hosting machine is also the Enterprise Root CA.

"Tier 3 Support" <it-tier3@visionnet.us> wrote in message news:eWXILSS4IHA.1196@TK2MSFTNGP05.phx.gbl...
> Two issues:
>
> 1. Under Enterprise PKI, the server shows "DeltaCRL Location #2" and
> "CDP Location #2" as Expired. All other locations show OK. Is there any
> way I can manually force the PKI to update/renew these CRLs?
>
>
> 2. After installing ADCS Online Responder, I receive the following
> error message:
> "Bad signing certificate on Array controller"
>
> Operating System
> Windows Server 2008 SP1 (64-bit)
>
> Roles
> Active Directory Certificate Services
> Active Directory Domain Services
> DNS
> DHCP
> IIS
>
> This server is an Enterprise Root CA and also runs the Online Responder.
>
>
> --------Reply Note--------
> Please reply either directly to this post or to it-tier3@visionnet.us

Guest Brian Komar (MVP)
Posted July 8, 2008

Inline...

"Tier 3 Support" <it-tier3@visionnet.us> wrote in message news:eWXILSS4IHA.1196@TK2MSFTNGP05.phx.gbl...
> Two issues:
>
> 1. Under Enterprise PKI, the server shows "DeltaCRL Location #2" and
> "CDP Location #2" as Expired. All other locations show OK. Is there any
> way I can manually force the PKI to update/renew these CRLs?
>

How many CAs in the CA hierarchy?
What protocol is referenced in the failed locations?
What protocols are you using to transfer the Base and delta CRL to these locations?
You probably need a scheduled task or something else to copy the files at regular intervals.

>
> 2. After installing ADCS Online Responder, I receive the following
> error message:
> "Bad signing certificate on Array controller"

More information is needed. What certificate was deployed as the OCSP signing certificate for example?

>
> Operating System
> Windows Server 2008 SP1 (64-bit)
>
> Roles
> Active Directory Certificate Services
> Active Directory Domain Services
> DNS
> DHCP
> IIS
>
> This server is an Enterprise Root CA and also runs the Online Responder.
>
>
> --------Reply Note--------
> Please reply either directly to this post or to it-tier3@visionnet.us
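
Added example, not part of the thread and not Microsoft tooling: a minimal Python reader for the thisUpdate/nextUpdate fields of a DER-encoded CRL, for checking by hand whether the file served at a CDP or delta CRL location is stale. It assumes the "Expired" status in Enterprise PKI reflects a CRL whose nextUpdate has passed; the function names and the sample CRL (unsigned, issuer "Example CA") are constructed for illustration.

```python
from datetime import datetime, timezone

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 are 19xx, 00-49 are 20xx
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CRL; nextUpdate may be None."""
    _, pos, _ = tlv(der, 0)                # CertificateList
    _, pos, end = tlv(der, pos)            # tbsCertList
    tag, start, stop = tlv(der, pos)
    if tag == 0x02:                        # optional version INTEGER comes first
        tag, start, stop = tlv(der, stop)  # signature AlgorithmIdentifier
    tag, start, stop = tlv(der, stop)      # issuer Name
    tag, start, stop = tlv(der, stop)      # thisUpdate
    this_update, next_update = parse_time(tag, der[start:stop]), None
    if stop < end:
        tag, start, nxt = tlv(der, stop)
        if tag in (0x17, 0x18):            # otherwise nextUpdate was omitted
            next_update = parse_time(tag, der[start:nxt])
    return this_update, next_update

def location_status(der, now):
    """Classify a fetched CRL by freshness: OK, Expired, or No NextUpdate."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "No NextUpdate"
    return "Expired" if now > next_update else "OK"

def enc(tag, body):  # minimal DER encoder for the sample (bodies under 128 bytes)
    return bytes([tag, len(body)]) + body

# Constructed, unsigned sample CRL (dummy signature bits), not taken from the thread.
ALG = enc(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
ISSUER = enc(0x30, enc(0x31, enc(0x30, bytes.fromhex("0603550403") + enc(0x0C, b"Example CA"))))
TBS = enc(0x30, enc(0x02, b"\x01") + ALG + ISSUER
          + enc(0x17, b"080701000000Z") + enc(0x17, b"080708000000Z"))
SAMPLE_CRL = enc(0x30, TBS + ALG + enc(0x03, b"\x00" * 9))
```

The reader does not verify the CRL signature; it only reports the validity window, so it is suited to comparing the copy at each published location against the CA's current CRL.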