Online Responder (OCSP) request with hashAlgorithm SHA256, response unauthorized (6)
Hi!
We faced a problem with the OCSP role on Windows Server 2019 (I also tried to raise the same role on our test Windows Server 2025 with the same result). We started updating our old Cisco devices to a new firmware and our remote VPN spokes lost their connections to HQ hubs. I made some investigation and found in the logs of our hubs:
Feb 4 16:12:20.979: OCSP: (93333)OCSP Parse HTTP Response command
*Feb 4 16:12:20.979: OCSP: (93333)OCSP Validate DER Response command
*Feb 4 16:12:20.980: CRYPTO_PKI: OCSP response status - unauthorized.
*Feb 4 2025 19:12:20.980: %PKI-3-OCSP_RESPONSE_STATUS: OCSP response status failed
Reason : unauthorized.
*Feb 4 16:12:20.980: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(4241) : E_NOT_AUTHORIZED : not authorized/identified to use service
*Feb 4 16:12:20.980: ../cert-c/source/asn1pub.c(283) : E_INVALID_PARAMETER : invalid function parameter (inputBER)
*Feb 4 16:12:20.980: CRYPTO_PKI: failed to decode OCSP response.
*Feb 4 16:12:20.980: CRYPTO_PKI: OCSP Error 0 - marking revocation status as UNKNOWN
*Feb 4 16:12:20.980: CRYPTO_PKI: (93333) OCSP revocation check is complete 0
*Feb 4 16:12:20.980: OCSP: destroying OCSP trans element
*Feb 4 16:12:20.980: PKI_REVO: Got a queue event - revocation process:Cert status - CRYPTO_INVALID_CERT
*Feb 4 2025 19:12:20.980: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.:Certificate chain validation has failed.
*Feb 4 16:12:20.980: CRYPTO_PKI: (93333)chain cert was anchored to trustpoint *****_SCEP, and chain validation result was: CRYPTO_INVALID_CERT
*Feb 4 16:12:20.980: CRYPTO_PKI: (93333) Certificate validation failed
*Feb 4 16:12:20.980: CRYPTO_PKI: (93333) Removing verify context
Ok, I checked my OCSP configuration:
It looks ok. I made network dumps from an old device (not updated) and a new device. I found only one difference: the OCSP request hashAlgorithm from the Cisco device. The old one is 1.3.14.3.2.26 (SHA-1) and the new one is 2.16.840.1.101.3.4.2.1 (SHA-256). Please see the screenshots below:
Old firmware request and response:
New firmware request and response:
So, we had to move to .crl links instead of OCSP. I checked a lot of articles on the Internet but there was nothing about this issue. Maybe someone had the same problem and successfully resolved it? Should we move to an OCSP server from a different vendor or fix something in our Windows Servers' OCSP role?
Thank you!
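To compare the two captures above without screenshots, here is an added example (not from the original post, Cisco or Microsoft) that builds two minimal unsigned OCSPRequests with constructed CertID contents, one per hashAlgorithm OID quoted in the post, parses the OID back out of the DER, and decodes the bare unauthorized(6) OCSPResponse. The issuer name, issuer key and serial bytes are constructed placeholders; the DER layout follows RFC 6960.

```python
import hashlib

# hashAlgorithm OIDs as raw DER OBJECT IDENTIFIER contents (the bytes after 06 <len>)
OIDS = {bytes.fromhex("2b0e03021a"): ("1.3.14.3.2.26", "SHA-1"),
        bytes.fromhex("608648016503040201"): ("2.16.840.1.101.3.4.2.1", "SHA-256")}
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
def der(tag, body):  # short-form DER TLV; every body built here is under 128 bytes
    return bytes([tag, len(body)]) + body

def build_ocsp_request(oid_contents, digest, issuer_name, issuer_key, serial):
    """Unsigned OCSPRequest > TBSRequest > requestList > Request > CertID."""
    cert_id = der(0x30, der(0x30, der(0x06, oid_contents) + b"\x05\x00")  # AlgorithmIdentifier
                  + der(0x04, digest(issuer_name).digest())             # issuerNameHash
                  + der(0x04, digest(issuer_key).digest())              # issuerKeyHash
                  + der(0x02, serial))                                  # serialNumber
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))
def tlv(buf, pos=0):
    """Read one TLV (short or long-form length) at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                     # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out
def request_hash_algorithm(req):
    """Return (dotted OID, name) of hashAlgorithm in the first CertID of an OCSPRequest."""
    tbs = children(tlv(req)[1])[0][1]                          # tbsRequest; [0] signature may follow
    req_list = next(v for t, v in children(tbs) if t == 0x30)  # skip [0] version / [1] requestorName
    cert_id = children(children(req_list)[0][1])[0][1]         # first Request -> reqCert
    alg_oid = children(children(cert_id)[0][1])[0][1]          # hashAlgorithm -> algorithm
    return OIDS.get(alg_oid, (alg_oid.hex(), "unknown"))

def response_status(resp):
    """Return (code, name) of responseStatus; 30 03 0a 01 06 on the wire is unauthorized(6)."""
    code = children(tlv(resp)[1])[0][1][0]                     # ENUMERATED, first field
    return code, STATUS.get(code, "unknown")

# Constructed sample inputs: identical CertID fields, only the hashAlgorithm differs.
NAME, KEY, SERIAL = b"constructed issuer DN", b"constructed issuer key", b"\x01\x02\x03"
OLD_FIRMWARE_REQ = build_ocsp_request(bytes.fromhex("2b0e03021a"), hashlib.sha1, NAME, KEY, SERIAL)
NEW_FIRMWARE_REQ = build_ocsp_request(bytes.fromhex("608648016503040201"), hashlib.sha256, NAME, KEY, SERIAL)
UNAUTHORIZED_RESP = bytes.fromhex("30030a0106")  # OCSPResponse { responseStatus unauthorized }
```

Feed the raw application/ocsp-request and application/ocsp-response bodies exported from a capture into the same two functions to confirm which OID the responder rejected.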