Udostępnij za pośrednictwem


For configuration , Online Responder revocation provider either has no CRL information or has stale CRL information

This is typically related to the CRL's of the issuing CA or Root CA having expired in their current CDP location.

To resolve it check that all CA's are able to publish base CRL's and Delta CRL's to the locations defined on the OCSP Responders cert for that configuration.

Another scenario is if a CA in the chain has had its certificate renewed with a new keypair and the CDP is hardcoded to a specific name rather than the variables used by the CA.  In that case the new CRL will be signed by a different keypair than the CRL that is associated with the OCSP responder cert.  To resolve it the quickest method is typically to enroll for a new OCSP responder cert from the CA as that will use the new keys for the CRL.

Further details

Installing, Configuring, and Troubleshooting the Online Responder (Microsoft's OCSP Responder)
http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/Installing_Configuring_and_Troubleshooting_the_Online_Responder.doc

Troubleshooting Certificate Status and Revocation
http://technet.microsoft.com/en-us/library/cc700843.aspx