Collection Rule for event with source OnlineResponder and ID 18 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.OCSPEvents.18
  • Description:  The Online Responder service was stopped
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Causes
This rule does not contain any causes.
Resolutions

Ensure that the delta CRL version matches the base CRL version

A delta certificate revocation list (CRL) can only be used with a corresponding base CRL. To ensure that the delta CRL version matches the base CRL version:

  • Check for CRL publishing errors on the certification authority (CA).

  • Republish base and delta CRLs.

  • Check and update local CRLs on the Online Responder computer.

  • Refresh and update revocation information on the Online Responder.

  • Confirm that the configured CRL distribution points on the CA and Online Responder use the same location.

  • Update revocation information.

  • If the problem persists, use CryptoAPI 2.0 Diagnostics to obtain additional information about the problem.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Check for CRL publishing errors on the CA

To check for CRL publishing errors on the CA:

  • On the CA, click Start, point to Administrative Tools, and click Event Viewer.

  • Check for additional errors or warnings related to CRL publishing. For more information, see http://go.microsoft.com/fwlink/?LinkId=102985.

  • Resolve any problems identified, and republish both the base and delta CRLs.

Republish base and delta CRLs

To republish base and delta CRLs:

  • Open a command prompt window on the CA.

  • Type certutil -crl and press ENTER.

  • Confirm that no further errors or events are logged.

Check and update local CRLs on the Online Responder computer

To ensure that current base and delta CRLs are available on the Online Responder:

  • On the computer hosting the Online Responder, click Start, type mmc, and then press ENTER.

  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  • On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  • Click Service account, and click Next.

  • In Select Service, click Online Responder Service, click Finish, and then click OK. 

  • Select the Certificate Revocation List folder for either the Intermediate Certification Authorities or Trusted Root Certification Authorities containers, depending on the type of CA that supports the Online Responder service.

  • Check the BaseCRLNumber specified in the delta CRL indicator extension of the delta CRL.  This number should reference the version number of a published base CRL. 

  • If this number does not match the version number of a published base CRL, republish both the base and delta CRLs by opening a command prompt window on the CA and running the following command: certutil -crl.

  • Retrieve updated CRL data on the Online Responder. To do this, restart the Online Responder service on each Array member or right-click Array configuration in the Online Responder snap-in, and click Refresh Revocation Data. Then confirm that the base and delta CRL version numbers match.
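The BaseCRLNumber comparison in this procedure can also be run offline against exported CRL files. The following is an added example, not part of the management pack: a standard-library Python parser that reads the CRL Number and Delta CRL Indicator extensions from DER-encoded CRLs and compares them. The function names and the sample CRL bytes are constructed for illustration.

```python
OID_CRL_NUMBER = bytes.fromhex("551d14")  # 2.5.29.20, CRL Number
OID_DELTA_IND = bytes.fromhex("551d1b")   # 2.5.29.27, Delta CRL Indicator

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def crl_numbers(crl_der):
    """Return (crl_number, base_crl_number); the second is None for a base CRL."""
    tbs = children(tlv(crl_der)[1])[0][1]  # CertificateList -> tbsCertList
    found = {}
    for tag, val in children(tbs):
        if tag != 0xA0:  # crlExtensions is the only [0] EXPLICIT field
            continue
        for _, ext in children(tlv(val)[1]):
            fields = children(ext)  # extnID, optional critical flag, extnValue
            oid, octets = fields[0][1], fields[-1][1]
            if oid in (OID_CRL_NUMBER, OID_DELTA_IND):
                found[oid] = int.from_bytes(tlv(octets)[1], "big")
    return found.get(OID_CRL_NUMBER), found.get(OID_DELTA_IND)

def delta_matches_base(base_der, delta_der):
    """True when the delta's BaseCRLNumber equals the base CRL's CRL Number."""
    base_number, base_indicator = crl_numbers(base_der)
    _, delta_indicator = crl_numbers(delta_der)
    if base_indicator is not None or delta_indicator is None:
        raise ValueError("expected a base CRL first and a delta CRL second")
    return delta_indicator == base_number

# Constructed, unsigned CRL skeletons (not real CA output): base CRL number 10,
# and a delta with CRL number 12 whose indicator points at base number 10.
_HEAD = "020101 3000 3000 170d3235303130313030303030305a"
SAMPLE_BASE = bytes.fromhex("302d 3026" + _HEAD + "a00e300c 300a0603551d14040302010a 3000 030100")
SAMPLE_DELTA = bytes.fromhex("303c 3035" + _HEAD + "a01d301b 300a0603551d14040302010c"
                             "300d0603551d1b0101ff040302010a 3000 030100")
```

For real files, pass the bytes of each DER-encoded CRL (read in binary mode) to delta_matches_base; a False result corresponds to the mismatch that this procedure resolves by running certutil -crl on the CA.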

Confirm that the configured CRL distribution points on the CA and Online Responder use the same location

To confirm that the configured CRL distribution points on the CA and Online Responder use the same location:

  • On the Online Responder, click Start, point to Administrative Tools, and click Online Responder.

  • In the console tree, select the revocation configuration node. 

  • In the details pane, right-click the revocation configuration specified in the event description, and click Edit Properties.

  • Click the Revocation Provider tab, and click Provider. Note the URLs configured in Base CRLs and Delta CRLs. 

  • Confirm that the Online Responder computer can access these locations.

  • Open the Certification Authority snap-in, right-click the name of the CA, and click Properties.

  • On the Extensions tab, select the CRL Distribution Point extension, note the URLs that are listed, and confirm that the URLs on the two computers use the same location.

Update revocation information

You can update revocation information by retrieving an updated CRL. An updated CRL can be retrieved by:

  • Using the Services snap-in console to restart the Online Responder service

  • Using the Online Responder snap-in to refresh revocation data and confirming that the error does not appear

To update revocation information for an Online Responder by using the Services snap-in console:

  • On the Online Responder, click Start, point to Administrative Tools, and click Services.

  • Click Online Responder Services, and click Restart.

To update revocation information for an Online Responder by using the Online Responder snap-in:

  • On the computer hosting the Online Responder, click Start, point to Administrative Tools, and click Online Responder.

  • Right-click Array Configuration, and click Refresh Revocation Data.

  • Confirm that no additional errors are reported.

  • Click the Online Responder node, and confirm that the revocation configuration is listed as Working.

  • Under Array Configuration, select the Online Responder computer that logged the error, and then click the revocation configuration named in the error.

  • Under the details pane, view the Revocation Configuration Status pane for the status of the signing certificate and the revocation provider.

  • Confirm that no additional errors are reported.

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

  • On the Online Responder, click Start, point to Administrative Tools, and click Event Viewer.

  • In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.

  • Right-click Operational, and click Enable Log.

  • Click Start, point to Administrative Tools, and click Services.

  • Right-click Active Directory Certificate Services, and click Restart.

Depending on the results from the procedures above and enabling CryptoAPI 2.0 Diagnostics, ensure that the CA publishes CRLs correctly and that they are available to the Online Responder service. 

External References
This rule does not contain any external references.
