IulianAciobanitei-6779 asked DaisyZhou-MSFT commented

OCSP Responder cannot find Keyset

Hi,

I am trying to configure an OCSP Responder on Windows Server 2016.
I managed to install the OCSP Responder role and the Revocation Configuration.

For the signing certificate, I created a CSR with certreq -New, signed it with an external CA and then used certreq -Accept to bind the cert to the private key.
When I assign the certificate to the Revocation Configuration, I receive the following error: Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)

If I use certutil -store my, I can see Signature test passed:

Serial Number: 6cdfdcd3ea7249059a930839
NotBefore: 15.07.2021 20:43
NotAfter: 15.07.2022 20:43
Subject: CN=***, C=RO
Non-root Certificate
Cert Hash(sha1): b700bb78841fdbf04201e8993a1ee78c3d99fd6f
Key Container = 3232281044959491735dbcae07eee658_b35742b4-3738-426e-b437-1650b03eb56b
Simple container name: tq-c437bd7f-a979-4b22-9c78-ca6c2e9d9ac3
Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

Also, in the Machine Key Store, I can see the certificate with the message: "You have a private key that corresponds to this certificate".

I also tried to create the key pair (certreq cmd) using another provider: Microsoft Enhanced Cryptographic Provider v1.0, but I received the same error.

Does anyone have any idea why I am facing this problem?

windows-server-2016

Hello @IulianAciobanitei-6779,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @IulianAciobanitei-6779,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


1 Answer

DaisyZhou-MSFT answered

Hello @IulianAciobanitei-6779,

Thank you for posting here.

What is the external CA you mentioned? Do you have Windows CA server?

Please check if the CA service starts.
[image: ca1.png]

If the CA service starts and runs normally, please run certutil -v -verifykeys to check if there is the same error message.

Maybe you will see "missing stored keyset" in the outputs.

Certutil -v -store my will tell you further if the CA keys are stored in a software-based CSP/KSP or on an HSM.


Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
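To turn the checks from this answer into one repeatable script, here is an added diagnostic (my own, not code from the thread or from Microsoft): it opens the signing key the way a service would, so a dangling key link shows up as the same NTE_BAD_KEYSET error, runs the two certutil commands, and lists who may read the key file behind the container. It assumes Windows PowerShell run elevated on the Online Responder host; the default thumbprint is the one from the question's certutil output.

```powershell
# Added diagnostic, not code from the thread. Assumes elevated Windows PowerShell
# on the Online Responder host and the thumbprint certutil -store my printed.
param([string]$Thumbprint = 'b700bb78841fdbf04201e8993a1ee78c3d99fd6f')

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My" }
"Subject:       $($cert.Subject)"
"HasPrivateKey: $($cert.HasPrivateKey)"   # true only means a key *link* exists

# 1. Open the key for real. A link to a container that cannot be opened
#    surfaces here as 'Keyset does not exist' (NTE_BAD_KEYSET), the same
#    error the Revocation Configuration reports.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    "Private key:   opened OK ($($rsa.KeySize)-bit via $($rsa.GetType().Name))"
} catch {
    "Private key:   FAILED - $($_.Exception.Message)"
}

# 2. The two certutil checks from the answer, reduced to the telling lines.
$store = certutil -v -store my $Thumbprint
$store | Select-String 'Key Container|container name|Provider =|Signature test|[Kk]eyset' |
    ForEach-Object { "certutil:      $($_.Line.Trim())" }
certutil -v -verifykeys 2>&1 | Select-String '[Kk]eyset|FAILED|passed' |
    ForEach-Object { "verifykeys:    $($_.Line.Trim())" }

# 3. Locate the key file behind the container and show who can read it.
#    CAPI providers (e.g. Microsoft Strong Cryptographic Provider) keep machine
#    keys under RSA\MachineKeys, CNG KSPs under Crypto\Keys. The Online
#    Responder service runs as NETWORK SERVICE, so that principal needs Read.
$names = $store | Select-String '(Key Container =|container name:)\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[2].Value }
$roots = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
         "$env:ProgramData\Microsoft\Crypto\Keys"
$files = Get-ChildItem -Path $roots -File -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name }
if (-not $files) {
    "Key file:      none of [$($names -join ', ')] found under the machine key roots"
}
foreach ($f in $files) {
    "Key file:      $($f.FullName)"
    (Get-Acl $f.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "  $($_.IdentityReference) : $($_.FileSystemRights)" }
}
```

If step 1 fails while certutil still reports "Signature test passed", the key exists but is not reachable from the context that needs it, which is what the ACL listing in step 3 is there to show.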
