OCSP Responder - Error in pkiview.msc
I've got a similar issue as in this thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/86c46217-fa7a-456b-9fc7-c0e9cdfdf904
I see OCSP error in the PKIview.
I checked the OCSP configuration and found that the OCSP certificate is expired. The validity period for this certificate is 2 weeks.
The responder is located on an internal server, but published under another name (pki.company.com).
I duplicated the OCSP template following this guide:
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx#BKMK_AS3
Since I need a custom CN in the OCSP signing certificate (my CN/DNS in the SAN should be pki.company.com), I changed the template and chose "Supply in the request".
I.e. I should manually provide the CN/DNS in the request. Autoenroll will not work for this template. I didn't change the validity period; it's 2 weeks by default.
My questions:
1. Is there any reason to have a 2-week validity period for the OCSP signing certificate? If I change that to 2 years, it will fix my issue.
2. Can I create an OCSP template with a specific CN/SAN DNS? How do I do it? I need autoenrollment for this template because the certificate should be renewed every 2 weeks.
Thanks
July 28th, 2010 3:20pm
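An added monitoring check, not code from the thread: a PowerShell snippet that lists certificates carrying the OCSP Signing EKU in the responder's machine store and flags any that are past or close to expiry, which is the condition pkiview.msc surfaces above. The warning threshold and the store path are assumed values.

```powershell
# Added example: report OCSP Response Signing certificates and their remaining lifetime.
# With a 2-week certificate lifetime, a single missed renewal (e.g. a template set to
# "Supply in the request", which blocks autoenrollment) leaves the responder unable to sign.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',  # assumption: responder's personal store
    [int]$WarnDays = 3                              # assumption: warn below this many days
)

# id-kp-OCSPSigning, the EKU that marks an OCSP response signing certificate
$OcspSigningOid = '1.3.6.1.5.5.7.3.9'

function Test-HasOcspSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $OcspSigningOid) { return $true }
            }
        }
    }
    return $false
}

function Get-OcspSigningCertStatus {
    param([string]$StorePath, [int]$WarnDays)
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { Test-HasOcspSigningEku -Cert $_ } |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                     elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                     else { 'OK' }
            [pscustomobject]@{
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                LifetimeDays = [math]::Round(($_.NotAfter - $_.NotBefore).TotalDays)
                DaysLeft     = $daysLeft
                State        = $state
            }
        }
}

$results = Get-OcspSigningCertStatus -StorePath $StorePath -WarnDays $WarnDays
if (-not $results) {
    Write-Warning "No certificate with the OCSP Signing EKU found in $StorePath; the responder cannot sign responses."
} else {
    $results | Sort-Object NotAfter | Format-Table -AutoSize
}
```

Run it on the Online Responder host; a LifetimeDays value of 14 together with an EXPIRED or EXPIRING state reproduces the situation described in the question.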
Actually, the subject of the OCSP Signing certificate is not required to be the same as the OCSP responder URL. So you can use standard reenrollment for OCSP.
http://en-us.sysadmins.lv
July 28th, 2010 6:47pm
The issue was with IIS configuration.
July 28th, 2010 7:22pm