Troubleshooting

Use the following table to troubleshoot the error messages shown.

Problem Cause Resolution

Problem	Cause	Resolution
Online Responder reports Bad Signing Certificate on Array Controller.	This error shows that the OCSP Signing key or certificate cannot be used by the Responder.	Ensure that the steps above have been correctly carried out. Also, ensure that the CA is correctly configured and that a valid CA certificate exists for OCSP Signing.
Using `certutil -url <certnamehere.cer>` and selecting Certs (from AIA) shows an entry in the list called AIA with Failed next to it.	This error shows that there is a problem with the certificate location.	Check the suggested location to ensure that the CA certificate is both published and named correctly as per the URI specified in the AIA field.
Using the `certreq -new <.req file here>` command returns an Invalid Provider Specified error.	This error occurs when the CSPs are not installed and set up on the client machine or not set up correctly.	Ensure that the nCipher CAPI CSP and nCipher CNG CSP providers are correctly installed and set. (Do this by running the CSP Install Wizard and CNG Configuration Wizard under nCipher in the Start menu).
When using the CAPI or CNG wizard to access a private key protected by an OCS with password, you are prompted multiple times to enter the password.	This error is due to a problem in Windows Server 2012.	Contact Microsoft.
When presenting a Java card OCS (V12 onwards only), the AD CS Configuration Wizard does not detect the OCS. `cardpp --examine` shows TokenSecureChannelError.	TokenSecureChannelError can occasionally be seen when presenting a Java card OCS.	Remove and re-insert the OCS until it is picked up by `cardpp` and the AD CS Configuration Wizard.

Online Responder reports Bad Signing Certificate on Array Controller.

This error shows that the OCSP Signing key or certificate cannot be used by the Responder.

Ensure that the steps above have been correctly carried out. Also, ensure that the CA is correctly configured and that a valid CA certificate exists for OCSP Signing.

Using

certutil -url <certnamehere.cer>

and selecting Certs (from AIA) shows an entry in the list called AIA with Failed next to it.

This error shows that there is a problem with the certificate location.

Check the suggested location to ensure that the CA certificate is both published and named correctly as per the URI specified in the AIA field.

Using the certreq -new <.req file here> command returns an Invalid Provider Specified error.

This error occurs when the CSPs are not installed and set up on the client machine or not set up correctly.

Ensure that the nCipher CAPI CSP and nCipher CNG CSP providers are correctly installed and set. (Do this by running the CSP Install Wizard and CNG Configuration Wizard under nCipher in the Start menu).

When using the CAPI or CNG wizard to access a private key protected by an OCS with password, you are prompted multiple times to enter the password.

This error is due to a problem in Windows Server 2012.

Contact Microsoft.

When presenting a Java card OCS (V12 onwards only), the AD CS Configuration Wizard does not detect the OCS. cardpp --examine shows TokenSecureChannelError.

TokenSecureChannelError can occasionally be seen when presenting a Java card OCS.

Remove and re-insert the OCS until it is picked up by cardpp and the AD CS Configuration Wizard.