Event ID - 26

Event ID: 26
Source: Microsoft-Windows-OnlineResponder
Description: Online Responder Service: For configuration %1, the signing certificate has expired. Any OCSP request for this configuration will be rejected.
Event Information: According to Microsoft:
Cause :
This event is logged when the signing certificate has expired.
Resolution :
Renew the expired signing certificate for an Online Responder
If a signing certificate for an Online Responder expires, complete the procedure in the "Renew an OCSP Response Signing Certificate" section.
If the certificate renewal process fails, take the following actions:
  • Confirm that a CA is accessible.
  • Confirm certificate template permissions.
  • Confirm that the OCSP Response Signing certificate template is available for use by the CA.
If renewal of the OCSP Response Signing certificate is successful but the certificate cannot be used by the Online Responder service, use the procedure in the "Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE" section.
Finally, to minimize the likelihood that this event will recur, you may also want to lengthen the certificate renewal reminder period by using the procedure in the "Modify the certificate renewal reminder period" section.
To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.
    Renew an OCSP Response Signing certificate
    To renew an OCSP Response Signing certificate:
    1. Click Start, type mmc, and then press ENTER.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
    4. Click Computer account, and click Next.
    5. Select the computer hosting the CA, click Finish, and then click OK.
    6. In the console tree, double-click Certificates, and then double-click Personal.
    7. Right-click Certificates, point to All Tasks, and click Renew Certificate with New Key to start the Certificate Renewal Wizard.
    8. Use the wizard to complete the enrollment process.
    Note : The previous procedure assumes that the OCSP Response Signing certificate was configured for manual enrollment and renewal. If the OCSP Response Signing certificate template was configured for autoenrollment and renewal, you can use the same procedure but open the Certificates snap-in for the Online Responder service account rather than the computer account.
    Confirm that a CA is accessible
    To confirm that a CA is accessible by a client:
    1. Open a command prompt window.
    2. Type certutil -ping -config <computer\user> and press ENTER.
    Note : If you use -config -, the operation is processed by using the default CA. You must specify the computer or user with permission to enroll for certificates from the CA when you use the -config option. Otherwise, the Select Certification Authority dialog box appears and displays a list of all CAs that are available.
    Confirm certificate template permissions
    To confirm that the computer on which the Online Responder has been installed has Read and Enroll permissions on the OCSP Response Signing certificate template:
    1. On the computer hosting the CA, click Start, type certtmpl.msc, and press ENTER to open the Certificate Templates snap-in.
    2. Right-click the OCSP Response Signing certificate template, and then click Properties.
    3. Click the Security tab to confirm that the computer hosting the Online Responder has Read and Enroll permissions.
    Confirm that a certificate template is available to a CA
    To publish a certificate template:
    1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
    2. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
    3. Select the certificate template, and click OK.
    Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE
    To ensure that the private key for the OCSP Response Signing certificate is accessible to NETWORK SERVICE:
    1. Click Start, type mmc, and then press ENTER.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
    4. Click Computer account, and click Next.
    5. Select the computer hosting the Online Responder, click Finish, and then click OK.
    6. In the console tree, double-click Certificates, double-click Personal, and click Certificates.
    7. In the details pane, click OCSP Response Signing.
    8. On the Actions menu, point to All Tasks, and click Manage Private Keys.
    9. Click Add, type NETWORK SERVICE, and then click OK.
    10. Ensure that only the Read permission is allowed for NETWORK SERVICE, and then click OK.
    11. Restart the Online Responder service.
    If the OCSP Response Signing certificate is not valid for signature purposes, enroll for a certificate that includes the id-kp-OCSPSigning Extended Key Usage (EKU), labeled OCSP Signing (1.3.6.1.5.5.7.3.9).
    Modify the certificate renewal reminder period
    To modify the certificate renewal reminder period:
    Caution : Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
    1. Click Start, type regedit, and then press ENTER.
    2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OcspSvc\Responder\
    3. Add a DWORD registry key named ReminderDuration under this root.
    4. Enter a value between 1 and 100 to indicate the desired percentage.
    5. Stop and restart the Online Responder service to implement the new renewal reminder value.
    Note : The reminder duration is an Online Responder-wide property, expressed as a percentage of the certificate lifetime. The default value is 90 percent of the certificate lifetime, but this value can be modified in the registry.
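The check below is an added example, not part of the Microsoft procedure or the original page: it lists certificates in the local computer's Personal store that carry the OCSP Signing EKU (1.3.6.1.5.5.7.3.9) and reports whether each is expired or past the renewal reminder point. The function names are hypothetical, and it assumes the reminder point is NotBefore plus ReminderDuration percent of the certificate lifetime, with the 90 percent default when the registry value is absent.

```powershell
# Added example: audit OCSP Response Signing certificates on the Online Responder host.
# Run from an elevated PowerShell session. Function names are hypothetical.

$OcspSigningOid = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning EKU
$ResponderKey   = 'HKLM:\System\CurrentControlSet\Services\OcspSvc\Responder'

function Get-ReminderPercent {
    # ReminderDuration is optional; fall back to the documented default of 90 percent.
    $item = Get-ItemProperty -Path $ResponderKey -Name ReminderDuration -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.ReminderDuration -ge 1 -and $item.ReminderDuration -le 100) {
        return [int]$item.ReminderDuration
    }
    return 90
}

function Get-OcspSigningCertStatus {
    param(
        [int]$ReminderPercent = (Get-ReminderPercent),
        [datetime]$Now = (Get-Date)
    )
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $OcspSigningOid } |
        ForEach-Object {
            $lifetime = $_.NotAfter - $_.NotBefore
            # Assumption: reminder point = NotBefore + (percent of lifetime).
            $remindAt = $_.NotBefore.AddTicks([long]($lifetime.Ticks * $ReminderPercent / 100))
            if ($Now -gt $_.NotAfter) {
                $status = 'Expired'        # the condition behind Event ID 26
            } elseif ($Now -lt $_.NotBefore) {
                $status = 'NotYetValid'
            } elseif ($Now -ge $remindAt) {
                $status = 'RenewalDue'
            } else {
                $status = 'OK'
            }
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                RemindAt      = $remindAt
                HasPrivateKey = $_.HasPrivateKey
                Status        = $status
            }
        }
}

Get-OcspSigningCertStatus | Format-Table -AutoSize
```

A certificate reported with HasPrivateKey set to False, or one that is valid here while the service still logs Event ID 26, points back to the NETWORK SERVICE private key access procedure above.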
Reference Links: Event ID 26 from Source Microsoft-Windows-OnlineResponder
