Event ID - 27

Event Id27
SourceMicrosoft-Windows-OnlineResponder
DescriptionOnline Responder Services: For configuration %1, the signing certificate was not updated.(%2)
Event InformationAccording to Microsoft :
Cause :
This event is logged when the signing certificate was not updated.
Resolution :
Request a signing certificate for an Online Responder
To resolve this problem:
Follow the procedure in the "Renew the signing certificate for an Online Responder" section.
If necessary, enable the renewal of the OCSP Response Signing certificate with an existing key by following the procedure in the "Enable the renewal of OCSP Response Signing certificates by using existing CA keys" section.
To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.
Renew the signing certificate for an Online Responder
To renew the signing certificate for an Online Responder:
1.Click Start, type mmc, and then press ENTER.
2.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3.On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
4.Click Computer account, and click Next.
5.Select the computer hosting the Online Responder, click Finish, and then click OK.
6.In the console tree, double-click Certificates, and then double-click Personal.
7.In the details pane, right-click Certificates, point to All Tasks, and click Renew Certificate with New Key to start the Certificate Renewal Wizard.
8.Complete the steps in the wizard.
Enable the renewal of OCSP Response Signing certificates by using existing CA keys
To allow the renewal of OCSP Response Signing certificates by using existing CA keys:
1.On the CA computer, open a command prompt window.
2.Type certutil -setreg ca\UseDefinedCACertInRequest and press ENTER.
3.Restart the CA service.
Verify
An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:
Issue new certificates.
Revoke a certificate.
Publish a CRL.
Remove CRL distribution point extensions from the issuing CA.
Confirm that client computers can still obtain revocation data.
To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.
Issue new certificates
To issue new certificates:
1.On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
2.Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.
3.When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.
4.On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.
Revoke a certificate
To revoke a certificate:
1.On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
2.In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
3.On the Action menu, point to All Tasks, and then click Revoke Certificate.
4.Select the reason for revoking the certificate, and click Yes
Publish a CRL
To publish a CRL:
1.On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
2.In the console tree, click Revoked Certificates.
3.On the Action menu, point to All Tasks, and then click Publish.
Remove all CRL distribution point extensions from the issuing CA
To remove all CRL distribution point extensions from the issuing CA:
1.On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
2.Select the CA.
3.On the Action menu, click Properties.
4.On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
5.Click any CRL distribution points that are listed, click Remove, and click OK.
6.Stop and restart the CA.
7.Configure a new certificate template, and complete autoenrollment again.
Confirm that client computers can obtain revocation data
To confirm that client computers can obtain revocation data:
1.Click Startmmc, and then press ENTER.
2.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3.On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
4.Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.
5.Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer file.
6.Open a command prompt window.
7.Type certutil -url and press ENTER.
8.In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.
Reference LinksEvent ID 27 from Source Microsoft-Windows-OnlineResponder

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.