Changing the storage engine, which only happens as part of FCBIS, takes the StorageChangeLock, which blocks OperationContexts from being created. But as part of the storage engine change, if encryption-at-rest is enabled, the newly created storage engine needs the master encryption key for the encrypted database. If KMIP is set up, the storage engine will attempt to fetch the encryption key from the KMIP server. If in addition, OCSP is enabled and the client certificate used to connect to the KMIP server has an OCSP URI, OCSP verification will be run to check that the certificate sent by the KMIP server is valid. However, the way that this work is scheduled will currently try to create an OperationContext before proceeding to this validation. Therefore, this combination of FCBIS + ESE + KMIP + OCSP will deadlock.

The ReadThroughCache is the one that creates OpCtxs. Instead of using a RTC for OCSP, we will instead remove the RTC and use a normal LRU cache in front of our OCSP fetch mechanism.