CA certificate authority fails to start: revocation check Failed

Vadims, here's the output:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CompanyPolicyCA\CRLPublicationURLs:
  CRLPublicationURLs REG_MULTI_SZ =
    0: 128:http://certs.Company.com/CertData/%3%8%9.crl
       CSURL_ADDTOIDP -- 80 (128)
CertUtil: -getreg command completed successfully.
February 4th, 2012 9:09am

Wow, that is one of the worst configuration settings of all time. You need to run

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://certs.Company.com/CertData/%3%8%9.crl"

then

net stop certsvc && net start certsvc

then

certutil -crl

then manually copy the updated CRL from the %WINDIR%\system32\CertSrv\CertEnroll folder to the /certData folder on the certs.Company.com Web site. If there are multiple nodes on the site, you need to copy to each node.

Brian
February 4th, 2012 9:13am
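An added example, not code from the thread or from any of the posters: it reads CRLPublicationURLs the way Vadims asked for (certutil -getreg) and decodes the flag value in front of each URL, so the two gaps behind the "128:" entry above become visible: no 1 (CSURL_SERVERPUBLISH) means certutil -crl writes no file to that location, and no 2 (CSURL_ADDTOCERTCDP) means issued certificates carry no usable CDP. The CSURL_* names and values are the AD CS documented constants; the sample entry at the bottom is constructed from the output quoted in this thread.

```powershell
# Added example (not from the thread). CSURL_* bit values as documented for AD CS.
$CsUrlFlags = [ordered]@{
    1   = 'CSURL_SERVERPUBLISH'     # CA writes the CRL to this location on certutil -crl
    2   = 'CSURL_ADDTOCERTCDP'      # URL goes into the CDP extension of issued certs
    4   = 'CSURL_ADDTOFRESHESTCRL'
    8   = 'CSURL_ADDTOCRLCDP'
    16  = 'CSURL_PUBLISHRETRY'
    32  = 'CSURL_ADDTOCERTOCSP'
    64  = 'CSURL_SERVERPUBLISHDELTA'
    128 = 'CSURL_ADDTOIDP'          # only the IDP extension inside the CRL itself
}

function ConvertFrom-CrlPublicationUrl {
    # One "<flags>:<url>" entry as stored in the REG_MULTI_SZ value
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -notmatch '^(\d+):(.+)$') { throw "Unexpected entry format: $Entry" }
    $flags = [int]$Matches[1]; $url = $Matches[2]
    [pscustomobject]@{
        Url       = $url
        Flags     = $flags
        FlagNames = @($CsUrlFlags.Keys | Where-Object { $flags -band $_ } | ForEach-Object { $CsUrlFlags[$_] })
        Publishes = [bool]($flags -band 1)
        InCertCdp = [bool]($flags -band 2)
        IsHttp    = ($url -match '^https?://')
    }
}

function Test-CrlPublicationConfig {
    # Pass entries yourself, or omit them to read the local CA via certutil -getreg
    # (its output lists entries as "<n>: <flags>:<url>"; the CSURL_ lines are skipped).
    param([string[]]$Entries)
    if (-not $Entries) {
        $Entries = (certutil -getreg CA\CRLPublicationURLs | Select-String '^\s*\d+:\s*(\d+:.+)$').Matches |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    $decoded  = @($Entries | ForEach-Object { ConvertFrom-CrlPublicationUrl $_ })
    $problems = @()
    if (-not ($decoded | Where-Object Publishes)) {
        $problems += 'No location has CSURL_SERVERPUBLISH: certutil -crl writes no CRL file anywhere'
    }
    if (-not ($decoded | Where-Object { $_.IsHttp -and $_.InCertCdp })) {
        $problems += 'No HTTP URL has CSURL_ADDTOCERTCDP: issued certificates get no reachable CDP'
    }
    [pscustomobject]@{ Entries = $decoded; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

# Constructed sample matching the thread's output: only ADDTOIDP on the HTTP URL
Test-CrlPublicationConfig -Entries @('128:http://certs.Company.com/CertData/%3%8%9.crl') | Format-List
```

Run it again after Brian's corrected setreg command and both problems disappear, since the first entry carries 1 and the HTTP entry carries 2.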

It looks like that did it! Thanks for the help. I am definitely trying to get a grasp on this PKI info. I actually have one of your books, Brian, and it's helped a lot: "Windows Server 2008 PKI and Certificate Security." Also thanks Vadims for your help as well. So I need to basically script running the certutil -crl command and copying the new CRL file to the webserver prior to the expiration date, correct?
February 4th, 2012 10:10am

I am new to certificate authorities. I just built a 3-tier CA and everything was running well until I tried to stop and start my CA authority on my issuing CA. I get the error:

---------------------------
Microsoft Active Directory Certificate Services
---------------------------
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
---------------------------

My certificate servers are all standalone CAs, not AD integrated. I investigated further and realized that my issuing and policy CAs are generating the same error during startup. My Root CA will stop and start without this issue. I looked at one blog telling me to run the following command based on the error:

certutil -verify -urlfetch C:\filename.cer >urlfetch.txt

I ran the command on my PolicyCA certificate (as I figured that needs to work prior to the Issuing one) and this is the output I got:

Issuer:
    CN=CompanyRootCA
    O=Company Corporation
    C=US
Subject:
    CN=CompanyPolicyCA
    O=Company Corporation
    C=US
Cert Serial Number: 610836c8000000000002

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=CompanyRootCA, O=Company Corporation, C=US
  NotBefore: 1/17/2012 11:29 AM
  NotAfter: 1/17/2022 11:39 AM
  Subject: CN=CompanyPolicyCA, O=Company Corporation, C=US
  Serial: 610836c8000000000002
  Template: SubCA
  56 36 fa 04 8b e9 d4 f1 de 6a da 2b 2a 37 ab 65 34 5b ab 29
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certs.Company.com/CertData/CompanyRootCA.crt
  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (01)" Time: 0
    [0.0] http://certs.Company.com/CertData/CompanyRootCA.crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=CompanyRootCA, O=Company Corporation, C=US
  NotBefore: 1/17/2012 10:58 AM
  NotAfter: 1/17/2032 11:08 AM
  Subject: CN=CompanyRootCA, O=Company Corporation, C=US
  Serial: 3fa6e572f4f613a843e652a24fa9727c
  56 4a 2e ca 96 84 c5 f1 f8 17 86 fa 38 2d 44 b2 b8 e0 5e 30
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
Exclude leaf cert:
  56 36 fa 04 8b e9 d4 f1 de 6a da 2b 2a 37 ab 65 34 5b ab 29
Full chain:
  83 3f ba 59 4e df 51 c8 64 ad 09 27 bd c8 ff d4 c4 4a 2a 48
  Issuer: CN=CompanyRootCA, O=Company Corporation, C=US
  NotBefore: 1/17/2012 11:29 AM
  NotAfter: 1/17/2022 11:39 AM
  Subject: CN=CompanyPolicyCA, O=Company Corporation, C=US
  Serial: 610836c8000000000002
  Template: SubCA
  56 36 fa 04 8b e9 d4 f1 de 6a da 2b 2a 37 ab 65 34 5b ab 29
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

After reviewing the information it looks as though the CDP file has expired. I'm not sure how to resolve this, and also why should a CRL expire if the certificate has been issued from a RootCA? I'm planning on keeping that server offline. I tried to temporarily disable revocation checking and no dice. I also made sure that the webserver address was valid from each CA. I'm successfully able to download the CRL and CRT files. Any help is appreciated.

Referenced blogs: http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
February 4th, 2012 10:23am

It seems that your PolicyCA doesn't trust your root CA. You need to add the root CA certificate to the Trusted Root CAs container on the Policy CA:

certutil -addstore -f Root RootCACert.crt

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
February 4th, 2012 10:51am

I did that and I still get the revocation error. I believe my issue may be with the CRL and AIA?

Issuer:
    CN=companyRootCA
    O=company Corporation
    C=US
Subject:
    CN=companyPolicyCA
    O=company Corporation
    C=US
Cert Serial Number: 610836c8000000000002

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 8 Days, 23 Hours, 53 Minutes, 26 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 8 Days, 23 Hours, 53 Minutes, 26 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=companyRootCA, O=company Corporation, C=US
  NotBefore: 1/17/2012 11:29 AM
  NotAfter: 1/17/2022 11:39 AM
  Subject: CN=companyPolicyCA, O=company Corporation, C=US
  Serial: 610836c8000000000002
  Template: SubCA
  56 36 fa 04 8b e9 d4 f1 de 6a da 2b 2a 37 ab 65 34 5b ab 29
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certs.company.com/CertData/companyRootCA.crt
  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (01)" Time: 0
    [0.0] http://certs.company.com/CertData/companyRootCA.crl
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 01:
  Issuer: CN=companyRootCA, O=company Corporation, C=US
  c1 34 32 f2 49 54 db fe ce e7 24 d4 e9 f7 0b 0c 1c 63 fa 35
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=companyRootCA, O=company Corporation, C=US
  NotBefore: 1/17/2012 10:58 AM
  NotAfter: 1/17/2032 11:08 AM
  Subject: CN=companyRootCA, O=company Corporation, C=US
  Serial: 3fa6e572f4f613a843e652a24fa9727c
  56 4a 2e ca 96 84 c5 f1 f8 17 86 fa 38 2d 44 b2 b8 e0 5e 30
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
Exclude leaf cert:
  7e 01 0f 30 dd e6 3a f4 ed bc dc 30 5c ee 7f ed 50 5f 5c 83
Full chain:
  a1 8f 9c c5 77 6c e2 63 c5 e7 77 ce ff aa aa ca 1c 5c 8b 0f
  Issuer: CN=companyRootCA, O=company Corporation, C=US
  NotBefore: 1/17/2012 11:29 AM
  NotAfter: 1/17/2022 11:39 AM
  Subject: CN=companyPolicyCA, O=company Corporation, C=US
  Serial: 610836c8000000000002
  Template: SubCA
  56 36 fa 04 8b e9 d4 f1 de 6a da 2b 2a 37 ab 65 34 5b ab 29
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
February 4th, 2012 11:01am

You need to publish an updated Root CA CRL:

Expired "Base CRL (01)" Time: 0
  [0.0] http://certs.company.com/CertData/companyRootCA.crl

This is performed at the Root CA. Then you must copy the companyRootCA.crl file manually to the certs.company.com Web server(s) and copy it to the /CertData folder.

Brian
February 4th, 2012 1:31pm

Brian, I went to look at the CompanyRootCA.CRL file and it's old on the Root CA. It was created 1/17 and within the file it says the next one will be 1/24, which has already passed. It looks like the file is identical to what is in http://certs.company.com/CertData/. Is there a way to manually kick off a new CRL creation? I'm looking in c:\windows\system32\certsrv\certenroll on the RootCA.
February 4th, 2012 1:52pm

On Thu, 26 Jan 2012 18:46:33 +0000, Jblaa wrote:

> I went to look at the CompanyRootCA.CRL file and it's old on the Root CA. It was created 1/17 and within the file it says the next one will be 1/24 which has already passed. It looks like the file is identical to what is in http://certs.company.com/CertData/. Is there a way to manually kick off a new CRL creation?

On the Root CA, either through the Certification Authority console or certutil -crl.

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Computers are useless. They can only give you answers. -- Pablo Picasso
February 4th, 2012 2:31pm

If it is an offline CA, it is not supposed to be connected to the network ;-) But, yes, you could do that... I wouldn't. I would do a script that copies everything to a USB stick with the necessary scripts to publish to the web server, but run that script from, say, the issuing CA, not from the root CA.

Brian
February 4th, 2012 2:36pm
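An added example of the script Brian describes; it is not from the thread and not anyone's production script. It is meant to run on the issuing CA or an admin workstation, never on the offline root: it reads NextUpdate from the CRL carried over on removable media, refuses an already-expired file, copies it into the web server's CertData folder only if it is newer than what is there, and then re-fetches the CRL through the CDP URL the CAs actually use to confirm freshness. The USB path, the UNC share, the CDP URL and the parsing of certutil -dump's "NextUpdate:" line are all assumptions; the monitoring part (Test-CrlFreshness) also answers the earlier question about scripting the copy before the expiration date.

```powershell
# Added example (not from the thread). Requires PowerShell 3+ for Invoke-WebRequest.
function Get-CrlNextUpdate {
    # Assumes certutil -dump prints a "NextUpdate: <date>" line for a CRL file
    param([Parameter(Mandatory)][string]$Path)
    $dump = certutil -dump $Path 2>&1 | Out-String
    if ($dump -notmatch 'NextUpdate:\s*(.+)') {
        throw "No NextUpdate found in $Path (certutil exit code $LASTEXITCODE)"
    }
    [datetime]::Parse($Matches[1].Trim())   # same culture as certutil's output
}

function Test-CrlFreshness {
    # Run this on a schedule against the CDP URL: Stale=True means publish soon
    param([Parameter(Mandatory)][string]$Path, [int]$WarnDays = 7)
    $next = Get-CrlNextUpdate -Path $Path
    $left = ($next - (Get-Date)).TotalDays
    [pscustomobject]@{
        Path       = $Path
        NextUpdate = $next
        DaysLeft   = [math]::Round($left, 1)
        Stale      = ($left -lt $WarnDays)
    }
}

function Publish-RootCrl {
    param(
        [string]$Source   = 'E:\CertData\companyRootCA.crl',                    # USB stick (placeholder)
        [string]$WebShare = '\\certs.company.com\CertData',                     # web root share (placeholder)
        [string]$CdpUrl   = 'http://certs.company.com/CertData/companyRootCA.crl'
    )
    $new = Get-CrlNextUpdate -Path $Source
    if ($new -lt (Get-Date)) {
        throw "CRL at $Source already expired ($new); run certutil -crl on the root CA first"
    }
    $dest = Join-Path $WebShare (Split-Path $Source -Leaf)
    if (Test-Path $dest) {
        $old = Get-CrlNextUpdate -Path $dest
        if ($new -le $old) { Write-Warning "CRL on $dest ($old) is not older; nothing copied"; return }
    }
    Copy-Item -Path $Source -Destination $dest -Force
    # Verify through the CDP URL, not just the share: that is what the CAs fetch at startup
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    Invoke-WebRequest -Uri $CdpUrl -OutFile $tmp -UseBasicParsing
    Test-CrlFreshness -Path $tmp
}

Publish-RootCrl
```

If the site has several nodes, as Brian notes, call Publish-RootCrl once per node's share and keep the single CDP-URL check at the end.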

I ran that command and it completed successfully, stopped/restarted the CA. I went again into the c:\windows\system32\certsrv\certenroll on the RootCA folder and I don't see a new CRL. It's still the old one that expired on 1/24. Is there a way to dump it to a specific location?
February 4th, 2012 2:37pm

How often should I expect to have to do that, or make sure the script is running? Is there a setting that tells me how long? I think I remember something about 2 weeks.
February 4th, 2012 2:45pm

If it is truly an offline root CA, you should be doing more like 6 months to a year. You can run

certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 1
net stop certsvc && net start certsvc

If you want to go with 6 months, change to "Months" and 6.

Brian
February 4th, 2012 2:55pm

Can you display the output of the command:

certutil -getreg ca\crlpublicationurls

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
February 5th, 2012 2:31am
