Can't start AD Certification services - revocation server's offline
Hi all, I've installed a standalone root CA, then installed a subordinate enterprise CA in an AD domain. I sent a submission for a certificate to the root CA, then installed the certificate. Received a message saying that the root CA can't be trusted, but ignored it. Now I can't start AD CS: "The revocation function was unable to check revocation because the revocation server was offline". How can I start AD CS?
May 14th, 2009 10:12pm

You have to publish a new CRL-list from the ROOT-CA so that the Sub-CA can verify the certificates. Publish them manually into the AD. Also verify the time on the CRL-Lists.
/Johan
May 15th, 2009 2:24pm

I've added the Root CA's certificates and CRL to the local store and AD. Tried certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE; it didn't help. But it seems like this command should fix the problem.
May 15th, 2009 2:40pm

"Also verify the time on the CRL-Lists. /Johan"
Could you please specify how I can do this?
May 15th, 2009 3:08pm

Hi,

You can check the CDP extension in the CA Properties of the root CA:

1. On the Root CA server, open the Certification Authority console.
2. In the console tree, right-click the name of the Root CA and select Properties.
3. Click the Extensions tab. Ensure that there is an LDAP CDP location and that the check box "Publish CRLs to this location" is selected.

If so, manually publish the CRLs:

1. Open the Certification Authority console.
2. In the console tree, right-click Revoked Certificates, select All Tasks, and then select Publish.

After that, the Sub CA should be able to start.

More Information:
Example Scenario for Contoso: http://technet.microsoft.com/en-us/library/cc779714(WS.10).aspx
Configure CDP and AIA Extensions: http://technet.microsoft.com/en-us/library/cc776904.aspx
May 19th, 2009 7:07am
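
A command-line version of the checks discussed in this thread (CRL validity time, publishing to AD, revocation reachability), as an added example that is not part of any poster's reply. The file paths and the ROOTCA01 container name are assumptions; run it on the subordinate CA with the root CA's CRL and the subordinate CA's certificate copied locally.

```powershell
# Assumptions (hypothetical values): files copied from the offline root CA,
# and ROOTCA01 as the root CA host name used for the CDP container in AD.
$RootCrl    = 'C:\pki\RootCA.crl'
$SubCaCert  = 'C:\pki\SubCA.cer'
$RootCaHost = 'ROOTCA01'

# 1. "Verify the time on the CRL": show its validity window next to the
#    local clock. A NextUpdate in the past, or a ThisUpdate in the future
#    (clock skew between the CAs), makes the CRL unusable.
#    Field names below match English-language certutil output.
certutil -dump $RootCrl | Select-String 'ThisUpdate|NextUpdate'
"Local time: $(Get-Date)"

# 2. Publish the root CRL to Active Directory. This needs write access to
#    the Configuration container (normally Enterprise Admins).
certutil -f -dspublish $RootCrl $RootCaHost
if ($LASTEXITCODE -ne 0) { throw "dspublish failed: $LASTEXITCODE" }

# 3. Build the subordinate CA's chain and fetch every CDP and AIA URL in it.
#    This reproduces the revocation check that AD CS performs at startup.
$verify = certutil -verify -urlfetch $SubCaCert
$verify
if ($LASTEXITCODE -ne 0 -or ($verify -match 'CRYPT_E_REVOCATION_OFFLINE')) {
    throw 'Revocation check still fails; fix the CDP location before starting AD CS.'
}

# 4. Start the CA service only after the chain verifies cleanly.
Start-Service -Name CertSvc
Get-Service   -Name CertSvc
```

If CRLF_REVCHECK_IGNORE_OFFLINE was set during troubleshooting, certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE followed by a service restart restores the startup revocation check.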
