Can't start AD Certificate Services - revocation server is offline
Hi all, I've installed a standalone root CA, then installed a subordinate enterprise CA in the AD domain. I sent a submission for a certificate to the root CA, then installed the certificate. I received a message saying that the root CA can't be trusted, but ignored it. Now I can't start AD CS: "The revocation function was unable to check revocation because the revocation server was offline". How can I start AD CS?
May 14th, 2009 10:12pm
You have to publish a new CRL from the root CA so that the sub CA can verify the certificates. Publish them manually into AD. Also verify the time on the CRLs. /Johan
May 15th, 2009 2:24pm
I've added the root CA's certificates and CRL to the local store and AD. Tried certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE, didn't help. But it seems like this command should fix the problem.
May 15th, 2009 2:40pm
Also verify the time on the CRLs. /Johan
Could you please specify how I can do this?
May 15th, 2009 3:08pm
Hi,
You can check the CDP extension in the CA Properties of the root CA:
1. On the root CA server, open the Certification Authority console.
2. In the console tree, right-click the name of the root CA and select Properties.
3. Click the Extensions tab.
Ensure that there is an LDAP CDP location and that the check box Publish CRLs to this location is selected. If so, manually publish the CRLs:
1. Open the Certification Authority console.
2. In the console tree, right-click Revoked Certificates, select All Tasks, and then select Publish.
After that, the sub CA should be able to start.
More Information:
Example Scenario for Contoso
http://technet.microsoft.com/en-us/library/cc779714(WS.10).aspx
Configure CDP and AIA Extensions
http://technet.microsoft.com/en-us/library/cc776904.aspx
May 19th, 2009 7:07am
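The same checks the replies above describe, done from the command line on the subordinate CA: look at the CRL's ThisUpdate/NextUpdate window (Johan's "verify the time"), put the root certificate and CRL in the local Root store and in AD, then run a chain check that actually fetches the CDP before restarting the CA service. This is an added example, not code from the thread; the paths C:\PKI\RootCA.crt, C:\PKI\RootCA.crl, C:\PKI\SubCA.crt and the name "Contoso Root CA" are assumptions, and the root CA's own CRL is assumed to have been exported and copied over first.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the
# subordinate CA, after copying the root CA certificate and its newest CRL from the
# offline root. Hypothetical paths and names are set in the param block.
param(
    [string]$RootCert = 'C:\PKI\RootCA.crt',   # root CA certificate (assumed path)
    [string]$RootCrl  = 'C:\PKI\RootCA.crl',   # latest CRL from the root (assumed path)
    [string]$SubCert  = 'C:\PKI\SubCA.crt',    # the sub CA's own certificate (assumed path)
    [string]$RootName = 'Contoso Root CA'      # CN of the root CA (assumed)
)

function Show-CrlValidity {
    # "Verify the time on the CRL": an offline root's CRL has its own NextUpdate date.
    # Once that date is in the past, chain building reports the revocation server as
    # offline even when the CDP itself is reachable, which is the error in the question.
    param([string]$Path)
    certutil -dump $Path | Select-String 'ThisUpdate|NextUpdate'
    'Local time now: {0}' -f (Get-Date)
}

function Add-RootToLocalStore {
    # Put the root certificate and CRL in the machine Root store; -f replaces a stale copy.
    param([string]$CertPath, [string]$CrlPath, [string]$Name)
    certutil -addstore -f Root $CertPath | Out-Null
    certutil -addstore -f Root $CrlPath  | Out-Null
    $found = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$Name*" }
    if (-not $found) { throw "Root certificate '$Name' is not in LocalMachine\Root" }
    $found | Select-Object Subject, NotAfter, Thumbprint
}

function Publish-RootToAd {
    # Publish into AD so the LDAP CDP/AIA locations in the sub CA's certificate resolve.
    # "RootCA" selects the Certification Authorities container for the certificate; the
    # CRL is placed under the CDP container derived from its issuer name.
    param([string]$CertPath, [string]$CrlPath)
    certutil -dspublish -f $CertPath RootCA
    certutil -dspublish -f $CrlPath
}

function Test-SubCaChain {
    # Drop cached CRLs so the check retrieves from the real CDP URLs, then build the
    # chain with -urlfetch. Returns $true only when certutil reports no chain error.
    param([string]$CertPath)
    certutil -urlcache crl delete | Out-Null
    $out = certutil -verify -urlfetch $CertPath
    $out
    $errors = $out | Select-String 'ERROR:|CRYPT_E_'
    return (($LASTEXITCODE -eq 0) -and -not $errors)
}

Show-CrlValidity -Path $RootCrl
Add-RootToLocalStore -CertPath $RootCert -CrlPath $RootCrl -Name $RootName
Publish-RootToAd -CertPath $RootCert -CrlPath $RootCrl

if (Test-SubCaChain -CertPath $SubCert) {
    Restart-Service certsvc
    Get-Service certsvc
} else {
    Write-Warning 'Chain check still fails. Publish a fresh CRL on the root CA (certutil -CRL),'
    Write-Warning 'copy it here and rerun, rather than hiding the failure with the flag below.'
    # Last resort while the root is being repaired: ignore an unreachable revocation server
    # when the CA verifies its own certificate chain. The registry key is ca\CRLFlags (with
    # the backslash), and the service must be restarted for a -setreg change to take effect.
    # certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    # Restart-Service certsvc
}
```

The order matters: a CRL whose NextUpdate has passed cannot be "fixed" on the sub CA at all, only by regenerating it on the root with certutil -CRL and publishing the new file, which is why the chain test runs before any service restart. The ignore-offline flag is left commented out deliberately; it removes revocation checking from the CA's own chain and should be reverted once the root's CRL is current again.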