CertSvc won't start, invalid root cert, outside validity period
I'm not sure how this happened, but Certificate Services won't start. Win2k3, Standard. Single Root authority CA (small office). Cert Services isn't running. If I try and start it, I get Event 58, Source CertSvc, followed by 100:

Certificate Services did not start: Could not load or verify the current CA certificate. MyCorp, Inc A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).
A certificate in the chain for CA certificate 2 for MyCorp, Inc has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

If I run CertUtil -verify I get these errors:

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
...
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

I *think* it's technically correct about the date, but with an out of date CA cert, how do I get the service started?? Seems like a mess.

I did a bunch of web searches but didn't get many hits that applied. I checked KB articles 825061 and 969302, but they didn't seem to apply.

We've always had the same 'name' CA Root, although this is the 3rd server with the same physical name, per the normal routine of replacing failed hardware for the CA Root. I don't follow the best practice of using a subordinate CA; mostly, as we don't have that many servers (originally just 2), it seemed like overkill. So I don't think the 'revocation server is offline' issue applies (the KB articles). I mean, that's a chicken and the egg thing: how could the CA Root check its own revocation if it won't start?

Any ideas? Some of our web developers have expired certs now as well and can't renew, and I have a bad feeling this will start messing up a lot of stuff.

== John ==
May 22nd, 2009 1:47am

Hi, According to the error message, it seems that the CA certificate has expired. If so, please renew the CA certificate and check the result. In addition, please make sure that the root CA certificate has been imported into the Trusted Root Certification Authorities store.
May 26th, 2009 6:00am

Joson: That doesn't make any sense. If I can't start the CA, how could I renew the cert!!! If I try to renew the cert, I get an error that no CA is online, which would be the expected result. Catch-22. The root CA cert was imported.

== John ==
May 26th, 2009 6:59am

As per the error description, it seems that the Root CA certificate is not trusted. Have you made sure that the Root CA certificate is placed in the Trusted Root Certification Authorities store of the local machine's certificate store?
May 26th, 2009 6:13pm

Yes, the Root CA certificate is placed in the Trusted Root Certification Authorities store in the local machine cert store (it's expired too). The CA service is autostart; not sure why it didn't autorenew. But in any event, I'm still in the same mess. I can't renew either unless the CA starts, and it won't start because the cert needs renewal.

== John ==
May 26th, 2009 6:38pm

Hi John, How do you renew the CA certificate? A Root CA certificate is a self-signed certificate; you should be able to renew it even though the CertSvc service cannot start. In fact, we need to stop the service to renew the CA certificate. In this case, I suspect that it is a subordinate CA. Therefore, it needs to contact the Root CA to renew its CA certificate. To verify the CA type, please check the registry entry CAType:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>\
CAType = 0 (This means it is installed as Enterprise Root CA)
CAType = 1 (This means it is installed as Enterprise Subordinate CA)
CAType = 3 (This means it is installed as Stand Alone CA)
CAType = 4 (This means it is installed as Stand Alone Subordinate CA)

If the registry entry indicates that this CA is a Root CA, please try to renew the CA certificate again, capture the whole error message and paste it here for further research.
May 27th, 2009 8:50am

Hi John, what do you mean by "If I can't start the CA how could I renew the cert!!!"? That means the service isn't getting started, and Joson is correct: we need to renew the root CA certificate. Can you run the below command and check:

certutil setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

and then try restarting the service.

sainath windows driver development.
May 27th, 2009 9:35am

>> which means that service isn't getting started <<

Correct, which is the VERY FIRST statement I made in this thread ... lol

If I use the flag you gave me, the CertService starts but immediately stops, with the same 2 errors as originally described. So the Cert Service won't start, so it's pretty difficult to renew anything if the service won't start.

== John ==
May 27th, 2009 9:53am

Ok, so just to be clear:

The problem is that the CA root certificate is expired.
Cert Services won't start because of this, even with the flag CRLF_REVCHECK_IGNORE_OFFLINE.
To renew the Cert services, I have to be able to start the service.
There is only 1 Cert Server in the Domain.

Any ideas? What if I set the server clock back by about 3 months, will that mess up anything else?

How do I prevent that from happening in the future? The CA authority cert doesn't auto-renew?

== John ==
May 29th, 2009 8:12am

Hi, Could you please confirm the value of the registry entry CAType on the CA server?
May 29th, 2009 9:28am

Sure, CAType is 0 (0x0).Thanks,== John ==
May 29th, 2009 9:41am

Hi, Thanks for your update. Now, please open the Certification Authority console on the CA server, right-click the CA name, and then select Renew CA Certificate to renew the CA certificate (Note: you do not need to start the service). If you encounter any error, please capture the whole message and paste it here for further research. Thanks.
May 29th, 2009 10:51am

Ah ... I was trying to renew the CA cert from the Certificates MMC. I didn't realize that menu option was there. That worked, thanks! I renewed it with the same key, and the service now starts.

Now - how do we avoid this next time? Doesn't the CA cert auto-renew?

== John ==
May 29th, 2009 5:46pm

Hi, Thank you for your reply. I am afraid that you need to manually renew the CA certificate before it expires. For more information, you can refer to the following article: Renewing a certification authority http://technet.microsoft.com/en-us/library/cc740209.aspx
June 2nd, 2009 1:45pm
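Since the CA certificate has to be renewed by hand before it expires (and the CAType value above tells you whether the renewal is self-signed or needs a parent CA), the following script is an added example, not code from the thread or from Microsoft, that reports the CA type and warns when the CA's own certificate is close to expiry. It reads the registry path quoted above; the "Active" value naming the current CA and the lookup of the CA certificate in the machine's personal store are assumptions about a default installation.

```powershell
# Added example (not from the thread): report CAType and days left on the
# CA certificate, so it can be renewed before CertSvc fails with 0x800b0101.
param([int]$WarnDays = 90)   # warn this many days before expiry

# Registry location quoted in the thread; 'Active' (assumed) names the current CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caType = [int](Get-ItemProperty -Path "$cfg\$caName" -Name CAType).CAType

# Values as listed in the thread.
$caTypeNames = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA';
                  3 = 'Stand Alone CA';     4 = 'Stand Alone Subordinate CA' }
"CA '$caName' has CAType $caType ($($caTypeNames[$caType]))"
if ($caType -in 1, 4) {
    "Subordinate CA: renewal needs the parent CA online and its chain time-valid."
}

# Assumption: the CA's own certificate (with private key) sits in LocalMachine\My
# and is issued to the CA name. Renewals leave older generations alongside it,
# so take the one that expires last.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match [regex]::Escape($caName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate for '$caName' found in LocalMachine\My" }

$daysLeft = [int]($caCert.NotAfter - (Get-Date)).TotalDays
"CA certificate $($caCert.Thumbprint) expires $($caCert.NotAfter) ($daysLeft days left)"

if ($daysLeft -lt 0) {
    Write-Warning "CA certificate already expired: CertSvc will not start until it is renewed (Certification Authority console -> Renew CA Certificate)."
} elseif ($daysLeft -le $WarnDays) {
    Write-Warning "Renew the CA certificate within $daysLeft days (Certification Authority console -> Renew CA Certificate)."
}
```

Run it from a scheduled task on the CA server and route the warning to whatever alerting you already have, so the expiry is caught while the console renewal is still routine.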

If this thread is still open, I need a little assistance as well. I've renewed the Enterprise Root CA, but my subordinate CA server is unable to renew. I received the following message: Cannot Verify Certificate Chain. Do you wish to ignore the error and continue? A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495) Any ideas?
January 13th, 2011 10:56am
