Issuing CA's CRL checking not working
I installed an Enterprise subordinate issuing CA with
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE so the Issuing CA is able to start. I am publishing the CRL on a website and am able to access the CRL from Internet Explorer. I ran
certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE so CRL checking is turned back on, but the CA is not starting. I am getting "revocation check error".
How can I start my CA with CRL checking turned on?
September 8th, 2011 4:23pm
Hi,
After running the "certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE" command, please run the following command:
net stop certsvc && net start certsvc
If the problem continues, please let us know the exact error message you receive.
Regards,
Bruce
September 9th, 2011 4:18am
Thanks for your reply. After certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE, I stopped certsvc. I tried to restart and am getting "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)".
September 9th, 2011 2:30pm
This means that one or more of your CAs have incorrect URLs in either the AIA or CDP extension.
If you can get the issuing CA started, or access any certificate issued by the issuing CA (say, call it leafcert.crt),
then run certutil -verify -urlfetch leafcert.crt
The output will show you which objects are unable to be retrieved and will guide you where to publish information.
This is a very typical error when either defaults were used or incorrect URLs were configured for the AIA and CDP extensions.
Brian
September 10th, 2011 10:07am
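The check Brian describes (pull every CDP and AIA URL out of an issued certificate and see whether each object can actually be retrieved) can be scripted so it also reports the NextUpdate of each CRL that comes back. This is an added example written for this thread, not code from the original posts or from Microsoft; the certificate path is an assumed input and the script only handles http:// locations, which is the kind the poster published on a website.

```powershell
# Added example (not from the thread): enumerate the CDP and AIA URLs in a
# certificate, try to fetch each over HTTP and, for CRLs, report NextUpdate.
# An expired CRL is treated by CryptoAPI as unavailable and gives the same
# 0x80092013 "revocation server was offline" result as an unreachable one.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # e.g. C:\temp\leafcert.crt (assumed path)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
$extOids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

$urls = foreach ($ext in $cert.Extensions) {
    if ($extOids.ContainsKey($ext.Oid.Value)) {
        # Format($true) renders the extension as text; pull out the URL= entries.
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object {
            [pscustomobject]@{ Kind = $extOids[$ext.Oid.Value]; Url = $_.Groups[1].Value }
        }
    }
}

foreach ($u in $urls) {
    if ($u.Url -notmatch '^http://') {
        # ldap:// and file:// locations are not checked here; only the web-published copies.
        Write-Output ("{0,-4} SKIP   {1}" -f $u.Kind, $u.Url)
        continue
    }
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $u.Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $status = 'OK'
        if ($u.Kind -eq 'CDP') {
            # certutil -dump prints the CRL's ThisUpdate/NextUpdate lines.
            $dump = certutil -dump $tmp 2>&1
            $m = $dump | Select-String 'NextUpdate:\s*(.+)$' | Select-Object -First 1
            if ($m) {
                $next = [datetime]$m.Matches[0].Groups[1].Value
                if ($next -lt (Get-Date)) { $status = "EXPIRED (NextUpdate $next)" }
                else { $status = "OK (NextUpdate $next)" }
            } else {
                $status = 'OK (NextUpdate not parsed)'
            }
        }
        Write-Output ("{0,-4} {1} {2}" -f $u.Kind, $status, $u.Url)
    } catch {
        Write-Output ("{0,-4} FAIL   {1}  ({2})" -f $u.Kind, $u.Url, $_.Exception.Message)
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

Run it once against a leaf certificate and once against each CA certificate in the chain (the offline root and policy CA certificates as well), because the issuing CA service validates its own certificate chain at start-up, so a CDP or AIA URL on the offline CAs' certificates matters as much as the ones on the issuing CA. Any FAIL or EXPIRED line points at the object that still has to be published (or re-published with a fresh CRL) at that URL.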
I verified the AIA and CDP extensions on my Enterprise issuing CA and they look good. I also verified my offline Enterprise root CA, offline Enterprise Policy CA and issuing CA's .crl and .crt files at my common URL. I ran certutil -verify -urlfetch and am seeing a revocation check error for my offline policy and offline root CA.
Here is what I am doing to recreate the problem.
I changed HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\Servername\CRLFlags to the decimal value 2 (it was 10 after running certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE). I stopped the CA and get the revocation error when I restart the CA.
September 12th, 2011 7:05pm