Issuing CA's CRL checking not working
I installed an Enterprise subordinate issuing CA with certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE so the issuing CA is able to start. I am publishing the CRL on a website and am able to access the CRL from Internet Explorer. I ran certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE so CRL checking is turned back on, but the CA is not starting. I am getting "revocation check error". How can I start my CA with CRL checking turned on?
September 8th, 2011 11:18pm

Hi,

After running the "certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE" command, please run the following command:

net stop certsvc && net start certsvc

If the problem continues, please let us know the exact error message you receive.

Regards,
Bruce
September 9th, 2011 11:13am

Thanks for your reply. After certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE, I stopped certsvc. I tried to restart and am getting "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)".
September 9th, 2011 9:28pm

This means that one or more of your CAs have incorrect URLs in either the AIA or CDP extension. If you can get the issuing CA started, or access any certificate issued by the issuing CA (say, call it leafcert.crt), then run

certutil -verify -urlfetch leafcert.crt

The output will show you which objects are unable to be retrieved and will guide you where to publish information. This is a very typical error when either defaults were used or incorrect URLs were configured for the AIA and CDP extensions.

Brian
September 10th, 2011 5:07pm

I verified the AIA and CDP extensions on my Enterprise issuing CA and they look good. I also verified my offline Enterprise root CA, offline Enterprise policy CA and issuing CA .crl and .crt files at my common URL. I ran certutil -verify -urlfetch and am seeing a revocation check error for my offline policy and offline root CA. Here is what I am doing to recreate the problem. I changed HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\Servername\CRLFlags to the decimal value 2 (it was 10 after running certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE). I stopped the CA and am getting the revocation error when I restart the CA.
September 12th, 2011 7:05pm

The issue is that you did not use variables for your AIA and CDP paths. You ended the path with RootCA.crt and Root CA.crl, not %1_%3%4.crt and %3%8%9.crl as recommended when following best practices. My guess is that the same issue exists at the policy and issuing CAs. Because you used a static name, versioning is not supported. I do not carry my book with me everywhere that I travel, so I have no clue what is in Table 6.2. Bottom line: if you do not use variables in your AIA and CDP paths, then when you renew a certificate with a new key pair everything will break. Very simple.

Brian
February 9th, 2012 6:17am

Thanks Brian for your reply.

1) All root, policy and issuing CA .crl and .crt files are correct in the CDP and AIA locations.
2) I ran certutil -addstore root ourRootCRLfile.crl on the policy CA, started the policy CA, created a new policy CRL and copied it to the CDP/AIA location.
3) I ran certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE on the issuing CA and still get the same revocation error: "The revocation function was unable to check revocation because the revocation............"

What else do you want me to check/run?
February 11th, 2012 12:46pm

Can you run the following command against a certificate issued by your issuing CA (you can grab one, maybe from your personal certificate store)?

certutil -verify -urlfetch Certfile.cer

Then post the output. That will be the only way to figure out what is going on.

Brian
February 11th, 2012 1:54pm

I ran certutil -verify -urlfetch wks.cer and found some errors. The CDP and AIA locations have the newly copied root, policy and issuing CA .crt and .crl files.

---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://mycompanyCDP1.com/IssuingCA.crt
Verified "Certificate (0)" Time: 0
[1.0] http://mycompanyCDP2.com/IssuingCA.crt

---------------- Certificate CDP ----------------
Verified "Base CRL (43)" Time: 0
[0.0] http://mycompanyCDP1.com/IssuingCA.crl
Verified "Base CRL (43)" Time: 0
[1.0] http://mycompanyCDP2.com/IssuingCA.crl

---------------- Certificate AIA ----------------
Revocation Check Failed "Certificate (0)" Time: 0
[0.0] http://mycompanyCDP1.com/POLICYCA.crt
Revocation Check Failed "Certificate (0)" Time: 0
[1.0] http://mycompanyCDP2.com/POLICYCA.crt

---------------- Certificate CDP ----------------
Verified "Base CRL (235)" Time: 0
[0.0] http://mycompanyCDP1.COM/POLICYCA.crl
Verified "Base CRL (235)" Time: 0
[1.0] http://mycompanyCDP2.com/POLICYCA.crl

Revocation Check Failed "Certificate (0)" Time: 0
[0.0] http://mycompanyCDP1.com/RootCA.crt
Revocation Check Failed "Certificate (0)" Time: 0
[1.0] http://mycompanyCDP2.com/RootCA.crt

---------------- Certificate CDP ----------------
Wrong Issuer "Base CRL (6)" Time: 0
[0.0] http://mycompanyCDP1.COM/RootCA.crl
Wrong Issuer "Base CRL (6)" Time: 0
[1.0] http://mycompanyCDP2.COM/RootCA.crl
February 11th, 2012 2:55pm

Your root CA is incorrectly configured. You have used static names on the root and policy CA and did not allow for versioning information.

AIA URLs for HTTP should be using %1_%3%4.crt
CDP URLs for HTTP should be using %3%8%9.crl

You have not (hence the wrong issuer problem).

Brian
February 11th, 2012 3:52pm

If you can, then please send me the exact, easy steps to correct this problem.
February 11th, 2012 3:58pm

Sorry, you crossed the line to free consulting. You will have to work on the Extensions tab of the root, policy, and issuing CAs. If you have my book, the installation chapter covers proper forms and certutil command lines to fix each line. Just google on this forum, as this is an often-discussed topic.

Brian
February 11th, 2012 4:33pm

I am sorry for taking your time, but I am trying to understand the actual issue. I have just gone through your book, and page 99 says the following about AIA and CDP. I am coding the actual URL for CDP and AIA in the root, policy and issuing CAs. So I can't use actual URLs for the CDP and AIA locations in the root, policy and issuing CAs?

"If you decide to define AIA and CDP URLs for the root CA certificate, you can use predefined variables, rather than coding the actual URLs. Windows Server 2003 provides the variables shown in Table 6-2 for defining AIA and CDP URL paths."
February 11th, 2012 4:43pm

Brian, I have 1 offline root CA, 1 offline policy CA and 1 online issuing CA. The CA is not starting after running "certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE" and I am getting the error "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)". I ran certutil -verify issuingCA.cer and have seen some revocation check errors for the policy CA. What should I do to enable CRL checking and get the CA started?

Exclude leaf cert:
b1 8c 2a 13 95 58 2b 9d 64 1d 44 9c 05 2f dd 7d 95 84 94 8d
Issuer: CN=PolicyCA
Subject: CN=IssuingCA, DC=xxx, DC=test
Serial: 2a635d0c00000000002b
Template: SubCA
1b 88 06 ce e3 ed be d1 99 68 fb 27 61 d0 2c bd 1f af b5 67
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
February 11th, 2012 5:09pm

You are correct, Brian. I renewed an issuing CA certificate with a new key pair and copied the new .crt/.crl files to the CDP/AIA locations. Now I am seeing the errors for .crl. Let me find the CDP and AIA variable path syntax and re-install my issuing CA. I will get back to you. The problem is that we are already using our production root CA, production policy CA and issuing CA, so it will affect the users if I replace the static path with the new variables.

---------------Certificate CDP----------
Wrong Issuer "Base CRL" [http://CDPlocation1.com/issuingCA.crl
Wrong Issuer "base CRL" [http://CDPlocation2.com/issuingCA.crl

Table 6-2 AIA and CDP Variable Definitions

Variable  Name              Description
%1        ServerDNSName     The CA computer's DNS name
%2        ServerShortName   The CA computer's NetBIOS name
%3        CAName            The CA's logical name
%4        CertificateName   The name of the CA's certificate file
%5        DomainDN          Not used in the Windows Server 2003 PKI
%6        ConfigDN          The Lightweight Directory Access Protocol (LDAP) path of the forest's configuration naming context for the forest
%7        CATruncatedName   The CA's sanitized name
%8        CRLNameSuffix     The CRL's renewal extension
%9        DeltaCRLAllowed   Indicates whether delta CRLs are supported by the CA
%10       CDPObjectClass    Indicates that the object is a CDP object in Microsoft Active Directory
%11       CAObjectClass     Indicates that the object
February 11th, 2012 5:37pm
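As an added illustration (not code from the thread), the following Python models how AD CS expands the AIA/CDP filename templates Brian recommends for successive CA key generations, and shows the filename collision that a static name such as RootCA.crl produces once the CA certificate is renewed with a new key pair. The expansion conventions (%4 and %8 become "" for the first key and "(n)" for the n-th new-key renewal, %9 becomes "+" for a delta CRL), the host name rootca.test.local and the two-generation scenario are assumptions made for this example.

```python
import re

# Added example, not from the thread: models how AD CS expands the AIA/CDP
# templates %1_%3%4.crt and %3%8%9.crl per CA key generation, and the file-name
# collision a static name such as RootCA.crl causes after a new-key renewal.
# Assumed conventions: %1 = CA host DNS name, %3 = CA logical name, %4 and %8 =
# "" for the first key and "(n)" for the n-th new key, %9 = "+" for a delta CRL.

def expand(template, server_dns, ca_name, key_index, delta=False):
    """Expand the supported %n tokens for one key generation; reject unknown ones."""
    suffix = "" if key_index == 0 else f"({key_index})"
    tokens = {"1": server_dns, "3": ca_name, "4": suffix, "8": suffix,
              "9": "+" if delta else ""}

    def repl(match):
        num = match.group(1)  # greedy digits, so %10 is never read as %1 + "0"
        if num not in tokens:
            raise ValueError(f"unsupported token %{num} in {template!r}")
        return tokens[num]

    return re.sub(r"%(\d+)", repl, template)

def published_files(template, server_dns, ca_name, generations, delta=False):
    """Map each key generation to the filename its issued certificates reference."""
    return {g: expand(template, server_dns, ca_name, g, delta) for g in range(generations)}

def collisions(files):
    """Filenames referenced by more than one key generation. A CRL carries one
    signature, so a shared name verifies against only one CA key; certificates
    chaining to the other key report 'Wrong Issuer'."""
    by_name = {}
    for gen, name in files.items():
        by_name.setdefault(name, []).append(gen)
    return {name: gens for name, gens in by_name.items() if len(gens) > 1}

HOST = "http://mycompanyCDP1.com/"     # CDP host from the thread
STATIC_CRL = HOST + "RootCA.crl"       # static name as configured by the asker
VARIABLE_CRL = HOST + "%3%8%9.crl"     # template Brian recommends for HTTP CDP
VARIABLE_AIA = HOST + "%1_%3%4.crt"    # template Brian recommends for HTTP AIA

if __name__ == "__main__":
    # rootca.test.local is constructed; two generations = one new-key renewal
    for label, tmpl in (("static", STATIC_CRL), ("variable", VARIABLE_CRL)):
        files = published_files(tmpl, "rootca.test.local", "RootCA", 2)
        print(f"{label:8} {files}  collisions: {collisions(files)}")
```

With the static template both generations resolve to the same RootCA.crl, which also happens to be what the variable template yields for the first key; after the renewal only one of the two CRLs can live at that URL.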

Although Bruce gave a working answer, it is not the way I would go (sorry Bruce <G>). Based on what you have stated, either the root and policy CA are not configured correctly, or you have expired CRLs/CA certs at the AIA/CDP locations specified in the certificates issued by the root and policy CA.

You need to start from the root CA, and publish an updated CRL. Then you must publish the updated CRL to the locations specified on the CDP extensions tab. This could involve running certutil -dspublish or manually copying the updated CRL to the Web server you have designated.

Once you accomplish this, the policy CA is next. If it is offline, you will have to run certutil -addstore root NewRootCRL.crl to load the new root CA CRL. Then you must start the policy CA and publish a new CRL. Like the root, you must publish the updated policy CA CRL.

Finally, run certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE to enable CRL checking and you should be able to restart the issuing CA.

Brian
February 11th, 2012 9:26pm

