When to use CRLF_REVCHECK_IGNORE_OFFLINE?
Hi,
I deployed an offline standalone root CA. Additionally I removed the CDP and AIA locations. then published the CRL.
Copied all the certs from Root CA (C:\Windows\system32\certsrv\certenroll) to the new Sub, and published them using "certutil dspublish".
I then installed an online Enterprise Subordinate CA successfully (saving the request to a file, and obtaining it from the root CA).
The Sub CA started successfully, PKIView shows everything 100%.
I then switched off the Root CA. PKIView worked fine. SubCA service restarts fine.
However, when I try to obtain a certificate for a User, or Admin, etc - it complains about the inability to verify the revocation (The revocation function was unable to check revocation because the revocation server was offline). I open the MMC, add Cert snap-in and request a certificate.
How come that is happening?
The easy makeshift solution is to run this on the Sub CA: Certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
But is this the right way to handle this?
I used the MS Press PKI book - Brian Komar - (from p.121 for a 2-tiered hierarchy) - did I miss a step?
Thank you,
SK
June 6th, 2011 5:11pm
can you show us an output of the following command (from your root CA):
certutil -getreg ca\CRLPublicationURLs
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 6th, 2011 6:10pm
the result of that on the RootCA is:
HKEY_Local_Machine\System\CurrentControlSet\Services\CertSvc\Configuration\RootCA\CRLPublicationURLS:
CRLPublicationURLS REG_MULTI_SZ =
Certutil: -getreg command completed successfully
So it appears as empty on the Root.
There are the usual entries when I execute this on the SubCA, would you like for me to list them all here?
thanks
June 8th, 2011 10:04am
You incorrectly interpreted the requirement for empty CDP/AIA extensions in the root CA certificate. Only the root CA certificate itself should not have these extensions, but they must be configured on the root CA for issued certificates. Probably this article will be helpful for you:
http://en-us.sysadmins.lv/Lists/Posts/ViewPost.aspx?ID=36
I can't tell you exact values, because they should be configured especially for your environment and root CA CRT/CRL distribution method (obviously offline CAs cannot automatically publish files on remote locations and serve revocation points).
June 8th, 2011 12:04pm
thanks, according to that article:
"this configuration is necessary for CA servers based on Windows 2000 and Windows Server 2003. Windows Server 2008 and higher don't include these extensions in Root CA certificates by default"
Since I am running Windows 2008 R2 - this should not be the case then.
will keep investigating, thanks
June 8th, 2011 12:53pm
Please read this:
Once Root CA is installed you should perform AIA and CDP extension modification to fit your organization and/or network/AD topology requirements. URLs from these configurations will be included in all issued certificates and can be used by applications to build correct chains to this Root CA and perform revocation checking against certificates issued by this CA.
This means that it is normal when the CA certificate (itself) doesn't contain CDP/AIA extensions. However it is still necessary to configure CDP/AIA extensions in the Extensions tab (in the CA properties) to provide revocation checking for issued certificates.
June 8th, 2011 1:59pm
On Wed, 8 Jun 2011 09:53:09 +0000, S.Kwan wrote:
"this configuration is necessary for CA servers based on Windows 2000 and Windows Server 2003. Windows Server 2008 and higher don't include these extensions in Root CA certificates by default"
Since I am running Windows 2008 R2 - this should not be the case then.
will keep investigating, thanks
You're getting confused between the CDP/AIA locations that are extensions
in the actual root CA certificate and the CDP/AIA locations that are in the
registry on the root CA. The former should be empty as they direct a
relying party to the CDP/AIA locations when verifying the root cert itself,
which by definition can't really be revoked, and since it is the top of the
trust chain no intermediate certs need to be retrieved. The latter is what
gets put into the extensions of any certs issued by the root CA and those
extensions do need to be populated.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
What this country needs is a good five-cent microcomputer.
June 8th, 2011 2:18pm
Yes I must be getting them confused.
So let me ask the question in another way:
what do I need to do so that I do not receive this error message again: "The revocation function was unable to check revocation because the revocation server was offline"
and PKIView shows everything as healthy
thanks
June 8th, 2011 2:42pm
You must ensure that all of the AIA and CDP (and OCSP) URLs are:
- Correctly spelled
- Available from all networks where clients must verify certificates
- Up to date with the latest information
For the clients:
- Ensure that all proxy server information is configured
- Ensure proxy is set for both machine and user. Machine is required if the machine must validate user certificates
As a general rule (for OCSP especially)
- Revoke the previously issued CA Exchange certificate
- Generate a new one by running certutil -cainfo xchg
Brian
June 8th, 2011 3:05pm
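The root-CA side of what Paul and Brian describe above, written out as an added example; this is not code from the thread or from the referenced book. The web host pki.corp.example.com, the D:\transfer folder, the IIS folder and the file names are assumptions; the %-tokens and the numeric prefixes are certutil's own publication-URL syntax (1 = publish to this location, 2 = put in the CDP/AIA extension of issued certificates, 8 = put in the CDP extension of CRLs, so 10 = 2 + 8).

```powershell
# Section 1 runs on the offline root CA, section 2 on the online sub CA.

# ---------- 1. Offline root CA ----------
# Setting the original poster had: no publication URLs at all, so anything the
# root issues (the sub CA certificate) carries no CDP/AIA extension.
#   certutil -getreg CA\CRLPublicationURLs   ->  CRLPublicationURLs REG_MULTI_SZ = (empty)

# Corrected setting. Tokens: %1 server DNS name, %2 DNS short name, %3 CA name,
# %4 certificate renewal suffix, %6 configuration DN, %7 sanitized CA name,
# %8 CRL name suffix, %9 delta CRL suffix, %10 DS CRL attribute.
# "\n" is certutil's separator for REG_MULTI_SZ values (it is literal in PowerShell).
$HttpBase = 'http://pki.corp.example.com/CertEnroll'   # assumed web server

certutil -setreg CA\CRLPublicationURLs (
    "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n" +
    "2:$HttpBase/%3%8%9.crl")

certutil -setreg CA\CACertPublicationURLs (
    "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n" +
    "2:$HttpBase/%1_%3%4.crt")

# Apply the registry change and issue a CRL under the new configuration.
Restart-Service CertSvc
certutil -CRL

# Extensions are written at issuance time: the sub CA certificate already in
# place was issued before this change and has no CDP/AIA, so it must be
# re-requested (or renewed) from the root after this point.

# The root has no network; carry the CRL and CA certificate out by hand.
New-Item -ItemType Directory -Force 'D:\transfer' | Out-Null
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crl" 'D:\transfer\'
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crt" 'D:\transfer\'

# ---------- 2. Online subordinate CA ----------
# Publish the root CRL and certificate to AD (the LDAP locations above) and to
# the HTTP location (assumed to be an IIS folder on this server).
certutil -dspublish -f 'D:\transfer\RootCA.crl'
certutil -dspublish -f 'D:\transfer\ROOT01_RootCA.crt' RootCA
Copy-Item 'D:\transfer\*' 'C:\inetpub\wwwroot\CertEnroll\'

# Check the chain the way a relying party does: fetch every CDP/AIA URL from
# the certificate. This is Brian's spelling/reachability/freshness check in
# one command; each URL is listed with Verified or an error.
certutil -verify -urlfetch 'D:\transfer\SubCA.crt'

# Only once that reports no revocation errors, remove the workaround flag so
# the sub CA enforces revocation checking again.
certutil -setreg CA\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
Restart-Service CertSvc
```

The `-urlfetch` output is the quickest way to see whether a failure is a wrong URL, an unreachable host, or an expired CRL; a CRL whose next-update time has passed fails validation even when the file is served correctly, which is why an offline root's CRL validity period has to cover the interval between manual publications.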
OK,
In addition to using "certutil -dspublish -f xxxxx RootCA" , I also just ran the "certutil -addstore -f Root xxxxx".
Now when I install the SubCA cert on the Sub CA - I no longer get the error message.
let me see what other functions/features work.
thank you !
June 8th, 2011 3:50pm
Yep, PKIView is happy.
RootCA is Off. SubCA restarts without hassles. SubCA issues certificate based on published cert templates correctly.
Thank you for your help !
June 8th, 2011 4:23pm