error 0x80092013 - Can't start service in CA Subordinate
Dears, 

I need your support with this issue. It happens on the Subordinate CA server after installing the certificate, which is issued from the Root CA server. The installation is done correctly without any error, but after that I have to start the service on the Subordinate server. When I click on "Start service", the message appears: "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)" and the service doesn't start.

Note: I am sure that the root server is online and the ping command is successful between the servers.



November 2nd, 2013 4:59pm

Hi,

By default the Windows CA checks its own revocation status during the start of Certificate Services.

So first check that the CDP information in the subordinate CA certificate is valid and accessible, e.g. if it is an HTTP URL, copy the URL to the web browser and see if you get a valid CRL back. You can also run pkiview.msc, which should show you some PKI health status information as well.

You can also set the CA to not check its own revocation status:

certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

But to be clear: that is more of a workaround. Get your CDP information correct and the CRL published and you will not need that CRLF_REVCHECK_IGNORE_OFFLINE workaround.

Here is an article about CDP design and CRL publishing: http://blogs.technet.com/b/xdot509/archive/2012/11/26/pki-design-considerations-certificate-revocation-and-crl-publishing-strategies.aspx

Hope that helps,

Lutz

November 2nd, 2013 7:37pm
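
The CDP check described in the reply above, as an added example that is not part of the original thread: a PowerShell script that reads the CDP URLs out of the subordinate CA certificate, tries to download each HTTP one, and then runs certutil's own revocation check. The path in `$CertPath` and the function names `Get-CdpUrl` and `Test-CdpUrl` are assumptions made for this example, and the URL extraction assumes the Windows text rendering of the extension ("URL=..." lines).

```powershell
# Added example. $CertPath is an assumed location of the exported sub CA certificate.
param([string]$CertPath = 'C:\Temp\SubCA.cer')

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 is the CRL Distribution Points extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Assumption: on Windows, Format($true) prints one "URL=..." line per entry
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpUrl {
    param([string]$Url)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        # HTTP errors and connection failures both end up in the catch block
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing `
            -TimeoutSec 15 -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reachable = $true
                           Bytes = (Get-Item $tmp).Length; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false
                           Bytes = 0; Error = $_.Exception.Message }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$urls = @(Get-CdpUrl -Cert $cert)
if ($urls.Count -eq 0) {
    Write-Warning 'No CDP URLs found in the certificate.'
}

# Only HTTP(S) entries are downloaded here; LDAP entries are covered by certutil below
$urls | Where-Object { $_ -match '^https?://' } |
    ForEach-Object { Test-CdpUrl -Url $_ } | Format-List

# Windows' own chain and revocation check, fetching every CDP/AIA URL
certutil.exe -verify -urlfetch $CertPath

# Shows whether CRLF_REVCHECK_IGNORE_OFFLINE is currently set on this CA
certutil.exe -getreg ca\CRLFlags

# Once the CDP URLs return a valid CRL, the workaround flag can be cleared:
# certutil.exe -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
```

A successful ping only shows the root server answers ICMP; the table from this script shows whether the CRL file itself can be retrieved from the URLs written into the certificate.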

This topic is archived. No further replies will be accepted.
