Monday, May 5, 2014

revocation function was unable to check revocation because the revocation server was offline

q: Suddenly (12 magical months to the day after deploying the customer's CA structure on Windows Server 2008 R2) their issued certificates are no longer valid. It started on the CRM and ADFS servers, and we tracked it up to the Issuing CA server with these messages:

An error occurred during an attempt to build the certificate chain for the relying party trust certificate '---' identified by thumbprint '---'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

Revocation status for a certificate in the chain for CA certificate 0 for --- could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. --- The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

a: Once we found this very well written article it was all clear: the CRL published by the offline root CA had expired (its default validity was one year, hence the 12 months), so the Issuing CA's own certificate could no longer be revocation-checked and the CA service refused to start. The fix is to generate a fresh root CRL and republish it to the CDP locations.

  1. Boot up the offline root CA
  2. Open an elevated command prompt
  3. Run: certutil -crl
  4. It will issue a new CRL file here: C:\Windows\System32\CertSrv\CertEnroll\
  5. Copy that file to 2 places:
     - \\%appserverhostingyourpkiwebsite%\CertEnroll
     - \\%issuingCAServer%\c$\Windows\System32\certsrv\CertEnroll
Then we were able to start the 'Active Directory Certificate Services' service on the Issuing CA server and all the certificates issued by that CA were valid again.
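The outage above is avoidable if someone checks the published root CRL's NextUpdate before it lapses. The script below is an added example (not part of the original post and not a Microsoft tool): it reads ThisUpdate/NextUpdate from each CDP copy of the CRL via `certutil -dump`, warns ahead of expiry, and wraps the publish step (copy to both CDP locations, then `certutil -verify -urlfetch` against the issuing CA certificate). The server names, share paths, CRL file name and certificate path are hypothetical placeholders.

```powershell
<#
  Added example, not from the original post. Checks and publishes the offline
  root CA's CRL. All host names, paths and the CRL file name below are
  hypothetical; replace them with the real CDP locations for your PKI.
#>

# Hypothetical CDP locations (constructed for this example): the two places the post copies the CRL to
$CdpLocations = @(
    '\\pkiweb.example.local\CertEnroll',                                 # web server hosting the CDP
    '\\issuingca.example.local\c$\Windows\System32\CertSrv\CertEnroll'   # issuing CA's local CertEnroll
)
$CrlName  = 'Example Root CA.crl'   # hypothetical CRL file name written by 'certutil -crl' on the root CA
$WarnDays = 30                      # warn this many days before NextUpdate

function Get-CrlWindow {
    <# Returns ThisUpdate/NextUpdate of a CRL file, parsed from 'certutil -dump' output. #>
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    $this = [regex]::Match($dump, '(?m)^\s*ThisUpdate:\s*(.+?)\s*$').Groups[1].Value
    $next = [regex]::Match($dump, '(?m)^\s*NextUpdate:\s*(.+?)\s*$').Groups[1].Value
    if (-not $next) { return $null }               # not a CRL, or certutil failed
    $nextDt = [datetime]::Parse($next)             # certutil prints dates in the local culture's format
    [pscustomobject]@{
        Path       = $Path
        ThisUpdate = [datetime]::Parse($this)
        NextUpdate = $nextDt
        DaysLeft   = [math]::Floor(($nextDt - (Get-Date)).TotalDays)
    }
}

function Test-PublishedCrl {
    <# Warns when the CRL at any CDP location is missing, expired or close to expiring. Returns $true when all are healthy. #>
    $ok = $true
    foreach ($dir in $CdpLocations) {
        $info = Get-CrlWindow -Path (Join-Path $dir $CrlName)
        if ($null -eq $info) {
            Write-Warning "No readable CRL at $dir\$CrlName"; $ok = $false; continue
        }
        if ($info.DaysLeft -lt 0) {
            Write-Warning "CRL at $($info.Path) EXPIRED on $($info.NextUpdate); revocation checks of the issuing CA will fail"
            $ok = $false
        } elseif ($info.DaysLeft -lt $WarnDays) {
            Write-Warning "CRL at $($info.Path) expires in $($info.DaysLeft) days ($($info.NextUpdate)); run 'certutil -crl' on the root CA"
            $ok = $false
        } else {
            Write-Host "CRL at $($info.Path) valid until $($info.NextUpdate) ($($info.DaysLeft) days left)"
        }
    }
    return $ok
}

function Publish-RootCrl {
    <#
      Run from a machine that can reach both the new CRL file (transferred from the offline root CA
      after 'certutil -crl') and the CDP shares. Copies the CRL to every CDP location, then verifies
      the issuing CA certificate chains and revocation-checks cleanly against the embedded CDP/AIA URLs.
    #>
    param(
        [string]$Source        = (Join-Path 'C:\Windows\System32\CertSrv\CertEnroll' $CrlName),
        [string]$IssuingCaCert = 'C:\Temp\IssuingCA.cer'   # hypothetical path to the issuing CA's certificate
    )
    $new = Get-CrlWindow -Path $Source
    if ($null -eq $new -or $new.DaysLeft -lt 0) { throw "Source CRL at $Source is missing or already expired" }
    foreach ($dir in $CdpLocations) {
        Copy-Item -LiteralPath $Source -Destination (Join-Path $dir $CrlName) -Force
        Write-Host "Published CRL (NextUpdate $($new.NextUpdate)) to $dir"
    }
    # End-to-end check: fetch CDP/AIA URLs from the certificate and report the revocation result
    if (Test-Path -LiteralPath $IssuingCaCert) {
        & certutil.exe -verify -urlfetch $IssuingCaCert | Select-String 'Revocation|ERROR|expired'
    }
}

# Typical use: schedule Test-PublishedCrl on the issuing CA; call Publish-RootCrl after generating a new root CRL.
if (-not (Test-PublishedCrl)) { Write-Warning 'One or more CDP copies need a fresh CRL from the offline root CA.' }
```

Schedule `Test-PublishedCrl` to run well inside the root CRL's publication period so the warning arrives while there is still time to boot the offline root and run `certutil -crl`; the `certutil -verify -urlfetch` line at the end is the same check the issuing CA performs at service start, so a clean result there means the 0x80092013 error will not recur.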