Hi,
I inherited an environment with a RHEL offline root CA ("car") and a 2008 subordinate/issuing CA (wincai). I am trying to create a new Windows 2019 issuing CA (wincert-sub). I have gotten to the point that the new server can issue certificates,
but Enterprise PKI shows an error. I am not able to paste a picture, but the error is CA CERTIFICATE---REVOCATION STATUS UNKNOWN
Here is the fetch command that I have seen requested. I apologize if sanitation causes readability issues:
Issuer:
CN=WINyyy-SUB-CA
[0,0]: CERT_RDN_PRINTABLE_STRING, Length = 14 (14/64 Characters)
2.5.4.3 Common Name (CN)="WINyyy-SUB-CA"
57 49 4e 43 45 52 54 2d 53 55 42 2d 43 41 WINyyy-SUB-CA
57 00 49 00 4e 00 43 00 45 00 52 00 54 00 2d 00 W.I.N.C.E.R.T.-.
53 00 55 00 42 00 2d 00 43 00 41 00 S.U.B.-.C.A.
Name Hash(sha1): 72fc7b99d0f4cd1d5a291d800cad01981308f239
Name Hash(md5): f6db2cdffa3783361cf4e7cf467675a3
Subject:
CN=winyyy.ad.xxx.yyy.org
[0,0]: CERT_RDN_PRINTABLE_STRING, Length = 23 (23/64 Characters)
2.5.4.3 Common Name (CN)="winyyy.ad.xxx.yyy.org"
77 69 6e 63 65 72 74 2e 61 64 2e 64 74 65 2e 63 winyyy.ad.xxx.c
65 72 74 2e 6f 72 67 ert.org
77 00 69 00 6e 00 63 00 65 00 72 00 74 00 2e 00 w.i.n.c.e.r.t...
61 00 64 00 2e 00 64 00 74 00 65 00 2e 00 63 00 a.d...
65 00 72 00 74 00 2e 00 6f 00 72 00 67 00 .
Name Hash(sha1): a13614146e7d707a9f7343b7845c77642ead7acf
Name Hash(md5): 220a0f0d68dde7acfd64d9df76c85ab3
Cert Serial Number: 430000000aed04c2dd5ad3003500010000000a
0000 0a 00 00 00 01 00 35 00 d3 5a dd c2 04 ed 0a 00
0010 00 00 43
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwRevocationFreshnessTime: 3 Hours, 55 Minutes, 42 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwRevocationFreshnessTime: 3 Hours, 55 Minutes, 42 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=WINyyy-SUB-CA
NotBefore: 6/4/2019 10:19 AM
NotAfter: 6/3/2020 10:19 AM
Subject: CN=winyyy.ad.xxx.yyy.org
Serial: 430000000aed04c2dd5ad3003500010000000a
SubjectAltName: DNS Name=winyyy.ad.xxx.yyy.org
Template: Machine
Cert: 27caa43c8c97589d9f0e6417ace22695372b273d
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0 4a234112bb74ef8c3971ee05ae4afd2c746001ae
[0.0] ldap:///CN=WINyyy-SUB-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?cACertificate?base?objectClass=certificationAuthority
No CRL "Certificate (1)" Time: 0 aa81a87b96cc04cf15a674287a3287f90a000daa
[0.1] ldap:///CN=WINyyy-SUB-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?cACertificate?base?objectClass=certificationAuthority
No CRL "Certificate (1)" Time: 0 aa81a87b96cc04cf15a674287a3287f90a000daa
[1.0] http://winyyy.ad.xxx.yyy.org/CertEnroll/winyyy.ad.xxx.yyy.org_WINyyy-SUB-CA(1).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (07)" Time: 0 265eb862c6e7862d525d9a27c288e77cbd044a70
[0.0] ldap:///CN=WINyyy-SUB-CA(1),CN=winyyy,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (07)" Time: 0 74aceb86be890bb8da90b36813157c12fdbdd481
[0.0.0] ldap:///CN=WINyyy-SUB-CA(1),CN=winyyy,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (07)" Time: 0 f8adf9553ac558875f035b6478fece9fe8c9ea82
[0.0.1] http://winyyy.ad.xxx.yyy.org/CertEnroll/WINyyy-SUB-CA(1)+.crl
Verified "Base CRL (08)" Time: 0 c61b9d711b7c00d5fb0c1c10b355afd96aa07475
[1.0] http://winyyy.ad.xxx.yyy.org/CertEnroll/WINyyy-SUB-CA(1).crl
Verified "Delta CRL (08)" Time: 0 f8adf9553ac558875f035b6478fece9fe8c9ea82
[1.0.0] http://winyyy.ad.xxx.yyy.org/CertEnroll/WINyyy-SUB-CA(1)+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (07)" Time: 0 74aceb86be890bb8da90b36813157c12fdbdd481
[0.0] ldap:///CN=WINyyy-SUB-CA(1),CN=winyyy,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Delta CRL (08)" Time: 0 f8adf9553ac558875f035b6478fece9fe8c9ea82
[1.0] http://winyyy.ad.xxx.yyy.org/CertEnroll/WINyyy-SUB-CA(1)+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 07:
Issuer: CN=WINyyy-SUB-CA
ThisUpdate: 6/4/2019 9:33 AM
NextUpdate: 6/11/2019 9:53 PM
CRL: 265eb862c6e7862d525d9a27c288e77cbd044a70
Delta CRL 07:
Issuer: CN=WINyyy-SUB-CA
ThisUpdate: 6/4/2019 9:33 AM
NextUpdate: 6/5/2019 9:53 PM
CRL: 74aceb86be890bb8da90b36813157c12fdbdd481
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=40
Issuer: E=xxx-operations@yyy.org, CN=car.core.xxx.yyy.org, OU=Development and Test Environment, O=Software Engineering Institute, L=Arlington, S=Virginia, C=US
NotBefore: 5/30/2019 3:10 PM
NotAfter: 5/27/2029 3:10 PM
Subject: CN=WINyyy-SUB-CA
Serial: 1009
Cert: aa81a87b96cc04cf15a674287a3287f90a000daa
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Issuer: E=xxx-operations@yyy.org, CN=car.core.xxx.yyy.org, OU=Development and Test Environment, O=Software Engineering Institute, L=Arlington, S=Virginia, C=US
NotBefore: 10/13/2016 10:06 AM
NotAfter: 10/8/2036 10:06 AM
Subject: E=xxx-operations@yyy.org, CN=car.core.xxx.yyy.org, OU=Development and Test Environment, O=Software Engineering Institute, L=Arlington, S=Virginia, C=US
Serial: f74b2c5430ccc7e0
Cert: 8e76b8f351d2f092a5e201ea6f05e2538864ce30
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Expired "Certificate (0)" Time: 0 50172205dc0a29ba737467ae5f68ee392a7ce59a
[0.0] http://winpki.core.xxx.yyy.org/CertEnroll/xxx-rootca.pem
---------------- Certificate CDP ----------------
Verified "Base CRL (02)" Time: 0 e4446a95198cbe0cf9bbb36573cd4d15fea41a6a
[0.0] http://winpki.core.xxx.yyy.org/CertEnroll/xxx-rootcrl.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 057d89682dca5efb958ba4343777c389ca88c919
Full chain:
Chain: a259b8bf0eee4aef9853813fd70b7052ee3dce60
Issuer: CN=WINyyy-SUB-CA
NotBefore: 6/4/2019 10:19 AM
NotAfter: 6/3/2020 10:19 AM
Subject: CN=winyyy.ad.xxx.yyy.org
Serial: 430000000aed04c2dd5ad3003500010000000a
SubjectAltName: DNS Name=winyyy.ad.xxx.yyy.org
Template: Machine
Cert: 27caa43c8c97589d9f0e6417ace22695372b273d
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
I am able to get to the URLs listed, but I can't figure out what I am missing so that the PKI utility comes up clean for WINCERT (my new CA). I am not as familiar with Linux offline roots as I am with Windows, so maybe I missed something there? Any help would be appreciated.
Roger
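The dump above says where the error comes from: element [0][1], the subordinate CA certificate issued by the offline root, reports "No URLs" for AIA, CDP and OCSP, so the Windows chain engine has no CRL location to fetch for it and flags CERT_TRUST_REVOCATION_STATUS_UNKNOWN on that element alone. As an added example that is not part of the post, the Python below parses a constructed certutil dump-chain excerpt (same sanitized names as above) and reports which chain element lacks revocation sources; the CertContext and section line formats are taken from the dump as posted.

```python
import re
# Constructed excerpt of a "certutil -verify -urlfetch" dump chain, modelled on the post above
# (same sanitized names). Element [0][1] is the subordinate CA certificate from the offline root.
SAMPLE_DUMP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=winyyy.ad.xxx.yyy.org
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (08)" Time: 0 c61b9d711b7c00d5fb0c1c10b355afd96aa07475
    [1.0] http://winyyy.ad.xxx.yyy.org/CertEnroll/WINyyy-SUB-CA(1).crl
CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=40
  Subject: CN=WINyyy-SUB-CA
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0 (null)
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0 (null)
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0 (null)
CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
  Subject: CN=car.core.xxx.yyy.org
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (02)" Time: 0 e4446a95198cbe0cf9bbb36573cd4d15fea41a6a
    [0.0] http://winpki.core.xxx.yyy.org/CertEnroll/xxx-rootcrl.crl
"""
REVOCATION_STATUS_UNKNOWN = 0x40  # CERT_TRUST_REVOCATION_STATUS_UNKNOWN bit in dwErrorStatus
ELEMENT_RE = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=\w+ dwErrorStatus=([0-9a-fA-F]+)")
SECTION_RE = re.compile(r"-+ Certificate (AIA|CDP|OCSP) -+")
URL_RE = re.compile(r"\[[\d.]+\] (ldap|https?|file):")  # a fetchable URL line under a section

def parse_chain(dump):
    """One dict per chain element: index, subject, dwErrorStatus and URL count per section."""
    elements, section = [], None
    for line in (l.strip() for l in dump.splitlines()):
        m = ELEMENT_RE.match(line)
        if m:  # a new chain element starts; reset the current URL section
            elements.append({"index": int(m.group(1)), "subject": "", "error": int(m.group(2), 16),
                             "urls": {"AIA": 0, "CDP": 0, "OCSP": 0}})
            section = None
        elif not elements:
            continue  # header lines before the first CertContext (issuer/subject dump, flags)
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif line.startswith("Subject:"):
            elements[-1]["subject"] = line.split(":", 1)[1].strip()
        elif section and URL_RE.match(line):
            elements[-1]["urls"][section] += 1
    return elements

def revocation_gaps(dump):
    """Elements flagged REVOCATION_STATUS_UNKNOWN, with the sections that offer no URL to fetch."""
    return [(e["index"], e["subject"], [k for k, n in e["urls"].items() if n == 0])
            for e in parse_chain(dump) if e["error"] & REVOCATION_STATUS_UNKNOWN]
```

Run against the excerpt, the only gap reported is element 1 (CN=WINyyy-SUB-CA) with no AIA, CDP or OCSP URLs, matching the "No URLs" sections in the real dump; the leaf and root elements each have a reachable CRL and carry no error bit.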