I followed this guide: https://www.vkernel.ro/blog/how-to-publish-the-crl-and-aia-on-a-separate-web-server to properly configure my CRL locations for IIS. Thank you guys :)
----------------
Like the title states, I have an offline, standalone Root CA Windows Server 2019 instance and I used it to issue a certificate for my subordinate CA. I have done the following:
- Microsoft: Configure an offline root certification authority to support certificate revocation with Active Directory.
- Published the Root CA's CRL to AD by certutil -f -dspublish <crl file location>.
- Even tried saving the Root CA's CRL in the Sub CA's CertEnroll folder.
Yet every time I try to start the Sub CA, it throws this error: "CRYPT_E_REVOCATION_OFFLINE"
I'm getting past this error for now by setting the registry to ignore that error:
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
...but ideally I want my clients to check the Root CA's CRL to ensure the Sub CA is valid.
What else can I do here?
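As an added example (editor's code, not from the original poster or from Microsoft), here is the check a practitioner would run on the Sub CA before removing the CRLF_REVCHECK_IGNORE_OFFLINE workaround: it pulls the CDP/AIA URLs out of the Sub CA certificate, tests whether each HTTP location actually serves the Root CA CRL, lets the Windows chain engine repeat the fetch with certutil -verify -urlfetch, and checks the Root CRL's validity window. The file paths (C:\PKI\SubCA.cer, C:\PKI\RootCA.crl) and the web-server share in the final comment are placeholders, not values from the post.

```powershell
# Added example: verify the Root CA CRL is reachable at the URLs the Sub CA
# certificate names, then (and only then) drop the "ignore offline" flag.
# Paths below are assumptions; replace them with your own.
$SubCaCert = 'C:\PKI\SubCA.cer'
$RootCrl   = 'C:\PKI\RootCA.crl'

# 1. Extract every CDP/AIA URL from the Sub CA certificate. certutil -dump prints
#    them as "URL=..." lines under the CRL Distribution Points and Authority
#    Information Access extensions.
$dump = certutil -dump $SubCaCert
$urls = $dump |
    Select-String -Pattern 'URL=(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
    Sort-Object -Unique

# 2. Probe the HTTP(S) URLs. A CRL the CA can use comes back as HTTP 200 with a
#    non-empty body. LDAP URLs are resolved by the chain engine itself in step 3,
#    so they are only listed here.
$results = foreach ($u in $urls) {
    if ($u -match '^https?://') {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $u; Status = $r.StatusCode; Bytes = $r.RawContentLength }
        } catch {
            [pscustomobject]@{ Url = $u; Status = 'UNREACHABLE'; Bytes = 0 }
        }
    } else {
        [pscustomobject]@{ Url = $u; Status = 'not probed (LDAP)'; Bytes = 0 }
    }
}
$results | Format-Table -AutoSize

# 3. Let the Windows chain engine do the same check the CA service does at start:
#    -urlfetch downloads each CDP/AIA object and reports whether revocation
#    status could be determined for the Sub CA certificate.
certutil -verify -urlfetch $SubCaCert

# 4. An offline root's CRL can simply have expired; NextUpdate must still be in
#    the future, otherwise the Sub CA treats it as unavailable. If it has lapsed,
#    re-issue it on the offline root with "certutil -crl" and copy the new file.
certutil -dump $RootCrl | Select-String 'ThisUpdate|NextUpdate'

# 5. Current value of the workaround flag on the Sub CA.
certutil -getreg ca\CRLFlags

# Once steps 2 and 3 report the CRL as reachable, publish the Root CRL to AD and
# to the HTTP location, remove the flag and restart the CA (run deliberately,
# hence left as comments; the share path is a placeholder):
#   certutil -dspublish -f $RootCrl
#   Copy-Item $RootCrl '\\webserver\pki$\RootCA.crl'
#   certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
#   Restart-Service certsvc
```

The script changes nothing until the commented tail is run; everything before it is read-only diagnostics, so it is safe to run repeatedly while you adjust the CDP/AIA publishing until certutil -verify -urlfetch stops reporting the revocation check as offline.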