Hi,
I've got a problem akin to this one: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/348a9b8d-8583-488c-9a96-42b892c4ae77
Unfortunately the solution provided there didn't solve my problem.
My scenario is:
I used to have one 2k8R2 Ent. domain-integrated online CA. Then 3 Issuing CAs were added to the hierarchy. To take the Root CA offline I migrated the CRL points to other servers (including the 3 Issuing CAs). The Root CA is still online.
The CRL Points of Root are:
LDAP, HTTP Issuing 1, HTTP Issuing 2, HTTP Issuing 3, HTTP Web Server 1, HTTP Webserver 2
While migrating the CDP I turned off the Delta CRL on Root CA.
After a few days, when I restarted the Issuing CA service, I got the message: "The revocation function was unable to check revocation because the revocation server was offline 0x80092013".
The old CDPs are still online and have valid CRLs, but they are not configured in the Root CA anymore.
Another side effect was that I can't renew a CA certificate with existing key material. When I renew the certificate with new key material, the renewal is successful.
Again the hierarchy:
Root CA
Client CA / User CA / Server CA
I performed a certutil -verify -urlfetch "Server CA.crt":
C:\Windows\System32\certsrv\CertEnroll>certutil -verify -urlfetch "dkm-a0115.acme.com_ACMESSL Server CA.crt"
Issuer:
CN=ACMESSL CA 2.0
DC=ACME
DC=com
Subject:
CN=ACMESSL Server CA
DC=ACME
DC=com
Cert Serial Number: 165d5a290000000000e4
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 2 Days, 46 Minutes, 44 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 2 Days, 46 Minutes, 44 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=ACMESSL CA 2.0, DC=ACME, DC=com
NotBefore: 15.12.2011 10:55
NotAfter: 13.12.2017 10:55
Subject: CN=ACMESSL Server CA, DC=ACME, DC=com
Serial: 165d5a290000000000e4
Template: ACME SubCA
de 97 b5 b9 a2 ee 7e 6c 77 d3 fa 0e 64 ba 35 e3 3d 26 c2 f4
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] ldap:///CN=ACMESSL%20CA%202.0,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ACME,DC=com?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 4
[1.0] http://dkm-a0018.ACME.com/CertEnroll/dkm-a0018.ACME.com_ACMESSL%20CA%202.0.crt
Verified "Certificate (0)" Time: 4
[2.0] http://usd2s0018.ACME.com/CACERTS/dkm-a0018.ACME.com_ACMESSL%20CA%202.0.crt
Failed "AIA" Time: 0
Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)
http://dkm-a0014.ACME.dmz/ACMEcrl/dkm-a0018.ACME.com_ACMESSL%20CA%202.0.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (02ee)" Time: 0
[0.0] ldap:///CN=ACMESSL%20CA%202.0,CN=dkm-a0018,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ACME,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (02ee)" Time: 4
[1.0] http://dkm-a0018.ACME.com/CertEnroll/ACMESSL%20CA%202.0.crl
Verified "Base CRL (02ee)" Time: 4
[2.0] http://usd2s0018.ACME.com/CACERTS/ACMESSL%20CA%202.0.crl
Failed "CDP" Time: 0
Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)
http://dkm-a0014.ACME.dmz/ACMEcrl/ACMESSL%20CA%202.0.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 02e9:
Issuer: CN=ACMESSL CA 2.0, DC=ACME, DC=com
29 ff 23 76 58 9b a8 13 1d 43 94 be 86 c9 ec 1f 2c 2e 2b 53
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=ACMESSL CA 2.0, DC=ACME, DC=com
NotBefore: 11.11.2010 10:14
NotAfter: 11.11.2020 10:24
Subject: CN=ACMESSL CA 2.0, DC=ACME, DC=com
Serial: 3eed5ca7928310be47eb942a21497a9d
Template: CA
37 8a a3 e5 e1 a7 4f a3 18 7d 1c b1 38 94 e6 d9 16 ac f7 08
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
07 2f 25 3f d7 fb 6c e2 57 e7 c9 3c 68 d2 3c 6a 77 eb 94 1d
Full chain:
5b 37 0f 39 7e 48 b3 69 29 42 40 fb 92 5a 3c 2e ed e1 05 91
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
"
Failed "CDP" Time: 0
Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)
http://dkm-a0014.ACME.dmz/ACMEcrl/ACMESSL%20CA%202.0.crl
"
This Server is currently down.
Hope you guys can help me.
Best Regards,
Michael
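Added example (not part of the original post, and not Microsoft's code): a small parser for the `certutil -verify -urlfetch` console output quoted above. It pulls out every AIA/CDP/OCSP fetch, its status and error, and then lists the distribution-point hosts that failed and the hosts embedded in the certificate that are no longer in the CA's current publication list. The sample text is constructed from the output in the post; the set of "currently configured" hosts is an assumption for illustration, since the post does not name them.

```python
"""Triage helper for 'certutil -verify -urlfetch' output (added example).

Reads the console trace, records each AIA/CDP/OCSP URL fetch, and reports
which hosts timed out and which embedded hosts are not in the CA's current
CRL/AIA publication configuration. URLs are baked into a certificate at
issuance, so a CA whose CDP/AIA settings were changed afterwards still has
the old URLs in the certificates it issued before the change.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

SECTION_RE = re.compile(r"^-+\s+(.*?)\s+-+$")
STATUS_RE = re.compile(r'^(Verified|Failed|No URLs)\s+"([^"]*)"\s+Time:\s*(\d+)')
URL_RE = re.compile(r"^(?:\[\d+\.\d+\]\s+)?((?:ldap|https?)://\S+)$", re.I)
ERROR_RE = re.compile(r"^Error retrieving URL:\s*(.*)$")
ELEMENT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]")


@dataclass
class Fetch:
    element: int            # CertContext[0][n] index in the chain
    section: str            # e.g. "Certificate AIA", "Certificate CDP"
    status: str             # Verified / Failed / No URLs
    what: str               # e.g. 'Base CRL (02ee)', 'Certificate (0)', 'AIA'
    url: Optional[str]
    error: Optional[str]


def parse_urlfetch(text: str) -> List[Fetch]:
    """State machine over the trace: section header -> status line -> URL."""
    fetches: List[Fetch] = []
    element, section = -1, ""
    pending: Optional[Fetch] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ELEMENT_RE.match(line)
        if m:
            element = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m:
            if pending:
                fetches.append(pending)
            pending = Fetch(element, section, m.group(1), m.group(2), None, None)
            if m.group(1) == "No URLs":     # nothing to fetch, record as-is
                fetches.append(pending)
                pending = None
            continue
        m = ERROR_RE.match(line)
        if m and pending:
            pending.error = m.group(1)
            continue
        m = URL_RE.match(line)
        if m and pending:                   # URL line closes the record
            pending.url = m.group(1)
            fetches.append(pending)
            pending = None
    if pending:
        fetches.append(pending)
    return fetches


def failed_fetches(fetches: List[Fetch]) -> List[Fetch]:
    return [f for f in fetches if f.status == "Failed"]


def embedded_hosts(fetches: List[Fetch]) -> Set[str]:
    """Hosts named in the certificate's AIA/CDP URLs (LDAP URLs have none)."""
    hosts = set()
    for f in fetches:
        host = urlsplit(f.url).hostname if f.url else None
        if host:
            hosts.add(host)
    return hosts


def unreachable_hosts(fetches: List[Fetch]) -> Set[str]:
    return embedded_hosts(failed_fetches(fetches))


def stale_hosts(fetches: List[Fetch], configured_hosts: Set[str]) -> Set[str]:
    """Embedded hosts that are no longer among the CA's configured publication hosts."""
    return embedded_hosts(fetches) - {h.lower() for h in configured_hosts}


# Constructed sample, assembled from the trace quoted in the post.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] ldap:///CN=ACMESSL%20CA%202.0,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ACME,DC=com?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 4
    [1.0] http://dkm-a0018.ACME.com/CertEnroll/dkm-a0018.ACME.com_ACMESSL%20CA%202.0.crt
  Verified "Certificate (0)" Time: 4
    [2.0] http://usd2s0018.ACME.com/CACERTS/dkm-a0018.ACME.com_ACMESSL%20CA%202.0.crt
  Failed "AIA" Time: 0
    Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)
    http://dkm-a0014.ACME.dmz/ACMEcrl/dkm-a0018.ACME.com_ACMESSL%20CA%202.0.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (02ee)" Time: 0
    [0.0] ldap:///CN=ACMESSL%20CA%202.0,CN=dkm-a0018,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ACME,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (02ee)" Time: 4
    [1.0] http://dkm-a0018.ACME.com/CertEnroll/ACMESSL%20CA%202.0.crl
  Verified "Base CRL (02ee)" Time: 4
    [2.0] http://usd2s0018.ACME.com/CACERTS/ACMESSL%20CA%202.0.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)
    http://dkm-a0014.ACME.dmz/ACMEcrl/ACMESSL%20CA%202.0.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
"""

# Assumed (constructed) set of hosts the CA currently publishes to.
CURRENT_CDP_HOSTS = {"dkm-a0018.acme.com", "usd2s0018.acme.com"}

if __name__ == "__main__":
    parsed = parse_urlfetch(SAMPLE)
    for f in failed_fetches(parsed):
        print(f"FAILED element={f.element} {f.section}: {f.url} ({f.error})")
    print("unreachable hosts:", sorted(unreachable_hosts(parsed)))
    print("embedded but no longer configured:", sorted(stale_hosts(parsed, CURRENT_CDP_HOSTS)))
```

Run it against a saved trace (`certutil -verify -urlfetch cert.crt > trace.txt`) by passing the file contents to `parse_urlfetch`. A host that shows up in `stale_hosts` is one the certificate still points at even though the CA no longer publishes there; a decommissioned host there explains a timeout on that URL even when every currently configured CDP is healthy.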