Environment:
- 1 standalone root CA (not joined to the domain)
- 1 subordinate CA that issues certificates (joined to the domain). It’s worked fine for months.
Both running Windows Server 2008 R2 Enterprise with SP1.
When I restarted the subordinate CA and logged back onto it, the CertSvc would not start up. In the Windows Event log it listed an Event ID of 100:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Event ID: 100
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: myca.mydomain.local
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. myCA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
<EventID Qualifiers="49754">100</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-10-11T08:23:46.000000000Z" />
<EventRecordID>4927</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>ca-mydomain.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_CA_CERT_INVALID">
<Data Name="CACommonName">MyCAServer</Data>
<Data Name="ErrorCode">The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)</Data>
</EventData>
</Event>
Error when trying to start the service is “The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 -2146885613”
I went into the Root CA to force it to publish (create) a new .crl file and then to publish the .crl file to Active Directory using certutil from the command line (certutil -f -dspublish myca.crl rootca). This did not fix the problem (the CertSvc would still not start up on the subordinate CA).
Instead, I disabled the subordinate CA from checking the certificate revocation list (certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE). After I did that, the CertSvc on the subordinate CA started without any issues. It should be noted that I tried almost all of the above on the subordinate CA with the Root CA both on and off.
Please let me know how I can turn the CRL list checking back on.
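The following PowerShell script is an added example, not part of the original post and not the poster's own commands. It walks through the checks a CA administrator would run on the subordinate CA before removing the CRLF_REVCHECK_IGNORE_OFFLINE flag that was set above: locate the CA's own certificate, print the CRL distribution points it carries, build the chain with online revocation checking so that each failure is reported by name, and only then clear the flag and restart CertSvc. The CA common name (myCA), the temporary export path and the 30-second fetch timeout are assumptions for illustration; the script assumes it runs on the subordinate CA as a local administrator and uses only certutil verbs and .NET classes present on Windows Server 2008 R2.

```powershell
# Added example (not from the original post): verify the subordinate CA's own
# certificate with live CRL fetching, then re-enable CRL checking only when the
# chain verifies. Assumes it runs on the subordinate CA as a local administrator.
# $CaName and $CertOut are assumptions for illustration.

$CaName  = 'myCA'                        # assumption: subordinate CA common name
$CertOut = Join-Path $env:TEMP "$CaName.cer"

# 1. Find the CA's certificate in the machine store (the CA cert has its private key here).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate with subject CN=$CaName and a private key was found in LocalMachine\My." }

# 2. Show where this certificate tells verifiers to fetch the CRL (OID 2.5.29.31).
#    Every URL listed here must be reachable from the subordinate CA, and the
#    CRL found there must not be past its NextUpdate, or 0x80092013 results.
$cdp = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CRL Distribution Points:`n" + $cdp.Format($true) } else { 'Certificate carries no CRL Distribution Point extension.' }

# 3. Export the certificate and let certutil fetch every CRL/AIA URL in the chain.
#    The verbose output names the exact URL and CRL that fail.
[IO.File]::WriteAllBytes($CertOut, $caCert.Export('Cert'))
certutil -verify -urlfetch $CertOut

# 4. Repeat the check with .NET so each chain status is reported individually.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode       = 'Online'        # fetch CRLs, do not rely on cache
$chain.ChainPolicy.RevocationFlag       = 'EntireChain'   # check the root's CRL for the sub CA cert too
$chain.ChainPolicy.UrlRetrievalTimeout  = New-TimeSpan -Seconds 30   # assumption
$chainOk = $chain.Build($caCert)
foreach ($s in $chain.ChainStatus) { '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }
"Chain builds with online revocation checking: $chainOk"

# 5. Current CRLFlags on this CA; CRLF_REVCHECK_IGNORE_OFFLINE is the bypass set in the post.
certutil -getreg ca\CRLFlags

# 6. Clear the bypass only once the chain verifies; otherwise CertSvc will fail
#    again with the same event 100 on the next restart.
if ($chainOk) {
    certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE   # '-' removes the flag
    Restart-Service CertSvc
    Get-Service CertSvc | Select-Object Name, Status
} else {
    Write-Warning 'Chain does not verify with revocation checking. Publish a fresh root CRL to the CDP locations above (certutil -crl on the root, then certutil -f -dspublish) and re-run before removing the flag.'
}
```

The order matters: the flag only hides the symptom, so clearing it while the root CRL at the distribution point is still expired or unreachable reproduces the original failure at the next service start. Step 3's certutil output is the quickest way to see which of the CDP URLs (LDAP or HTTP) the subordinate CA is actually trying and whether the CRL it finds is stale.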