Channel: Security forum

Certsvc won't start, event ID 100, shows CRL as unavailable


Environment:

  • 1 standalone root CA (not joined to the domain)
  • 1 subordinate CA that issues certificates (joined to the domain). It’s worked fine for months.

Both are running Windows Server 2008 R2 Enterprise with SP1.

When I restarted the subordinate CA and logged back onto it, the CertSvc would not start up. In the Windows event log it listed Event ID 100:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Event ID:      100
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      myca.mydomain.local
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. myCA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
   <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
   <EventID Qualifiers="49754">100</EventID>
   <Version>0</Version>
   <Level>2</Level>
   <Task>0</Task>
   <Opcode>0</Opcode>
   <Keywords>0x80000000000000</Keywords>
   <TimeCreated SystemTime="2014-10-11T08:23:46.000000000Z" />
   <EventRecordID>4927</EventRecordID>
   <Correlation />
   <Execution ProcessID="0" ThreadID="0" />
   <Channel>Application</Channel>
   <Computer>ca-mydomain.local</Computer>
   <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="MSG_E_CA_CERT_INVALID">
   <Data Name="CACommonName">MyCAServer</Data>
   <Data Name="ErrorCode">The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)</Data>
  </EventData>
</Event>

Error when trying to start the service is “The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 -2146885613”

I went into the Root CA to force it to publish (create) a new .crl file and then published the .crl file to Active Directory using certutil from the command line (certutil -f -dspublish myca.crl rootca). This did not fix the problem (the CertSvc would still not start up on the subordinate CA).

Instead, I disabled the subordinate CA from checking the certificate revocation list (certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE). After I did that, the CertSvc on the subordinate CA started without any issues. It should be noted that I tried almost all of the above on the subordinate CA with the Root CA both on and off.

Please let me know how I can turn CRL checking back on.
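The check-then-re-enable sequence the post is asking about, as an added example written for this page and not part of the original post or of Microsoft's documentation. It is meant to be run elevated on the subordinate CA. The CRL path (C:\pki\rootca.crl), the root CA name passed to -dspublish ("RootCA") and the temp file name are assumptions; everything else is standard certutil and PowerShell syntax available on Windows Server 2008 R2. The revocation check at service start is the same chain validation that `certutil -verify -urlfetch` performs on the CA's own certificate, so that is the test used here before the CRLF_REVCHECK_IGNORE_OFFLINE flag is cleared again.

```powershell
# Added example, not code from the original post.
# Assumptions: run as administrator on the subordinate CA; the root CA's latest
# CRL has been copied to $RootCrlPath; $RootCaName matches the name used with
# certutil -dspublish when the root CRL was first published to AD.
param(
    [string]$RootCrlPath = 'C:\pki\rootca.crl',   # assumed local copy of the root CRL
    [string]$RootCaName  = 'RootCA'               # assumed root CA name for -dspublish
)

function Get-CrlFlags {
    # Shows the numeric CRLFlags value and its symbolic names, so you can see
    # whether CRLF_REVCHECK_IGNORE_OFFLINE is still set.
    certutil -getreg ca\CRLFlags | Out-String
}

function Show-RootCrlValidity {
    # An expired root CRL fails chain validation just like an unreachable one,
    # so check NextUpdate before blaming the CDP URL.
    certutil -dump $RootCrlPath | Select-String 'ThisUpdate|NextUpdate'
}

function Test-CaCertChain {
    # Export the CA's own certificate and validate it with URL fetching enabled.
    # This is the check certsvc performs at startup; 0x80092013 in the output
    # is CRYPT_E_REVOCATION_OFFLINE, the error from the event log above.
    $cert = Join-Path $env:TEMP 'subca.cer'       # assumed temp file name
    certutil -ca.cert $cert | Out-Null
    $out = certutil -verify -urlfetch $cert | Out-String
    if ($out -match '0x80092013') {
        Write-Warning 'Revocation server offline: root CRL not reachable at the CDP in the CA certificate.'
        return $false
    }
    return $true
}

function Publish-RootCrlToAd {
    # Republish the root CRL into the AD CDP container. This only helps when the
    # CDP extension of the subordinate CA certificate contains an LDAP URL; an
    # HTTP CDP needs the file copied to the web server instead.
    certutil -f -dspublish $RootCrlPath $RootCaName
    # Drop cached CRL/AIA fetches so the next verify does not reuse a stale result.
    certutil -urlcache * delete
}

function Enable-RevocationCheck {
    # Clears the flag set with "+CRLF_REVCHECK_IGNORE_OFFLINE"; certsvc only
    # reads CRLFlags at startup, hence the restart.
    certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE | Out-Null
    Restart-Service CertSvc
}

Write-Host "Current CRLFlags:`n$(Get-CrlFlags)"
Show-RootCrlValidity

if (-not (Test-CaCertChain)) {
    Publish-RootCrlToAd
}

if (Test-CaCertChain) {
    Enable-RevocationCheck
    Get-Service CertSvc          # should report Running with the flag cleared
} else {
    Write-Warning 'Chain still fails; leave the flag in place until the CDP URL in the CA certificate is reachable.'
}
```

The order matters: clearing the flag while `certutil -verify -urlfetch` still reports 0x80092013 just reproduces the Event ID 100 failure on the next restart. The flag only suppresses the offline check for the CA service itself; clients validating certificates issued by this CA still fetch the root CRL from the CDP URL embedded in the subordinate CA certificate, so the CRL has to be reachable (and unexpired) at that location regardless of how certsvc is configured.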
