Wednesday, May 02, 2012 6:45 AM
In my organization I have an off line root CA and a sub-CA (both Server 2008 R2).
The certificate issued by the root CA to the sub-CA was almost due to expire, and before that happened I renewed the certificate and installed it. The sub-CA is unable to issue certs (Error verifying request signature or signing certificate - The revocation function was unable to check revocation because the revocation server was offline 0x80092013 (-2146885613)). Furthermore, when I try to publish the CRL I have problems. The sub-CA is configured to publish the CRL to both a web address and AD (LDAP). Using pkiview.msc I can see that publishing to the web address is working fine, but the LDAP query fails. In the event log for the AD Certificate Services I see an error "Event ID 74" with the text "Directory object not found".

Lastly, if I look at the Properties for "Revoked Certificates" in certsrv.msc, then on the "View CRLs" tab there are two lines: one for "Key Index" 0 (with Publish Status = OK), the other for 1 (with Publish Status = Failed). When I installed the new sub-CA cert I didn't remove the expired cert, so in the Properties for the server in certsrv.msc on the General tab I can see the two certificates #0 and #1 (#0 is listed as expired). Checking in the ADSS under Services\Public Key Services\mysubordinateCA I just see the old CRL as mysubordinateCA, while the CRL wants to be published with attribute mysubordinatecrl(1) and this object is missing.
Thanks in advance for your support
Wednesday, May 02, 2012 8:46 PM
The expired CA certificate is never removed; ADCS will keep it in its config. This is expected behavior!
Regarding the error when publishing the CRL, please check the suggested troubleshooting steps in the following TechNet article: http://technet.microsoft.com/en-us/library/cc726336(v=ws.10).aspx
Wednesday, May 02, 2012 9:25 PM
Thank you very much for your support.
The problem I discovered is that in my LDAP I have a CRL Distribution Point in CDP > MysubCA > <TruncatedNameofMysubCA>, while the PKI is trying to publish my CRL to CDP > MysubCA > <TruncatedNameofMysubCA>(1), which is missing and... I don't know how it is created ...
I attach the configuration of my Sub CA Extensions.
As you can clearly understand, I'm not a PKI expert, but everything was working fine until the moment I issued and installed the new sub-CA certificate.
Thursday, May 03, 2012 5:47 AM
You need to add the renewal extension variable for the CRL, <CRLNameSuffix> or %8, to your URLs. Below is a sample URL for publishing to LDAP including the CRL version suffix:
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
- Marked as answer by Elytis Cheng (Moderator), Tuesday, May 15, 2012 9:23 AM
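The fix in the accepted answer, applied from the command line on the sub-CA with certutil: this is an added example, not code from the thread. The broken and fixed LDAP entries differ only by the %8 (<CRLNameSuffix>) variable, which is what makes the key index 1 CRL resolve to the "(1)" object; the HTTP host pki.example.com, the local path and the file name issued.cer are placeholders.

```powershell
# Added example (not from the thread): repair the CDP/CRL publication URLs on a
# Server 2008 R2 subordinate CA so that the LDAP location carries the CRL key
# index suffix (%8 = <CRLNameSuffix>). Run in an elevated prompt on the sub-CA.
#
# Failure pattern from the thread: an LDAP URL without %8 always publishes to
# "CN=<CATruncatedName>". After the CA certificate is renewed, the second CRL
# (key index 1) must go to "CN=<CATruncatedName>(1)", which does not exist, so
# publishing fails with Event ID 74 "Directory object not found".
#
#   BROKEN  79:ldap:///CN=%7,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
#   FIXED   79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
#
# Variables: %2 ServerShortName, %3 CaName, %6 ConfigurationContainer,
# %7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, %10 CDPObjectClass.
# Flag bits: 1 publish CRL here, 2 include in CDP of issued certs, 4 include in
# CRLs for delta lookup, 8 include in the IDP of issued CRLs, 64 publish delta
# CRL here. 79 = 1+2+4+8+64 is the default for the LDAP entry.

# 1. Record the current value so the change can be reviewed or reverted.
certutil -getreg CA\CRLPublicationURLs

# 2. Write the complete list. The value is REG_MULTI_SZ; certutil splits the
#    string on the literal two characters "\n" (PowerShell does not expand it).
certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.example.com/CertEnroll/%3%8%9.crl"

# 3. Restart the CA service so the new URLs are read, then publish a fresh CRL
#    for every key index (the CA creates the "(1)" object on first publish).
Restart-Service certsvc
certutil -CRL

# 4. Verify: the stored URLs now contain %8, and revocation checking on a
#    certificate issued by this CA succeeds instead of returning 0x80092013.
certutil -getreg CA\CRLPublicationURLs
certutil -verify -urlfetch .\issued.cer   # issued.cer: any cert from this CA (placeholder)
```

After step 3, the "View CRLs" tab in certsrv.msc should show Publish Status = OK for both key index 0 and 1, and pkiview.msc should report the LDAP CDP location as OK.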