Sign in

Microsoft.com

United States (English)

Brasil (Português)Česká republika (Čeština)Deutschland (Deutsch)España (Español)France (Français)Italia (Italiano)Россия (Русский)대한민국 (한국어)中华人民共和国 (中文)台灣 (中文)日本 (日本語)香港特别行政區 (中文)

Windows Server TechCenter

Windows Server TechCenter > Windows Server Forums > Security > Can I undo the change that allowed me to Ignore Offline CRL Errors on our CA?

Can I undo the change that allowed me to Ignore Offline CRL Errors on our CA?

Thursday, November 05, 2009 10:37 PMBrad Hearn

0
Sign In to Vote
We recently had an issuing CA that did not have it's CRL renewed from the offline Root CA. So of course the CA services could not be started.

I disabled the offline CRL check using the following command "certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE"

So now that we have learned our lesson and are makking sure that we have a proper maintenace plan in place. One of my questions is if it is ok to leave this setting as is. And if not, how do I reverse the change?

Brad
- Reply
- Quote

Answers

Thursday, November 05, 2009 11:04 PMBrian Komar [MVP]MVP

0
Sign In to Vote
You're going to kick yourself <G>
certutil –setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
net stop certsvc && net start certsvc

and then, throw away all knowledge of this "poor PKI person" command <G>
Brian
- Marked As Answer byBrad Hearn Friday, November 06, 2009 2:22 PM
- Reply
- Quote

All Replies

Thursday, November 05, 2009 11:04 PMBrian Komar [MVP]MVP

0
Sign In to Vote
You're going to kick yourself <G>
certutil –setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
net stop certsvc && net start certsvc

and then, throw away all knowledge of this "poor PKI person" command <G>
Brian
- Marked As Answer byBrad Hearn Friday, November 06, 2009 2:22 PM
- Reply
- Quote
Friday, November 06, 2009 2:23 PMBrad Hearn

0
Sign In to Vote
Consider me kicked :) Thanks Brian.
- Reply
- Quote

Need Help with Forums? (FAQ)