Active Directory Certificate Services did not start

    Question

  • Hi,

    I have a 3-tier PKI architecture. ROOTCA and INTERMEDIATE CA are part of a workgroup and ISSUING CA is part of our domain (abc.com). It was working fine, but recently the AD Certificate Service on the Intermediate and Issuing CA stopped and I am unable to start the AD Certificate Service. When I checked the event log I found this error: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

    Then I ran pkiview.msc and found that the CRL has expired for the Root and Intermediate CAs (CDP Location #1 Expired). I tried to renew/publish the CRL using the GUI and the command line on the issuing CA, but it returns the following error (I think it's because the service is stopped):

    CertUtil: -CRL command FAILED: 0x800706ba (WIN32: 1722)
    CertUtil: The RPC server is unavailable.

    Then I tried to renew the CRL on the root CA, but it also returned the following error (that is because of the CDP location expiry, I think):

    CertUtil: -CRL command FAILED: 0x8007003a (WIN32: 58)
    CertUtil: The specified server cannot perform the requested operation.

    On the ROOT CA there is event 65, source CertificationAuthority (http://technet.microsoft.com/en-us/library/cc726371(WS.10).aspx).

    Then I fetched the URL and verified it using certutil on the Intermediate CA, which gave the following errors:

    Failed "CDP" Time: 0
        Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)

    Failed "AIA" Time: 0
        Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)

    Also, the URL status on the Intermediate CA is Failed when using the URL Retrieval Tool (certutil -url).

    Above is the whole case and the troubleshooting done so far; please help me out.

    Thanks,
    Saturday, March 6, 2010 8:58 PM

All replies

  • You need to start with the root CA.
    1) Create a new CRL
    2) Copy CRL to removable media
    3) Publish updated CRL to all locations defined on the Extensions tab of the root CA
    4) Add updated root CA CRL to the root store of the intermediate CA
    5) Start intermediate CA
    6) Create new CRL
    7) Publish updated CRL to all locations defined on the Extensions tab of the root CA
    8) Start Issuing CA

    Brian
    • Marked as answer by M Yasir Memon Monday, March 8, 2010 1:32 AM
    Sunday, March 7, 2010 4:45 AM
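The eight steps above as certutil/PowerShell commands, as an added example (not Brian's script and not Microsoft's own tooling beyond the certutil switches it calls). Each section runs on the host named in its comment. Assumed values, change to suit: root CA name "Corporate Root CA" and CDP container "PR-SRV-ROOTCA" (both taken from the event text later in this thread), intermediate CA name "Corporate Intermediate CA" (assumed), the default CRL folder %windir%\System32\CertSrv\CertEnroll, removable drive E:\, and an HTTP CDP share \\pki.abc.com\CertEnroll$ (assumed). The Get-CrlNextUpdate helper is hypothetical and assumes the English "NextUpdate:" line that certutil -dump prints.

```powershell
# Added example, not from the thread: Brian's steps 1-8 as commands.
# Assumptions are marked; adjust names, paths and the share to your PKI.

# Helper (hypothetical): read NextUpdate from a CRL file so you can confirm the
# freshly issued CRL is valid before carrying it anywhere. Assumes certutil -dump
# prints a line 'NextUpdate: <date>' (English-locale output).
function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    $line = certutil -dump $Path | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$'
    if (-not $line) { throw "NextUpdate not found in certutil -dump output for $Path" }
    [datetime]::Parse($line.Matches[0].Groups[1].Value)
}

# ---------- Steps 1-2: on the offline root CA (workgroup, no AD access) ----------
certutil -crl                                   # step 1: issue a new base CRL
if ($LASTEXITCODE -ne 0) { throw ('certutil -crl failed: 0x{0:x}' -f $LASTEXITCODE) }
$rootCrl = "$env:windir\System32\CertSrv\CertEnroll\Corporate Root CA.crl"
if ((Get-CrlNextUpdate $rootCrl) -lt (Get-Date)) { throw 'new root CRL is already expired; check CRLPeriod' }
Copy-Item $rootCrl -Destination 'E:\Corporate Root CA.crl'   # step 2: removable media

# ---------- Step 3: on a domain-joined machine with E:\ attached ----------
# 3a. LDAP CDP: publishes under CN=PR-SRV-ROOTCA,CN=CDP,CN=Public Key Services,...
#     -f overwrites the expired CRL object. Needs write rights on that container.
certutil -dspublish -f 'E:\Corporate Root CA.crl' PR-SRV-ROOTCA 'Corporate Root CA'
# 3b. HTTP CDP: the file name must match the URL in the CDP extension exactly.
Copy-Item 'E:\Corporate Root CA.crl' -Destination '\\pki.abc.com\CertEnroll$\Corporate Root CA.crl' -Force

# ---------- Steps 4-7: on the intermediate CA ----------
certutil -addstore -f Root 'E:\Corporate Root CA.crl'   # step 4: fresh root CRL in the local store
Start-Service certsvc                                    # step 5: service can now verify its own cert
certutil -crl                                            # step 6: new intermediate CRL
if ($LASTEXITCODE -ne 0) { throw ('intermediate certutil -crl failed: 0x{0:x}' -f $LASTEXITCODE) }
$subCrl = "$env:windir\System32\CertSrv\CertEnroll\Corporate Intermediate CA.crl"
Copy-Item $subCrl -Destination 'E:\Corporate Intermediate CA.crl'
# step 7: repeat 3a/3b from a domain-joined machine with this CRL and the
# intermediate CA's own CDP container name.

# ---------- Step 8: on the issuing CA ----------
Start-Service certsvc
# Confirm the chain now validates with live CDP/AIA fetches (the check the
# original post ran); any 'Failed "CDP"' line means a location is still stale.
certutil -ca.cert "$env:TEMP\issuing.cer"
certutil -verify -urlfetch "$env:TEMP\issuing.cer"
```

The order matters: an intermediate CA will not start until it can validate its own certificate against a current root CRL, which is why step 4 happens before step 5 and not after.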
  • Hi Brian

    Thanks for your reply,

    I tried to create a new CRL with the certutil command but no luck; the following is the result:

    C:\Users\Administrator>certutil -crl
    CertUtil: -CRL command FAILED: 0x8007003a (WIN32: 58)
    CertUtil: The specified server cannot perform the requested operation.

    Then when I checked the events, I found the following event:

    Event ID: 65 and Event Source: CertificationAuthority

    Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: ldap:///CN= Corporate Root CA,CN=PR-SRV-ROOTCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=root,DC=net.  The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58).

    The Root CA is not part of the internal domain, so I have added the credentials of a root.net domain admin using cmdkey.

    As the event is saying, the Base CRL for Key 0 could not be published; it is already expired, and I think that's why it cannot be published. Kindly tell me if I am missing anything. Also, how can I check permissions on the LDAP location?

    Waiting for your expert advice.
    Thanks
    Sunday, March 7, 2010 7:38 PM
  • You've got your root CA misconfigured. Since it isn't an Enterprise CA it shouldn't be trying to publish the CRL to Active Directory when you issue a new one. You need to fix the settings on the Extensions tab in the properties of your root CA. For standalone CAs, you should only be publishing to the file system.

    You need to fix these errors, then issue a new CRL, take the CRL to a domain joined computer and then publish them to AD.


    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, March 8, 2010 1:16 AM
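An added example of the fix Paul describes (this is not Paul's own script): inspect the root CA's CRLPublicationURLs list, flag any LDAP entry carrying the "publish" bit (which is what makes certutil -crl fail with WIN32 58 on a workgroup CA), and replace the list with file-system publishing plus HTTP and LDAP entries that are only included in extensions, never written to by the CA. The LDAP entry keeps the "include in all CRLs" bit so a later certutil -dspublish from a domain-joined machine lands in the right container. Assumed: the CA runs on the local machine, HTTP CDP host pki.abc.com, and the certutil -getreg output format of Server 2008-era certutil. Get-CrlPublicationUrls and Test-StandaloneCdpConfig are hypothetical helper names.

```powershell
# Added example, not from the thread: audit and correct CRL publication URLs
# on a standalone (workgroup) root CA. Assumptions are marked in comments.

# Flag bits of a CRLPublicationURLs entry ("<flags>:<url>"), as documented
# for the Extensions tab checkboxes:
$CSURL_SERVERPUBLISH    = 1   # "Publish CRLs to this location" (CA writes here)
$CSURL_ADDTOCERTCDP     = 2   # "Include in the CDP extension of issued certificates"
$CSURL_ADDTOFRESHESTCRL = 4   # "Include in CRLs. Clients use this to find Delta CRL locations"
$CSURL_ADDTOCRLCDP      = 8   # "Include in all CRLs" (where certutil -dspublish puts it in AD)

function Get-CrlPublicationUrls {
    # Parses 'certutil -getreg CA\CRLPublicationURLs'. Assumes each entry is
    # printed as '<index>: <flags>:<url>' (Server 2008 / 2008 R2 format).
    certutil -getreg CA\CRLPublicationURLs | ForEach-Object {
        if ($_ -match '^\s*\d+:\s*(\d+):(\S.*)$') {
            [pscustomobject]@{ Flags = [int]$Matches[1]; Url = $Matches[2].Trim() }
        }
    }
}

function Test-StandaloneCdpConfig {
    # Returns the entries that make 'certutil -crl' fail on a workgroup CA:
    # LDAP URLs with the publish bit set (the default entry is '79:ldap:///...',
    # i.e. 1+2+4+8+64, so it includes bit 1).
    Get-CrlPublicationUrls | Where-Object {
        $_.Url -like 'ldap:*' -and ($_.Flags -band $CSURL_SERVERPUBLISH)
    }
}

$bad = Test-StandaloneCdpConfig
if ($bad) {
    Write-Warning "LDAP entries with the publish bit on a standalone CA:`n$($bad | Out-String)"

    # Corrected list. %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix;
    # %7, %2, %6, %10 are the AD naming variables the CA expands in LDAP paths.
    # certutil -setreg takes a literal '\n' as the REG_MULTI_SZ separator.
    $ldapInclude = $CSURL_ADDTOCERTCDP + $CSURL_ADDTOCRLCDP   # 10: include, never publish
    $urls = @(
        "${CSURL_SERVERPUBLISH}:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl",
        "${CSURL_ADDTOCERTCDP}:http://pki.abc.com/CertEnroll/%3%8%9.crl",
        "${ldapInclude}:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
    ) -join '\n'
    certutil -setreg CA\CRLPublicationURLs $urls
    Restart-Service certsvc            # registry changes are read at service start
    certutil -crl                      # now only the file-system target is written
    certutil -getreg CA\CRLPublicationURLs   # confirm the new list
}
```

Existing certificates keep whatever CDP URLs they were issued with, so changing the "include in certificates" bits affects only future issuance; the publish bit takes effect on the next certutil -crl.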
  • Dear, I have successfully resolved the issue by manually copying the CRL from server to server and installing it. Now I can issue certificates and all services are up :)

    Thanks for your support and cooperation.

    Regards
    M.Yasir Memon
    • Marked as answer by M Yasir Memon Monday, March 8, 2010 1:33 AM
    Monday, March 8, 2010 1:33 AM
  • Dear Paul, thanks for your advice :)

    Actually this PKI Infrastructure was already in-place, but your point is well noted and will be implemented soon :) Thanks for your support.
    Monday, March 8, 2010 1:34 PM