Problem enrolling User Certificate with Key Archival enabled

    Question

  • Hi all

    I have successfully implemented an offline root CA with an online CA which will issue certificates to users.
    The normal "User" template works ok. Also all Domain Controllers are receiving certificates and I have implemented Key Archival as per: https://technet.microsoft.com/en-us/library/cc753011(v=ws.11).aspx

    When I now duplicate the "User" template and enable "Archive subject's encryption private key" the enrollment on the client fails with:


    An error occurred while enrolling for a certificate. A certificate request could not be created.
    URL: onlineca.fqdn\OnlineCertname
    Error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOKATION_OFFLINE)


    I am not sure why this is just happening for the duplicated template and not for the original one? Online CA is up and running and the revocation list of both (online and offline) is published.

    Thanks,
    Michael


    Friday, January 13, 2017 2:12 PM

All replies

  • Hi,

    1. After generating a new CRL from the root CA and copying it to the subordinate CA (%systemroot%\system32\certsrv\certenroll)

    2. You need to publish the new CRL to Active Directory, use this command:

     certutil -v -f -dsPublish "FileName.crl"


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 16, 2017 7:16 AM
    Moderator
  • As Cartman wrote in his post the CRL was expired. It appears that the default value of the offline CRL is a bit short (per default 1 week). I have increased it now and everything seems to be ok now. Still a bit confused about the error message and why the online CA could issue certificates for the normal "User" template but not the duplicated one.
    Monday, January 16, 2017 2:37 PM
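    The two replies above describe one procedure: find out whether the root CA's CRL has expired, republish a fresh one, and lengthen its validity so the weekly default stops biting. The following PowerShell is an added example and is not code from this thread or from Microsoft; it parses the output of certutil -dump (the ThisUpdate/NextUpdate fields) for every CRL in the subordinate CA's CertEnroll folder and flags expired ones, then lists the republish and period commands as comments. The CertEnroll path, the file name RootCA.crl and the 26-week period are example assumptions. The reason only the key-archival template fails is that archival adds chain validation that the plain "User" template never triggers: the client must validate the CA exchange certificate it uses to encrypt the private key, and the CA must validate the KRA certificates, and both checks walk revocation up to the root.

```powershell
# Added example (not from the thread). Checks every CRL in the CA's CertEnroll
# folder for expiry by parsing 'certutil -dump' output, then documents the
# republish / period-extension commands from the replies as comments.
# Assumptions: CertEnroll path below, file name RootCA.crl, 26-week period.

$CertEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

function Get-CrlValidity {
    param([Parameter(Mandatory)][string]$Path)

    # certutil -dump prints ' ThisUpdate: <date>' and ' NextUpdate: <date>' for a CRL;
    # dates are in the local culture, so [datetime]::Parse uses the current culture.
    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    $thisUpdate = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
    $nextUpdate = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
    if (-not $nextUpdate) { throw "No NextUpdate found in $Path (not a CRL?)" }

    $next = [datetime]::Parse($nextUpdate)
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        ThisUpdate = [datetime]::Parse($thisUpdate)
        NextUpdate = $next
        Expired    = ($next -lt (Get-Date))
        DaysLeft   = [math]::Round(($next - (Get-Date)).TotalDays, 1)
    }
}

# 1. Flag expired CRLs. The root CA's CRL copied into this folder is the one that
#    breaks chain building for the CA exchange and KRA certificates when it lapses.
Get-ChildItem -Path $CertEnroll -Filter '*.crl' |
    ForEach-Object { Get-CrlValidity -Path $_.FullName } |
    Format-Table -AutoSize

# 2. Republish a fresh root CRL (run on the subordinate CA after copying it in):
#    certutil -v -f -dsPublish "RootCA.crl"
#
# 3. Lengthen the root CA's CRL validity so the default one week no longer applies
#    (run on the offline root; 26 weeks is an example value, not one from the thread):
#    certutil -setreg CA\CRLPeriodUnits 26
#    certutil -setreg CA\CRLPeriod "Weeks"
#    net stop certsvc && net start certsvc
#    certutil -CRL
#
# 4. Confirm the chain the enroller sees, fetching each CDP/AIA URL in the chain:
#    certutil -verify -urlfetch issued-user.cer
```

    The -urlfetch check in step 4 is the quickest way to reproduce the 0x80092013 error outside the enrollment wizard: it reports, per certificate in the chain, whether the CRL named in its CDP extension was retrievable and still within its validity window, which is exactly what the client needs for the CA exchange certificate during key archival.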
  • Hi,

    >> Still a bit confused about the error message and why the online CA could issue certificates for the normal "User" template but not the duplicated one.

    You could check this link for your reference:

    Resolving Issues Starting a CA due to an Offline CRL

    http://stealthpuppy.com/resolving-issues-starting-ca-offline-crl/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, January 20, 2017 3:17 AM
    Moderator
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 25, 2017 3:01 AM
    Moderator