PKI Monitoring events


  • Hi Everyone,

    Recently I faced an issue: my PKI subordinate CA certificate service went into a stopped state.

    I started facing impact once the CRL expired. The below events were also triggered.

    I want to recreate the issue and get the below events again.

    Kindly advise what steps need to be taken.

    Also advise how to achieve the below:

    I want to delete the Current CRL from HTTP and LDAP locations, clear the CRL cache. Want to reissue the CRL again (full and delta).

    Certificate services did not come up and I also received the below events.

    Kindly advise what I can do.


    Event ID 22 — 

    Log Name: Application

    Source: Microsoft-Windows-CertificationAuthority

    Description:  Active directory services could not process request xxxxx due to an error: The revocation function was unable to check revocation because the revocation server was offline: 0X80092013 (-2146885613). The request was for

    Event ID 17 -  

    Log Name: Application

    Source: Microsoft-Windows-Onlineresponder-RevocationProvider

    Description: for configuration issuingCA-OCSP(New) Online responder revocation either has no CRL confirmation or has stale information



    Thursday, 12 July 2018 16:55

All replies

  • Hi Afsar,

    There are some combinations that would provoke these two errors, but an easy one to reproduce them (in your test environment of course) is the following: Just make sure you do not update your Root CA CRL and wait for things to come.

    Once the Root CA CRL has expired, the Issuing CA will go into a stopped state and respond to any certificate requests (or attempts to restart the CA) with the Event ID 22.

    After a normally short while, the Issuing CA CRL (which can no longer be updated) will also expire. That is the moment where the OCSP server will start giving you the Event ID 17.

    Kind Regards,

    Friday, 13 July 2018 06:57
  • Thanks for the reply :)

    I will definitely try by waiting for the CRL to expire.

    However what if I try the below one, will it help me to reproduce the error?

    I want to delete the Current CRL from HTTP and LDAP locations, clear the CRL cache. Want to reissue the CRL again (full and delta). Also please let me know how to achieve the same, as I have some doubt.

    The reason I am asking this is because I do not have much time to wait for the CRL to expire.



    • Edited by Afsar Shariff Friday, 13 July 2018 16:02
    Friday, 13 July 2018 15:53
  • Hi Shariff,

    If you delete the CRL altogether, you will get the same error.

    Kind Regards,

    Friday, 03 August 2018 11:09
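
For monitoring the failure chain described in the replies above (Event ID 22 on the Issuing CA, followed later by Event ID 17 on the OCSP server), the following classifier flags both events from Application-log records. It is an added example, not part of any post in this thread: the function name `Get-CrlHealthFinding` and the sample records are constructed for illustration, and event sources are matched by wildcard because the exact source strings are only known here as typed in the question.

```powershell
# Added example: classify the two CRL-related events discussed in this thread.
# Get-CrlHealthFinding is a hypothetical helper name, not an AD CS cmdlet.
function Get-CrlHealthFinding {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        $finding = $null
        # Event 22 with 0x80092013: the CA could not check revocation (server offline).
        # Per the reply above, this appears once the Root CA CRL has expired.
        if ($e.Id -eq 22 -and $e.ProviderName -like '*CertificationAuthority*' -and
            $e.Message -match '0x80092013') {
            $finding = 'Issuing CA: revocation check failed (parent CRL expired or missing)'
        }
        # Event 17: the Online Responder has no CRL or only stale CRL information.
        # Per the reply above, this follows once the Issuing CA CRL has also expired.
        elseif ($e.Id -eq 17 -and $e.ProviderName -like '*Revocation*') {
            $finding = 'OCSP: revocation configuration has no CRL or a stale CRL'
        }
        if ($finding) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Provider    = $e.ProviderName
                Finding     = $finding
            }
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2018-07-12T09:00:00'; Id = 22
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Message = 'could not process request due to an error: 0X80092013 (-2146885613)' },
    [pscustomobject]@{ TimeCreated = [datetime]'2018-07-12T15:00:00'; Id = 17
        ProviderName = 'Microsoft-Windows-Onlineresponder-RevocationProvider'
        Message = 'has no CRL confirmation or has stale information' },
    [pscustomobject]@{ TimeCreated = [datetime]'2018-07-12T15:05:00'; Id = 22
        ProviderName = 'SomeOtherSource'; Message = 'unrelated event' }
)

# Expect two findings; the third record is ignored (different source).
Get-CrlHealthFinding -Events $sample | Sort-Object TimeCreated | Format-Table -AutoSize

# On a CA or Online Responder host, feed live records instead of $sample:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 22, 17;
#             StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
# if ($live) { Get-CrlHealthFinding -Events $live }
```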