Issuing CA not issuing certs, Event ID 100 (failure) and Event IDs 48 and 53 (warnings) logged

Hi

We have an issuing CA (Windows 2003 R2, SP2), last week it stopped issuing certificates for a brief period but then resolved itself.

It has happened again today. We restarted the service on the issuing CA but it failed with the error below; we restarted the service on our root CA and then tried starting the service on the issuing CA again, and it started.

Event Type:      Error
Event Source:      CertSvc
Event Category:      None
Event ID:      100
Date:            22/04/2010
Time:            13:47:44
User:            N/A
Computer:      SVRAPP21
Description:
Certificate Services did not start: Could not load or verify the current CA certificate.  CASUB The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



I also noticed in the event log on the issuing CA the two event IDs below:

Event Type:      Warning
Event Source:      CertSvc
Event Category:      None
Event ID:      48
Date:            22/04/2010
Time:            13:47:44
User:            N/A
Computer:      SVRAPP21
Description:
Revocation status for a certificate in the chain for CA certificate 0 for CASUB could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      CertSvc
Event Category:      None
Event ID:      53
Date:            22/04/2010
Time:            11:17:53
User:            N/A
Computer:      SVRAPP21
Description:
Certificate Services denied request 201 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=4320030eacd09c6e, C=IL.  Additional information: Error Constructing or Publishing Certificate  The certificate validity period will be shorter than the CMCUser Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA.  Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Can anyone tell me what I need to look at, as I'm lost here.

Thanks





Asked by ncomper
Paranormastic (Cryptographic Engineer) commented:
from cmd:
certutil -crl

then look in %systemroot%\system32\certsrv\certenroll directory for a .crl file.  There may be 2 of them, if one has something+.crl that is a delta CRL - you want the one without the +.  If there is only one .crl file that's fine, copy that one out.

From there open up the CRL properties and look for the "Freshest CRL" section and select that.  In the bottom part of the window it will give you the locations where the CRL needs to be copied to.  Hopefully you know how to trace back where a URL is pointing to on the real server.  If there is an LDAP location, then do "certutil -dspublish filename.crl root" for the root CA and 'certutil -dspublish filename.crl SubCA' for the subordinate CA - this will publish it to AD to the default LDAP location (not many people change the LDAP location from default).
Paranormastic (Cryptographic Engineer) commented:
Sounds like the CRL is not getting published properly.  Do you have multiple CA servers?  Usually if this happens on a subordinate CA it means that the root CRL did not get published.

To avoid this, as well as to give yourself time in case of issues, it is advisable to publish new CRLs early - two common methods are 1) 1/2 of the CRL validity time (e.g. every week for a 2 week CRL), and 2) a certain period of time before expiration (e.g. every 2 months for a 3 month CRL).  

If the root is offline, set up a calendar reminder.  For online servers you can create a scheduled task to run a .bat file for 'certutil -crl' and if you need to copy it to other locations just add an xcopy to the script to copy it to the CRL Distribution Point (CDP) locations.
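The two comments above describe one procedure: issue a fresh CRL with `certutil -crl`, pick the base CRL out of CertEnroll, copy it to the CDP locations (HTTP by hand, LDAP with `certutil -dspublish`), and schedule the whole thing so the CRL is renewed before it lapses. The script below is an added example, not code from the thread or from Microsoft; it strings those steps together and ends with `certutil -verify -urlfetch` on the CA's own certificate, which exercises the same revocation check that produced 0x80092013 in the events. It reads the CDP locations from the CA's `CRLPublicationURLs` registry value rather than from the CRL file. Run it on the root CA for the root CRL (the usual cause of Event 48 on a subordinate) and on the issuing CA for its own CRL. The UNC share `\\webserver\CertEnroll$`, the script path `C:\PKI\Publish-Crl.ps1`, the task name and the weekly schedule are assumptions; it also assumes PowerShell 3 or later, which Windows 2003 did not ship with, so on that platform run the equivalent certutil commands by hand.

```powershell
<#
  Added example, not code from the original thread. Issues a fresh base CRL on an
  online CA, lists the CDP locations the CA is configured with, copies the CRL to
  an HTTP CDP web root, publishes it to Active Directory, then checks that the
  CA's own certificate chains with revocation checking enabled.
  Assumptions (hypothetical; adjust for your environment):
    - run elevated on the CA host with certutil.exe in the path (PowerShell 3+)
    - the HTTP CDP is served from the UNC share in $WebCdpShare
    - certutil -dspublish infers the AD CDP container from the CRL's issuer
#>
param(
    [string]$WebCdpShare = '\\webserver\CertEnroll$',   # hypothetical CDP web root
    [int]$WarnDays = 2,                                 # warn when NextUpdate is this close
    [switch]$RegisterWeeklyTask                         # also create the schtasks entry
)
$ErrorActionPreference = 'Stop'
$CertEnrollDir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

function Invoke-CertUtil {
    # certutil sets a non-zero exit code on failure; turn that into an exception.
    param([Parameter(Mandatory)][string[]]$CertUtilArgs)
    $out = & certutil.exe @CertUtilArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($CertUtilArgs -join ' ') failed ($LASTEXITCODE):`n$($out -join "`n")"
    }
    return $out
}

function Get-ConfiguredCdpUrls {
    # Reads CRLPublicationURLs from the CA's registry configuration. Entries look
    # like "  1: 79:ldap:///CN=..."; the number before the URL is a flag set where
    # bit 1 means the CA writes the CRL there itself and bit 2 means the URL is
    # put in the CDP extension. HTTP entries usually lack bit 1, hence the copy.
    foreach ($line in (Invoke-CertUtil -CertUtilArgs '-getreg', 'CA\CRLPublicationURLs')) {
        if ($line -match '^\s*\d+:\s*(\d+):(.+?)\s*$') {
            [pscustomobject]@{
                Flags         = [int]$Matches[1]
                Url           = $Matches[2]
                AutoPublished = ([int]$Matches[1] -band 1) -ne 0
            }
        }
    }
}

function Get-CrlNextUpdate {
    # Parses the NextUpdate line of "certutil -dump"; certutil prints the date in
    # the host's locale, so parse it with the current culture.
    param([string]$CrlPath)
    foreach ($line in (Invoke-CertUtil -CertUtilArgs '-dump', $CrlPath)) {
        if ($line -match '^\s*NextUpdate:\s*(.+?)\s*$') {
            return [datetime]::Parse($Matches[1], [cultureinfo]::CurrentCulture)
        }
    }
    throw "NextUpdate not found in $CrlPath"
}

# 1. Issue a new base CRL (and a delta CRL, if configured) into CertEnroll.
Invoke-CertUtil -CertUtilArgs '-crl' | Out-Null

# 2. Select the base CRL; delta CRLs are named <CA>+.crl.
$baseCrl = Get-ChildItem -Path $CertEnrollDir -Filter '*.crl' |
    Where-Object { $_.Name -notmatch '\+\.crl$' } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $baseCrl) { throw "no base CRL in $CertEnrollDir" }

# 3. Freshness check: a lapsed CRL is what makes clients (and a subordinate CA
#    at start-up) report 0x80092013, CRYPT_E_REVOCATION_OFFLINE.
$nextUpdate = Get-CrlNextUpdate $baseCrl.FullName
if ($nextUpdate -lt (Get-Date).AddDays($WarnDays)) {
    Write-Warning "$($baseCrl.Name) NextUpdate is $nextUpdate; shorten the publication interval"
}

# 4. List every CDP the CA will not write itself, copy to the web root, and
#    publish to AD when an LDAP CDP is configured.
$cdps = Get-ConfiguredCdpUrls
$cdps | Where-Object { -not $_.AutoPublished } |
    ForEach-Object { Write-Host "manual CDP target: $($_.Url)" }
Copy-Item -Path $baseCrl.FullName -Destination $WebCdpShare -Force
if ($cdps | Where-Object { $_.Url -like 'ldap:*' }) {
    Invoke-CertUtil -CertUtilArgs '-f', '-dspublish', $baseCrl.FullName | Out-Null
}

# 5. Re-check the CA certificate chain with URL fetching, the same path CertSvc
#    takes when it starts; 0x80092013 here means a CDP is still stale or unreachable.
$caCert = Join-Path $env:TEMP 'ca-cert.cer'
Invoke-CertUtil -CertUtilArgs '-ca.cert', $caCert | Out-Null
$verify = & certutil.exe -verify -urlfetch $caCert 2>&1
if ($verify -match '0x80092013|ERROR: Verifying') {
    Write-Error "revocation check still fails:`n$($verify -join "`n")"
} else {
    Write-Host 'CA certificate chain verified with revocation checking'
}

# 6. Optional: run weekly so the CRL is renewed well before NextUpdate
#    (e.g. weekly for a two-week CRL). Script path is a hypothetical location.
if ($RegisterWeeklyTask) {
    & schtasks.exe /Create /F /SC WEEKLY /D MON /ST 02:00 /RU SYSTEM /TN 'Publish-Crl' `
        /TR 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\PKI\Publish-Crl.ps1'
}
```

Run it once interactively and read the "manual CDP target" lines: every HTTP URL listed there has to receive the new CRL by some means the CA does not provide (here a copy to the web share), and an offline root has no scheduled task at all, so its CRL has to be carried to those same locations by hand before the old one's NextUpdate passes.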
ncomper (Author) commented:
Hi

Thanks for the reply. Yes we have a root and a Sub CA that issues the certificates

Do you have any links to articles on how to do it? I've kind of inherited this and know nothing about running your own CAs.

Thanks

ncomper (Author) commented:
Can't sort it.