ncomper
asked on
Issuing CA not issuing Certs, Event ID 100 (failure) and event ID's 48 and 53 (warnings logged)
Hi
We have an issuing CA (Windows 2003 R2, SP2), last week it stopped issuing certificates for a brief period but then resolved itself.
It has happened again today, we restarted the service on the Issuing CA but it failed with error below, we restarted the service on our ROOT CA and then tried starting the service on the issuing CA again and it started.
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 100
Date: 22/04/2010
Time: 13:47:44
User: N/A
Computer: SVRAPP21
Description:
Certificate Services did not start: Could not load or verify the current CA certificate. CASUB The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I also noticed in the event log on the issuing CA the 2 event ID's below
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 48
Date: 22/04/2010
Time: 13:47:44
User: N/A
Computer: SVRAPP21
Description:
Revocation status for a certificate in the chain for CA certificate 0 for CASUB could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: 22/04/2010
Time: 11:17:53
User: N/A
Computer: SVRAPP21
Description:
Certificate Services denied request 201 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=4320030eacd09c6e, C=IL. Additional information: Error Constructing or Publishing Certificate The certificate validity period will be shorter than the CMCUser Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Can anyone tell me what I need to look at as I'm lost here.
Thanks
ASKER
Hi
Thanks for the reply. Yes we have a root and a Sub CA that issues the certificates
Do you have any links to articles on how to do it, I have kind of inherited this and know nothing about running your own CA's.
Thanks
ASKER
can't sort it
To avoid this, as well as to give yourself time in case of issues, it is advisable to publish new CRLs early - two common methods are 1) 1/2 of the CRL validity time (e.g. every week for a 2 week CRL), and 2) a certain period of time before expiration (e.g. every 2 months for a 3 month CRL).
If the root is offline, set up a calendar reminder. For online servers you can create a scheduled task to run a .bat file for 'certutil -crl' and if you need to copy it to other locations just add an xcopy to the script to copy it to the CRL Distribution Point (CDP) locations.
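A sketch of the .bat file described above for an online CA, added here as an example and not part of the original post. The CDP share name and log path are placeholders, and it assumes the CA writes its CRLs to the default CertEnroll folder and that the task account can manage the CA and write to the share.

```batch
@echo off
rem Added example: publish a new CRL and copy it to a CDP location.
rem CDP_DEST and LOGFILE are placeholder values; change them for your site.
rem CRL_SRC is the default CertEnroll folder of a Windows CA (assumption).
setlocal

set "CRL_SRC=%SystemRoot%\System32\CertSrv\CertEnroll"
set "CDP_DEST=\\webserver.example\CertEnroll"
set "LOGFILE=%SystemRoot%\Temp\publish-crl.log"

echo [%DATE% %TIME%] Publishing new CRL >> "%LOGFILE%"
certutil -crl >> "%LOGFILE%" 2>&1

rem certutil exits with an HRESULT, which can be a negative number, so
rem compare against 0 instead of using "if errorlevel 1" (true only for >= 1).
if %ERRORLEVEL% NEQ 0 (
    echo [%DATE% %TIME%] certutil -crl failed, CRL not copied >> "%LOGFILE%"
    exit /b 1
)

rem /Y overwrites without prompting; /D copies only files that are newer
rem than the copy already at the destination.
xcopy "%CRL_SRC%\*.crl" "%CDP_DEST%\" /Y /D >> "%LOGFILE%" 2>&1
if %ERRORLEVEL% NEQ 0 (
    echo [%DATE% %TIME%] Copy to %CDP_DEST% failed >> "%LOGFILE%"
    exit /b 2
)

echo [%DATE% %TIME%] CRL published and copied >> "%LOGFILE%"
exit /b 0
```

Schedule it at the interval chosen above (for example weekly for a 2 week CRL) and alert on a non-zero exit code, so a failed publish is noticed before the current CRL expires.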