Hi, I created a certification hierarchy with an offline root certification authority in a lab environment. I followed the instructions in a TechNet article,
http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx. I'm running into an issue when I start the Certificate Services on my enterprise subordinate CA. I receive the following message:
"The revocation function was unable to check revocation because the revocation server was offline, 0x80092013 (-2146885613)."
Looks like I didn't modify the URL of the certificate revocation list (CRL) and the authority information access (AIA) distribution points correctly. Here's what I did: I added a new CDP location, file://\\FQDN\sharename\<CAName><CRLNameSuffix>.crl, and selected the Include in the CDP extension of issued certificates checkbox. Then I added a new AIA location, file://\\FQDN\sharename\<ServerDNSName>_<CaName><CertificateName>.crt, and selected the Include in the AIA extension of issued certificates checkbox.
After changing the CDP and AIA distribution points, I published a new CRL. When I open the Properties of Revoked Certificates to view the CRL, it shows the ldap location on the root CA and not the new location.
Am I not allowed to use a UNC path as a new CDP and AIA distribution point? If yes, what would be the proper format of a ldap entry to point them to a new location? Would I just copy the existing URL and change the distinguished name?
Whilst I know you can set this in the UI, the formatting is somewhat cumbersome and is actually a mare to get your head around; it is typically done in a script. Have a peek at this: http://technet.microsoft.com/es-es/library/cc779083(WS.10).aspx
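The CDP/AIA change from the question in script form, as an added example that is not from either poster or from Microsoft's article: certutil on the subordinate CA, with \\FQDN\sharename taken from the question as a placeholder share and the path to the subordinate CA's own certificate assumed.

```powershell
# Added example, not from the thread: set CDP and AIA locations with certutil
# on the enterprise subordinate CA. Run from an elevated PowerShell prompt.
$share     = '\\FQDN\sharename'     # placeholder: UNC share from the question
$subCaCert = 'C:\pki\subca.cer'     # placeholder: sub CA cert issued by the root

# certutil expands these tokens when it publishes or issues:
#   %1 = <ServerDNSName>  %3 = <CAName>  %4 = <CertificateName>
#   %8 = <CRLNameSuffix>  %9 = <DeltaCRLAllowed>
# Each entry is "<flags>:<URL>"; flags add up. The GUI checkboxes map to:
#   CDP: 1 = Publish CRLs to this location, 2 = Include in the CDP extension
#        of issued certificates, 64 = Publish Delta CRLs to this location
#   AIA: 1 = Publish the CA certificate here, 2 = Include in the AIA
#        extension of issued certificates
# Ticking only "Include in the CDP extension" (flag 2) puts the URL in new
# certificates but never writes a CRL to the share; flag 1 does the writing.
$crlUrls = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'  # keep the local copy
    "67:file://$share\%3%8%9.crl"    # publish base + delta here, include in certs
)
$aiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    "3:file://$share\%1_%3%4.crt"    # publish CA cert here, include in certs
)

# The registry values are REG_MULTI_SZ; certutil takes the entries joined
# by a literal "\n" (PowerShell single quotes keep the backslash literal).
certutil -setreg CA\CRLPublicationURLs    ($crlUrls -join '\n')
certutil -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n')

# New values are read at service start; then issue a fresh CRL and check.
Restart-Service certsvc
certutil -crl
certutil -getreg CA\CRLPublicationURLs   # what new certificates will carry
Get-ChildItem "$share\*.crl"             # the CRL should now be on the share

# 0x80092013 at service start comes from the sub CA checking its *own*
# certificate against the CDP the root wrote into it, not from the URLs set
# above. This shows which URL in that certificate cannot be fetched:
certutil -verify -urlfetch $subCaCert
```

If the last command reports the root's LDAP or file location as unreachable, the fix is on the root CA's publication settings (and the share it writes to), after which the subordinate CA certificate needs to be reissued.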