CaussyR
asked on
PKI Error Message
I have created a Root CA and a subordinate. When I import the certificate from root CA to the subordinate I get the followin
error message :
Cannot verify certificate chain. Do you wish to ignore the error and continue ? The revocation function was unable to check revocation because revocation server was offline.
After click on OK and try to start the CA service the following error appear :
The revocation function was unable to check revocation because the revocation server was offlilne.
Has anyone a resolution for the issue ?
error message :
Cannot verify certificate chain. Do you wish to ignore the error and continue ? The revocation function was unable to check revocation because revocation server was offline.
After click on OK and try to start the CA service the following error appear :
The revocation function was unable to check revocation because the revocation server was offlilne.
Has anyone a resolution for the issue ?
Tear down and rebuild time. When you setup the root CA you didn't specify the location that is available for the certificate revocation and probably the AIA records as well. You need to point these to a webserver that already exists on your network.
ASKER
Hi David, appreciate your help.
I do have the followingin the post script :
::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertS rv\CertEnr oll\%%1_%% 3%%4.crt\n 2:ldap:/// CN=%%7,CN= AIA,CN=Pub lic Key Services,CN=Services,%%6%% 11\n2:http://CertCentral.stbc3.jstest3.net/CertData/%%1_%%3%%4.crt"
Therefore, do I need this entry to be run ? Can I add the AIA extenstion later ? Also, does the URL http://CertCentral.stbc3.jstest3.net have to just be available in DNS or does the installation require access to an online site ? If the installation requires access to an online site, do I need to install the Web Authority option first ?
I do have the followingin the post script :
::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertS
Therefore, do I need this entry to be run ? Can I add the AIA extenstion later ? Also, does the URL http://CertCentral.stbc3.jstest3.net have to just be available in DNS or does the installation require access to an online site ? If the installation requires access to an online site, do I need to install the Web Authority option first ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks David for all your assistance and links.