Windows 2008 R2 CA - "The Revocation function was unable to check revocation.....".

When user try to enroll for a certificate they get the message "The revocation function was unable to check recovation becuase the revocation server was offline...."

Are CRL is online and is hosted on the Sub-CA itself via a web site. I reissued the CRL from the SUB - CA copied it to the correct folder, restart CA services and got the same thing...
LVL 21
compdigit44Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
check the certificate crl location by this I mean actually examine the certificate in question
btanExec ConsultantCommented:
Supposedly CRL for one or more of the intermediate certification authority (CA) certificates was not be found esp when the root CA was offline. This issue may occur if the CRL is not available to the certificate server, or if the CRL has expired.

Some suggested issue was that it was unable to access the Delta CRL file through IIS 7. E.g due to '+' sign in the file name MYSERVER-CA+.crl. By default IIS 7 sets the property allowDoubleEscaping to False, and this must be enabled so that IIS can serve up this file.

So going into IIS7, the Default Website, and navigate into the CertEnroll virtual directory to enable the property to the configuration editor. Below is a link to set this through a command line:

http://blogs.technet.com/b/lrobins/archive/2008/12/29/publishing-delta-crls-on-iis-7.aspx

May be a possibility though if you have no issue using browser to access the crl path via HTTP.
compdigit44Author Commented:
The strange part about this issue is that I can type the exact URL into my browser and download the CRL without issue. Also I made sure my CRL virtual directory allows double spacing escape..
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

compdigit44Author Commented:
when I check my CDP on my Sub-CA, I see both  LDAP and http locations... If http is not working then why isn't LDAP kicking in..

Anyway, on my sub-ca, I see the CDP as http://server.domain/folder/certenroll....

I setup a new site as to not touch the default web using the same structure wilth and without the certeroll sub-directory and it did not work. Yet I can type the location into the browser without issue.

The odd part it that when i look at previously issue certs the CRL path is listed minus the /certenroll at the end...

Any suggestion since I have a large network an new certs are not getting issue for user which is a proble,
btanExec ConsultantCommented:
For win2K8, the CRT/CRL file retrieval only LDAP and HTTP protocols are supported. I am suspecting the location of the CDP as I see the "folder" subfolder under the server path. Certutil can be used to change the location, see if you check out this post
Bear in mind that if you change these settings.. they won't apply to any certificates that have already been issued by that CA, particularly with respect to HTTP/LDAP URLs... for the %%windir%% settings this is purely for the local CA to publish the CRL/CRT files for the AIA/CDP..

...that's because the CA you've configured gets its AIA/CDP settings during the configuration of the CA (via the Certificate Services snapin) and this information is embedded in the issued certificate to the CA. You can set your AIA/CDP settings via the CAPOLICY.INF and copy this file to the \WINDOWS folder before configuration of Certificate Services on the subordinate.. this will ensure that the SubCA certificate that is issued has the correct AIA/CDP settings during the CA configuration. Your Root CA is now flagging an error because the AIA/CDP for the issued subordinate certificate are set to your "old" incorrect settings.

it can be a very confusing process. If you can I'd reinstall this CA (it sounds like you're not too far down the line in your configuration) and set the AIA/CDP correctly so they point to the correct distribution points during the subordinate setup.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/bdfdce41-b910-413d-aa6a-5e39a1d49823/how-to-change-aia-and-cdp-location-parametrs?forum=winserversecurity
btanExec ConsultantCommented:
Here is a post for the manual publishing of AIA/CDP
4. Issue the Sub CA a certificate from the Root CA server.

-Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
-Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
-From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID –> double click on the request –> Click the details TAB –> Copy to file –<subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
-As an option only, on the SubCA, run the command bellow from command line to avoid offline CRL errors: Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
-On the Sub CA, from command prompt, run – gpupdate/force
-Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
-Right click on the subordinate CA server name -> All Tasks -> Start Service.
https://marckean.wordpress.com/2010/07/28/build-an-offline-root-ca-with-a-subordinate-ca/
David Johnson, CD, MVPOwnerCommented:
just creating an IIS virtual folder won't cut it. you have to add that item from the Certificate Authority installation just the subpart.  A majority of SysAdmins do screw up a PKI (Certificate Authority).  It is not a next/next/next/ok process.
It requires pre-planning
Good video: How Not to Screw up Your PKI Deployment

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
compdigit44Author Commented:
I totally understand but this was working an a server as decommission that used to host the CRL and now we are try to reverse the process and recreated the old CRL path based on already issued Certs
compdigit44Author Commented:
I also used the certutil took with the URL CRL tool an my CDP check show a status of ok
compdigit44Author Commented:
I wanted to thank everyone for their help... I am happy to report with the help of the post links and other research I had a more current root CA CRL that was not on my sub-ca. Once copied to the server and published everything worked perfectly.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.