This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 71%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
If this is not the correct place to post this, a link to the correct place would be much appreciated.
Setup: We have our own PKI infastructure with a stand-alone Server 2019 CA and a domain joined Server 2019 Sub-CA joined to the domain as a member server. It’s not a DC or BDC. The problem is with the Sub-CA.
History: A few months back we had to reload the DC from scratch. To prep for this, I did a backup of the Sub-CA per the guidance at https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server Then I uninstalled the CA services and disjoined this server 2019 computer from the domain.
After wiping and reloading the DC from scratch using the same domain name and all that stuff, I joined the Sub-CA server 2019 member server to the new domain, installed CA services and restored from the backup. All works fine as I’ve had no issues requesting and issuing certs. However, the end of last month the machine certificate for the Serve 2019 Sub-CA computer expired and did not auto-renew.
In my troubleshooting I’ve made forward progress in solving/fixing this. But now I’m at a point where I’m lost and don’t know where to go next. Here’s what I’m doing on the CA member server.
- Run certlm.msc
- Right-Click on Personal, select All Tasks – Request New Certificate. The Certificate Enrollment wizard opens.
- Click Next, and on the Select Certificate Enrollment Policy screen I’m presented with two options:
o Configured by your administrator
Active Directory Enrollment Policy
o Configured by You
<The CA computer name)
- I select Active Directory Enrollment Policy, then click Next.
- On the Request Certificates screen I’m presented 2 options
o OCSP response signing
o Computer
- Both certificates are expired. So I select the checkbox for both, then click the Enroll botton.
- At this point I get a messagebox popup that reads, “An error occurred while enrolling for a certificate. The certificate request could not be submitted to the certification authority. URL: <computername.domain>.local<friendlyname>
Error: The RPC Server is unavailable. 0x800706ba (WIN32: 1722 RCP_S_SERVER_UNAVAILABLE)
I don’t know where to go from here, and really could use some help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi Carl Burch
it seems a network issue. Check if the RPC ports required for certificate enrollment are already opened. ( TCP 135 and dynamic s)port
Certificate Services (Port Requirements)
Please don't forget to mark helpful answer as accepted
Well, it figures. Been working on this particular issue all day. Then, 10 minutes after reading your response, I fix it. Seems the root problem for this specific issue was an inability to contact the revocation server, as I learned the "revocation server is not running". Probable would have never found that without poking around checking things you suggested.
Therefore, I disabled revocation checking and was able to successfully get a new machine cert for the Sub-CA computer, as well as a new OCSP signing cert. However, now I've got a new problem, and not really sure if it is a problem at all. Note that I have not yet re-enabled revocation checking on the Sub-CA computer.
On the Sub-CA server I run PKI view. and it expands as follows:
Enterprise PKI
When I select Certificate Authority, it shows CDP Location #1 as expired on March 6.
When I select Enterprise CA is shows CDP Location #1 as OK with an expiration date of March 15.
Not understanding what's going on here, or how to fix it. Do I even need to fix anything? Maybe I just need to "wait it out" for a hour or more?
Appreciate the help, immensely.
Well, got the machine cert and the OSCP cert renewed. But now, when I re-enable revocation check, the certsvc service stops, and will not restart.
To originally disable revocation check I ran certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
To re-enable it I ran certutil –setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
Basically, just changed the plus sign to a minus sign. After executing the command, certsvc stops, and when I restart it, it won't stay running. If I disable revocation check again, then it stays running.
....aaaaaaand once again! I've managed to solve it, but not on my own. Another IT friend of mine suggested I check not just the expiration date of the CRL in question, but the effective date also. Doing so revealed what I should have seen and realized from the get-go. This particular CRL was good for a year, having expired just a few days ago. The only CRL with that long a period would have been issued by the offline Root CA. So............
Solution: When setting up my PKI environment, the CDP was manually published to the Subordinate CA for security reasons (the Root CA should be turned off most of the time). That being said, manually generating a new CRL from the Root CA, coping it over to the Subordinate CA's directory that is publishing the CRL, and restarting the Active Directory Certificate Services service did the trick for me.
To manually generate the CRL from the Root CA
Importing the CRL on the subordinate CA
Hi @Carl Burch
Thank you for your feedback.
I will put your answer here to be able to close your thread:
.aaaaaaand once again! I've managed to solve it, but not on my own. Another IT friend of mine suggested I check not just the expiration date of the CRL in question, but the effective date also. Doing so revealed what I should have seen and realized from the get-go. This particular CRL was good for a year, having expired just a few days ago. The only CRL with that long a period would have been issued by the offline Root CA. So............
Solution: When setting up my PKI environment, the CDP was manually published to the Subordinate CA for security reasons (the Root CA should be turned off most of the time). That being said, manually generating a new CRL from the Root CA, coping it over to the Subordinate CA's directory that is publishing the CRL, and restarting the Active Directory Certificate Services service did the trick for me.
To manually generate the CRL from the Root CA
Importing the CRL on the subordinate CA