ADCS errors after migrating the service to new servers

Anonymous
2023-10-06T18:06:33+00:00

I have a 2-tier PKI Certificate Authority ADCS infrastructure in 2 domains that I am migrating from Windows 2012R2 servers to Windows 2022 Servers. I am following the article (https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-active-directory-certificate-service-from/ba-p/2328766?WT.mc_id=modinfra-27462-abartolo). After migrating the offline Root CA and Enterprise Issuing CA in the one domain by restoring the backup and registry from the original servers, I am receiving the following error and I cannot start the CA Service. I receive the error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

I had to execute "certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE" to get past this but I need to resolve the CRL file issue. I published a new CRL file from the new offline Root CA and copied it to the C:\Windows\System32\CertSrv\CertEnroll folder on the Issuing Server but it didn't resolve the problem.
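The following is an added triage script, not something posted in the thread. It shows how a defender would confirm what the 0x80092013 error is actually complaining about on the migrated issuing CA: whether the CRLF_REVCHECK_IGNORE_OFFLINE bypass is still set, which CDP/AIA URL in the CA's own certificate chain fails to download, and whether the root CRL copied into CertEnroll is usable. It assumes an elevated prompt on the issuing CA and the default CertEnroll path named in the question; nothing else is taken from the environment.

```powershell
# Added example (not from the thread): triage CRYPT_E_REVOCATION_OFFLINE (0x80092013)
# on a migrated issuing CA. Assumes an elevated prompt on the issuing CA and the
# default CertEnroll path named in the question.
$certEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'

# 1. Is the CRLF_REVCHECK_IGNORE_OFFLINE bypass still set? It lets certsvc start but
#    leaves the revocation path broken, so treat it as a temporary flag only.
Write-Host '--- ca\CRLFlags ---'
certutil -getreg ca\CRLFlags

# 2. Make certutil fetch every CDP/AIA URL in the chain of each certificate found in
#    CertEnroll (the issuing CA's own certificate is the interesting one). Lines that
#    start with "Failed" name the URL PKIView also reports as "Unable to Download";
#    a host name that no longer resolves means the URL still references the old server.
Get-ChildItem -Path $certEnroll -Filter '*.crt' -File | ForEach-Object {
    Write-Host "--- verify $($_.Name) ---"
    certutil -verify -urlfetch $_.FullName |
        Select-String -Pattern 'Verified|Failed|Error|Revocation|CRL'
}

# 3. Check the root CRL copied into CertEnroll: the issuer must be the root CA and
#    NextUpdate must still be in the future, otherwise the CRL is unusable even
#    though the file is present.
Get-ChildItem -Path $certEnroll -Filter '*.crl' -File | ForEach-Object {
    Write-Host "--- dump $($_.Name) ---"
    certutil -dump $_.FullName | Select-String -Pattern 'Issuer|ThisUpdate|NextUpdate|CN='
}

# 4. Once the CDP is reachable again, clear the bypass and restart the service so the
#    CA performs real revocation checking (left commented out on purpose).
# certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
# Restart-Service certsvc
```

The point of step 2 is that certutil follows exactly the URLs embedded in the certificate, so its "Failed" lines tell you whether the problem is the location (old hostname, unreachable web server) or the file (missing or stale CRL), which step 3 then confirms locally.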




9 answers

  1. Anonymous
    2023-10-09T02:25:38+00:00

    Hello Steve March1,

    Thank you for posting in Microsoft Community forum.

    1. Based on the description above, I understand that you can now start the CA service on the new CA server, am I right?

    2. Where did you see "the CRL file issue"? Via the PKIview.msc console or some other location? On the Root CA or the issuing CA?

    3. Would you please describe the CRL file issue in detail so that we can provide further help?

    4. Have you finished the 2-tier PKI migration?

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2023-10-09T13:36:31+00:00

    Thank you for your response.

    1. It is only functioning because I ran "certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE" to get past the revocation check, but I need to resolve the CRL file issue and the CRL problem still exists.
    2. I get the CRL error when I try to start the issuing CA service. PKIview reports errors as well that I cannot resolve. PKIView reports "unable to download" on both the root CA and the issuing sub CA.
    3. I have migrated both the offline root CA and the Enterprise issuing CA. The issuing CA will not start properly due to the error described in my posts.
    4. Yes, but with a number of issues described. I am receiving the following error when I try to start the CA Service: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

    Thank you for your help.

  3. Anonymous
    2023-10-10T15:13:44+00:00

    Thanks for the response.

    1. They are all in C:\Windows\system32\CertSrv\CertEnroll on the Issuing CA.
    2. I checked "Publish Delta CRLs to this location" and I have fewer errors in PKIVIEW.MSC now. But I am still getting errors for the AIA Location and CDP Location of the Root CA when I run PKIVIEW.MSC on the issuing server. The error is "Unable to Download" and the location is still using the crt for the old Root CA. How do I change this location to use the new Root CA's hostname?
    3. I was missing the CRT of the Root CA in the Enroll folder of the issuing server. After I copied that over, that problem is now resolved.
  4. Anonymous
    2023-10-10T05:31:25+00:00

    Hello Steve March1,

    Thank you for your reply.

    The issue you mentioned is one that is difficult to troubleshoot or solve. However, you can try to check the information below.

    1. What locations did you configure for AIA and CDP?

    For example:
    local disk location (C:\Windows\system32\CertSrv\CertEnroll)
    LDAP location
    http location

    2. Which entry displayed the error "unable to download" in PKIview.msc? You should check it.

    On the root CA or the issuing CA?
    LDAP entry or HTTP entry in PKIview.msc?

    3. Usually, the issue may be caused by wrong configuration of the CA properties (if it is the CRL on the root CA, check the CRL settings on the root CA; if it is the CRL on the issuing CA, check the CRL settings on the issuing CA).

    Or you may need to check the share permissions and NTFS permissions on the shared folder on the IIS server that hosts the http location.

    4. Have you put all the .crt files and .crl files for the root CA and issuing CA in the http location on the IIS server?

    You can check them based on the link below.

    AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

    Best Regards,
    Daisy Zhou

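As an added example (not code from either participant), the script below answers the two questions in the reply above from the CA itself: it lists the CDP and AIA locations the CA is configured with, including the publish and include flags, and then requests each locally present .crt/.crl file from every http location, which is the same check PKIView performs when it reports "Unable to Download". It assumes the ADCSAdministration module that ships with the CA role, an elevated prompt on the CA being checked (root or issuing), and that the http location serves the contents of the CertEnroll folder.

```powershell
# Added example (not from the thread): inventory the CDP/AIA locations configured on
# this CA and test the http ones the way PKIView does. Assumes an elevated prompt on
# the CA being checked, the ADCSAdministration module that ships with the CA role,
# and that the http location serves the CertEnroll folder contents.
Import-Module ADCSAdministration
$certEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'

Write-Host '--- CDP entries (local disk, ldap:, http:) and their publish/include flags ---'
Get-CACrlDistributionPoint |
    Select-Object Uri, PublishToServer, PublishDeltaToServer, AddToCertificateCdp, AddToFreshestCrl |
    Format-Table -AutoSize -Wrap

Write-Host '--- AIA entries and their include flags ---'
Get-CAAuthorityInformationAccess |
    Select-Object Uri, AddToCertificateAia, AddToCertificateOcsp |
    Format-Table -AutoSize -Wrap

# The stored URIs are templates such as http://host/CertEnroll/%3%8%9.crl. Cutting each
# at the first '%' leaves the folder URL; requesting every .crt/.crl that exists locally
# under that URL reproduces PKIView's "Unable to Download" check and tells the failures
# apart: a DNS error means the URL still names the old host, 401/403 point at share or
# NTFS permissions, 404 means the file was never copied to the web server.
$httpBases = @(Get-CACrlDistributionPoint) + @(Get-CAAuthorityInformationAccess) |
    Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { ($_.Uri -split '%')[0] } |
    Sort-Object -Unique

$files = Get-ChildItem -Path $certEnroll -File | Where-Object { $_.Extension -in '.crt', '.crl' }
foreach ($base in $httpBases) {
    foreach ($file in $files) {
        # Delta CRL names contain '+'; the IIS virtual directory needs allowDoubleEscaping
        # enabled to serve them, so a failure limited to the "+.crl" file usually points
        # at that setting rather than at a missing file.
        $url = $base + [uri]::EscapeDataString($file.Name)
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
            Write-Host ('OK   {0}  {1}' -f $resp.StatusCode, $url)
        } catch {
            Write-Host ('FAIL {0}  {1}' -f $url, $_.Exception.Message)
        }
    }
}
```

Run it on the issuing CA first, since that is where PKIView was run; the first two tables also show whether "Publish Delta CRLs to this location" (PublishDeltaToServer) is set on the entry that was just changed in the reply above.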
  5. Anonymous
    2023-10-11T06:55:49+00:00

    Hello Steve March1,

    Thank you for your reply.

    You can check the AIA and CDP configurations via the root CA Properties and the registry on the root CA.
    For more information, please check the part: Perform Post Installation Configuration for Root CA --> Configure the AIA and CDP

    AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

    Best Regards,
    Daisy Zhou

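The reply above points at the root CA's AIA and CDP configuration as the place where the old hostname lives. The following added script (not from the thread or the linked guide) shows the corresponding change done with the ADCSAdministration cmdlets rather than the properties dialog: on the migrated root CA it re-creates every http CDP/AIA entry that still names the old server under the new name, preserving the entry's flags, then restarts the service and publishes a fresh root CRL. OLD-ROOT-HOST and NEW-PKI-HOST are placeholders for the decommissioned name and the host that now serves the CertEnroll folder over http; an elevated prompt on the root CA is assumed.

```powershell
# Added example (not from the thread): on the migrated root CA, rewrite CDP/AIA http
# entries that still carry the old server name and republish the root CRL. Assumes an
# elevated prompt on the root CA and the ADCSAdministration module. OLD-ROOT-HOST and
# NEW-PKI-HOST are placeholders for the decommissioned name and the host that now
# serves the CertEnroll folder over http.
Import-Module ADCSAdministration
$oldHost = 'OLD-ROOT-HOST.corp.example'   # placeholder
$newHost = 'NEW-PKI-HOST.corp.example'    # placeholder

# Review first: these templates are what the CA writes into the CDP/AIA extensions
# of every certificate it issues from now on.
Get-CACrlDistributionPoint       | Select-Object Uri | Format-Table -AutoSize -Wrap
Get-CAAuthorityInformationAccess | Select-Object Uri | Format-Table -AutoSize -Wrap

# Collect the stale entries before modifying anything, so the registry is not being
# read and rewritten in the same pipeline.
$staleCdp = @(Get-CACrlDistributionPoint       | Where-Object { $_.Uri -like "http://$oldHost/*" })
$staleAia = @(Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -like "http://$oldHost/*" })

# CDP: re-create each old-host http entry under the new name with the same flags.
foreach ($e in $staleCdp) {
    $newUri = $e.Uri -replace [regex]::Escape($oldHost), $newHost
    Remove-CACrlDistributionPoint -Uri $e.Uri -Force
    Add-CACrlDistributionPoint -Uri $newUri -Force `
        -AddToCertificateCdp:$e.AddToCertificateCdp `
        -AddToFreshestCrl:$e.AddToFreshestCrl `
        -AddToCrlCdp:$e.AddToCrlCdp `
        -AddToCrlIdp:$e.AddToCrlIdp `
        -PublishToServer:$e.PublishToServer `
        -PublishDeltaToServer:$e.PublishDeltaToServer
    Write-Host "CDP  $($e.Uri)  ->  $newUri"
}

# AIA: same treatment.
foreach ($e in $staleAia) {
    $newUri = $e.Uri -replace [regex]::Escape($oldHost), $newHost
    Remove-CAAuthorityInformationAccess -Uri $e.Uri -Force
    Add-CAAuthorityInformationAccess -Uri $newUri -Force `
        -AddToCertificateAia:$e.AddToCertificateAia `
        -AddToCertificateOcsp:$e.AddToCertificateOcsp
    Write-Host "AIA  $($e.Uri)  ->  $newUri"
}

# Apply the new settings and publish a fresh root CRL to the configured locations
# (on an offline root that is the local CertEnroll folder). The new .crl, together
# with the root .crt, is then copied by hand to the http location, as the question
# already describes.
Restart-Service certsvc
certutil -crl
```

One caveat worth knowing before expecting PKIView to go green: these settings only affect certificates the root issues from now on. Certificates already issued, including the issuing CA's own, keep the URLs they were issued with, so the old hostname can keep appearing in PKIView until the issuing CA certificate is renewed from the root, or until the old name is made to resolve to the new web host in DNS.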