User request certificate : 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

Borut Puhar 66 Reputation points
2021-01-13T10:17:59.157+00:00

We have a new CA in AD.
A user tries to request a certificate: mmc -> Personal… -> Request New Certificate -> AD Enrol… Standard task.
After choosing the template, the user receives an error: URL:**********-CA
Error: The revocation function was unable to check revocation, because the revocation server was offline.

The CA server is a standalone server; the CDP/CRL is pointing to LDAP. If I run
certutil -URL "ldap:///CN=****?certificateRevocationList?base?objectClass=cRLDistributionPoint"
certutil -URL "ldap:///CN*****?deltaRevocationList?base?objectClass=cRLDistributionPoint"

and click Retrieve, I see it succeeds.
I have verified with ADSIEDIT that the path is there and the permissions are there, and it looks OK.
In Wireshark I see communication, but I see one event: 000004d: LDAP Error


1 answer

  1. Anonymous
    2021-01-14T03:40:32.447+00:00

    Hello @Borut Puhar ,

    Thank you for posting here.

    Based on the description, I understand you have a one-tier CA (that is, one offline standalone root CA), is that right?

    1. Could you please log on to this standalone root CA, navigate to Revoked Certificates, right-click the Revoked Certificates container and choose All Tasks\Publish\New CRL.

    2. Then find the .crl file under C:\Windows\System32\CertSrv\CertEnroll on this CA server.

    3. Copy the .crl file from step 2 to one DC and republish it to AD.
    On the DC, run the command certutil -dspublish -f <the full name of the CRL file> <CAname>

    Would you please confirm:
    1. What is the CRL publish interval on your CA server?

    2. Have you configured an HTTP-type CRL?

    Best Regards,
    Daisy Zhou

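The procedure in the answer above (republish the CRL on the CA, push it into the AD CDP container from a DC, then check the publication interval and whether an HTTP CDP exists) and the LDAP retrieval check from the question can be scripted. The following PowerShell is an added example and is not code from either poster. The CA host name, CA name, CRL path and the exported issued certificate are placeholders (assumptions); the `Client` stage assumes it runs on a domain member that can reach a DC, and `Get-CrlValidity` assumes certutil prints its timestamps in the machine's current culture.

```powershell
#Requires -RunAsAdministrator
<#
  Added example; not code from the thread above. Everything named here is an assumption:
  the placeholder CA host/name, the exported issued certificate, and that the 'Client' stage
  runs on a domain member that can reach a DC. Stage 'CA' covers the answer's steps 1-2 plus
  its two questions (CRL period, HTTP CDP); stage 'Client' reproduces the certutil -URL check
  from the question against the LDAP CDP object and then runs a full revocation check.
#>
param(
    [ValidateSet('CA', 'Client')]
    [string]$Stage = 'Client',
    [string]$CAHost = 'CA01',                       # assumed: short host name of the CA server
    [string]$CAName = 'Contoso-Root-CA',            # assumed: CA common name shown in certsrv.msc
    [string]$CrlFile = "C:\Windows\System32\CertSrv\CertEnroll\$CAName.crl",
    [string]$IssuedCertFile = 'C:\Temp\issued.cer'  # assumed: any DER cert issued by this CA
)

function Get-CrlValidity {
    # Pull ThisUpdate/NextUpdate out of 'certutil -dump <file.crl>'. certutil prints the
    # timestamps in the local culture, so [datetime]::Parse uses the current culture as well.
    param([Parameter(Mandatory)][string]$Path)
    $dates = @{}
    foreach ($line in (certutil -dump $Path)) {
        if ($line -match '^\s*(ThisUpdate|NextUpdate):\s*(.+)$') {
            $dates[$Matches[1]] = [datetime]::Parse($Matches[2].Trim())
        }
    }
    if (-not $dates.ContainsKey('NextUpdate')) { throw "No NextUpdate in $Path; not a CRL?" }
    [pscustomobject]@{
        ThisUpdate = $dates['ThisUpdate']
        NextUpdate = $dates['NextUpdate']
        Expired    = $dates['NextUpdate'] -lt (Get-Date)
    }
}

if ($Stage -eq 'CA') {
    # Step 1: same action as Revoked Certificates > All Tasks > Publish > New CRL.
    certutil -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

    # The two things the answer asks about: the CRL publication interval and the CDP URL list
    # (an http:// entry in CRLPublicationURLs means an HTTP CDP is configured next to LDAP).
    certutil -getreg CA\CRLPeriodUnits
    certutil -getreg CA\CRLPeriod
    certutil -getreg CA\CRLPublicationURLs

    # Step 2: the freshly written CRL and how long clients will accept it.
    $v = Get-CrlValidity -Path $CrlFile
    Write-Host ("CRL {0}: ThisUpdate={1:u} NextUpdate={2:u} Expired={3}" -f `
        $CrlFile, $v.ThisUpdate, $v.NextUpdate, $v.Expired)

    # Step 3 has to happen on a DC: a standalone CA cannot write the CRL into AD itself.
    # The container argument is the CDP container CN, which in a default install is the CA
    # host name (CN=<CAName>,CN=<CAHost>,CN=CDP,CN=Public Key Services,CN=Services,<config NC>).
    Write-Host "Copy $CrlFile to a DC and run there:  certutil -dspublish -f `"$(Split-Path $CrlFile -Leaf)`" $CAHost"
}
else {
    # Fetch the object the ldap:/// CDP URL points at, the way certutil -URL does behind its GUI.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $cdpDn    = "CN=$CAName,CN=$CAHost,CN=CDP,CN=Public Key Services,CN=Services,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$cdpDn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=cRLDistributionPoint)'
    [void]$searcher.PropertiesToLoad.Add('certificateRevocationList')
    $result = $searcher.FindOne()
    if (-not $result) { throw "CDP object not found or not readable: $cdpDn" }

    # Save the attribute to disk and read its validity window. An expired CRL in AD is reported
    # by clients as CRYPT_E_REVOCATION_OFFLINE, exactly like an unreachable CDP.
    $bytes = [byte[]]$result.Properties['certificaterevocationlist'][0]
    $tmp   = Join-Path $env:TEMP "$CAName-from-ad.crl"
    [IO.File]::WriteAllBytes($tmp, $bytes)
    $v = Get-CrlValidity -Path $tmp
    Write-Host ("AD holds a {0}-byte CRL for {1}: NextUpdate={2:u} Expired={3}" -f `
        $bytes.Length, $CAName, $v.NextUpdate, $v.Expired)

    # Drop the local URL and chain caches so the next check really goes to the DC, then do what
    # the enrolment wizard does: build the chain and fetch every CDP/AIA URL in it.
    certutil -urlcache crl delete | Out-Null
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
    certutil -verify -urlfetch $IssuedCertFile | Select-String 'CRL|Revocation|0x8009'
}
```

Run `.\Check-Cdp.ps1 -Stage CA` on the CA, copy the CRL to a DC and run the printed `certutil -dspublish` line there, then run `.\Check-Cdp.ps1 -Stage Client -IssuedCertFile <cert>` on the failing client. The last command's output is the decisive part: a `Verified "Base CRL"` line means the LDAP CDP is reachable and current, while a `CRYPT_E_REVOCATION_OFFLINE` line with the CDP URL beside it points at either an expired CRL in the directory or a client that cannot read the CDP object.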
