User request certificate : 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

Question

We have new CA in AD.
User try to request certificate mmc-> personal…-> request new certificate -> AD Enrol… Standard task.
After choosing template, user receive an error : URL:**********-CA
Error: The revocation function was unable to check revocation, because revocation server was offline.

CA server is standalone server CDP / CRL is pointing to LDAP. If I run certutil -URL "ldap:///CN=****?certificateRevocationList?base?objectClass=cRLDistributionPoint"
certutil -URL "ldap:///CN*****?deltaRevocationList?base?objectClass=cRLDistributionPoint"

and click Retrieve I see successful.
I have verify with ADSIEDIT if path is there and if permission are there and looks ok.
In Wireshark I see communication. But I see one event : 000004d: LDAP Error

Answer 1

Hello @Borut Puhar ,

Thank you for posting here.

Based on the description, I understand you have one-tier CA (that is one offline standalone root CA), is that right?

1.Could you please logon this standalone root CA, and then navigate to Revoked Certificates and right click Revoked Certificates container\All Tasks\Publish\New CRL.

2.Then find the crl file under C:\Windows\System32\CertSrv\CertEnroll on this CA server.

3.Copy the crl file in step 2 to one DC and republish it to AD.
On the DC, run command certutil -dspublish -f <the full name of crl file> <CAname>

Would you please confirm:
1.What is the CRL publish interval about your CA server?

2.Do you configure the HTTP type CRL?

Best Regards,
Daisy Zhou