ADCS configuration

I need some help configuring ADCS with an offline root CA and a issuing CA.

My main problem is when I try to install the certificate issued by the root CA into the issuing CA. It installs fine but whenever I attempt to start the ADCS service it gives me the following error:

"the revocation function was unable to check revocation because the revocation server was offline"

I've tried to troubleshoot this on my own several times and unable to figure out a solution. I've used both the guides below and both produce the same error.

Active Directory Certificate Services Step-by-Step Guide
Build an Offline Root CA with a Subordinate CA « Marc Kean

Running the following command does get rid of the error but I've read this is not the recommended solution to a problem like this.
Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

I'm really not sure what I'm doing wrong. I understand that it has to do with CDP but I'm unsure how to go about correcting the error. Any help would be appreciated.

Find more posts tagged with

Comments

undomiel

I would recommend going through the guide here: Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation - Ask the Directory Services Team - Site Home - TechNet Blogs

Lots of great and detailed info in it. The problem you're seeing here looks like it can't find a CRL from the root server so you'll want to check on your CRL publication paths and how you have them configured.

method115

I checked the CRL distribution point and it is listed as:

http://server3/certenroll/<caname><crlnamesuffix><deltacrlallowed>.crl

If I put that link into my internet explorer it doesn't work. If I put http://server3/certenroll it works after I enabled directory browsing.

I'd like to try and get this error solved especially because ADCS is supposed to be a big part of the 70-640 I'd like to understand what I did wrong in the setup.

elusus

Is this the first time you're setting it up on the machine?

undomiel

Did you install the crl copied over from the root ca with the root certificate as well?

method115

Yes this is my first time setting it up on these machines. I didn't copy the CRL over from the root machine, I'm guessing this is how you manually move the CRL over from the root CA? I read about doing it that way but decided to do it the other way that was explained to me. Basically you go into the rootca and edit the CDP under the extentions tab (Certification Authority -> RootCa-name -> right-click - properties -> extensions tab -> CDP) I added a URL pointing to my subCA.

Maybe I'll try to follow the guide in the MS books. I think it worked when I used that lab. I just wanted to see the different ways you can set this up.

method115

Figured everything out I just manually copied my CRL/CRT files from my offline root CA over to my issuing CA. This way is better anyways because the Root CA is not supposed to ever be put online anyways and doing it like that makes sure it never has to be.