HighTechTalks DotNet Forums  

Offline Root CA issue

Dotnet Security microsoft.public.dotnet.security


#1 - Face - Offline Root CA issue - 10-29-2007, 05:30 PM

I have set up a standalone offline root CA (part of the domain), and a
subordinate online CA server in a Windows 2003 Server environment (virtual
servers). I have exported the CRL from the offline root into the online
server, after modifying the path to point to the new CRL path. I was able to
issue certs for my users, based on this hierarchy, and brought the root CA
offline right after.
Now that the offline CA is offline, I am not able to issue certs anymore,
and I get this error message on my cert server:
__________________________
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 100
Date: 10/29/2007
Time: 3:24:07 PM
User: N/A
Computer: ADS1IDS
Description:
Certificate Services did not start: Could not load or verify the current CA
certificate. subordinate The revocation function was unable to check
revocation because the revocation server was offline. 0x80092013
(-2146885613).
__________________________

Even if I bring the root CA online, it seems that the process has been
broken, and needs to be troubleshot or re-created.
I found a document about the best practices in implementing an IKE, and
it states that the standalone root CA should not be part of the domain. Do
you think this might be a reason for the problem I am facing?

Also, what is the best way to clean up previously created certs that were
replicated across the domain controllers in my environment?

Thanks
--
Face


#2 - BillL - RE: Offline Root CA issue - 01-03-2008, 12:31 PM

Hi Face,

Did you ever find the solution to your problem? I'm hitting the same issue.

Thanks,
Bill



#3 - Face - RE: Offline Root CA issue - 01-03-2008, 03:14 PM

Hi BillL,

I have worked my way around that. Yes, it was a CRL that had expired, and
because of that the CA went offline. I had to change the validity of the CRL
on the subordinate CA, and that allowed me to turn the CA back on and issue
certs again. This only relates to errors similar to the one I
included in my previous email, with Event ID 100.
Just to let you know, I also decided to re-build the whole root and
subordinate CA, as standalone non-domain servers, and based on a "security
policy" document that describes all the parameters and variables that need to
be set/monitored once the configuration is over.
Hope that helps.
Regards,
Face
--
Face



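A defender-side check for the failure Face describes (the root CRL reaching its NextUpdate while the root is powered off, so CertSvc on the subordinate fails with 0x80092013), plus the certutil steps to extend and republish the root CRL. This is an added example, not code from the thread; the CRL path, the subordinate CA certificate path and the warning threshold are assumptions, and the check relies on certutil -dump printing a NextUpdate line in the machine's local date format.

```powershell
# Added example (not from the thread). Assumed paths and threshold:
$RootCrl   = 'C:\CertEnroll\RootCA.crl'   # assumption: root CRL file at the CDP the sub CA uses
$SubCaCert = 'C:\CertEnroll\SubCA.cer'    # assumption: subordinate CA certificate
$WarnDays  = 14                           # assumption: alert this many days before expiry

# Run on the subordinate CA (e.g. from a scheduled task): read the published
# root CRL's NextUpdate and warn before the CRL lapses and CertSvc stops with
# Event ID 100 / 0x80092013 "revocation server was offline".
function Test-RootCrl {
    $dump = certutil -dump $RootCrl
    $hit  = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $hit) { throw "No NextUpdate line found in $RootCrl" }
    $nextUpdate = [datetime]::Parse($hit.Matches[0].Groups[1].Value.Trim())
    $daysLeft   = [int]($nextUpdate - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) {
        Write-Warning "Root CRL expired on $nextUpdate; CertSvc will not start until a new root CRL is published."
    } elseif ($daysLeft -le $WarnDays) {
        Write-Warning "Root CRL expires in $daysLeft day(s) ($nextUpdate): power on the root CA and republish."
    } else {
        Write-Output "Root CRL valid until $nextUpdate ($daysLeft days left)."
    }
    return $daysLeft
}

# Run on the offline root CA while it is powered on: set the CRL lifetime to
# cover the gap between scheduled power-ons (26 weeks here), then publish a
# fresh CRL. Whatever the lifetime, Test-RootCrl must run more often than it.
function Update-RootCrl {
    certutil -setreg CA\CRLPeriodUnits 26
    certutil -setreg CA\CRLPeriod "Weeks"
    net stop certsvc; net start certsvc      # registry change takes effect on restart
    certutil -CRL                            # writes the new CRL into the CA's CertEnroll folder
}

# Run on the subordinate CA after copying the new .crl to $RootCrl: import it,
# publish it to the AD CDP container if an LDAP CDP is used, confirm the
# subordinate CA certificate chains and revocation-checks cleanly, then start.
function Import-RootCrl {
    certutil -addstore -f Root $RootCrl
    certutil -dspublish -f $RootCrl          # only when the CDP includes an LDAP URL
    certutil -verify -urlfetch $SubCaCert    # must report no revocation/offline errors
    net start certsvc
}

Test-RootCrl
```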