Difference between revisions of "Windows certificate authority subca offline root"
Jump to navigation
Jump to search
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | # Add New CA Templates | ||
| + | Certificate Templates are stored in the Active Directory so Windows CAs can share and use the certificate templates but you still need to add them to the CA | ||
| + | |||
| + | ``` | ||
| + | Get-CATemplate | ||
| + | ``` | ||
| + | - You need to click on your Certificate Authority -> <name> -> Certificate Templates -> New -> Certificate Template to Issue or click Manage (manages AD Templates duplicate and modify) | ||
| + | |||
| + | |||
| + | # revocation server was offline issues | ||
| + | ``` | ||
| + | Active Directory Certificate Services denied request 6 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 | ||
| + | ``` | ||
| + | |||
| + | https://learn.microsoft.com/en-us/answers/questions/339811/enable-revocation-checking-on-subordinate-ca | ||
https://learn.microsoft.com/en-us/answers/questions/1320695/the-revocation-function-was-unable-to-check-revoca | https://learn.microsoft.com/en-us/answers/questions/1320695/the-revocation-function-was-unable-to-check-revoca | ||
| Line 12: | Line 27: | ||
Certificate Authority (Local) and right click and start Certificate Authority service and it should come up green | Certificate Authority (Local) and right click and start Certificate Authority service and it should come up green | ||
| + | |||
| + | |||
| + | # You can just disable the rev check as well. This is guaranteed to work | ||
| + | - https://stealthpuppy.com/resolving-issues-starting-ca-offline-crl/ | ||
| + | |||
| + | |||
| + | Ignore if offline | ||
| + | ``` | ||
| + | certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE | ||
| + | ``` | ||
| + | |||
| + | Re-enable offline check | ||
| + | ``` | ||
| + | certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE | ||
| + | ``` | ||
Latest revision as of 21:35, 6 December 2023
Add New CA Templates
Certificate Templates are stored in the Active Directory so Windows CAs can share and use the certificate templates but you still need to add them to the CA
Get-CATemplate
- You need to click on your Certificate Authority ->
-> Certificate Templates -> New -> Certificate Template to Issue or click Manage (manages AD Templates duplicate and modify)
revocation server was offline issues
Active Directory Certificate Services denied request 6 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013
The revocation function was unable to check revocation because the revocation server was offline
Fix - Turn on rootca1 and copy *.crl files to subca(s)
scp rootca1.example.com:\Windows\System32\CertSrv\CertEnroll ./ scp CertEnroll\*.crl ica1.example.com:\Windows\System32\CertSrv\CertEnroll\
Certificate Authority (Local) and right click and start Certificate Authority service and it should come up green
You can just disable the rev check as well. This is guaranteed to work
Ignore if offline
certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Re-enable offline check
certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE