Windows certificate authority subca offline root

From UVOO Tech Wiki
Revision as of 21:35, 6 December 2023 by Busk (talk | contribs)

Add New CA Templates

Certificate templates are stored in Active Directory, so every Windows CA in the forest can see and use the same templates, but a CA only issues a template once you have added it to that CA. List what the CA currently issues with:

Get-CATemplate
  • To add one, open the Certification Authority console, expand your CA -> Certificate Templates -> New -> Certificate Template to Issue. Click Manage instead to open the AD templates themselves, where you can duplicate and modify them.

Revocation server was offline issues

Active Directory Certificate Services denied request 6 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

https://learn.microsoft.com/en-us/answers/questions/339811/enable-revocation-checking-on-subordinate-ca

https://learn.microsoft.com/en-us/answers/questions/1320695/the-revocation-function-was-unable-to-check-revoca

The revocation function was unable to check revocation because the revocation server was offline

Fix: turn on rootca1 and copy its *.crl files to the subordinate CA(s). The commands below assume an OpenSSH server is running on both Windows hosts and that you run them from a shell that passes the Windows paths through unchanged.

scp -r rootca1.example.com:\Windows\System32\CertSrv\CertEnroll ./
scp CertEnroll\*.crl ica1.example.com:\Windows\System32\CertSrv\CertEnroll\

In the Certification Authority console, right-click Certificate Authority (Local), start the Certificate Authority service, and the CA should come up green.
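As the fix above implies, the usual reason for this error is that the copy of the root's CRL that the subordinate CA can reach has passed its NextUpdate while the root was powered off. The script below is an added example (not from this wiki page) that reads the NextUpdate of every CRL in a CertEnroll folder with only the Python standard library and reports which ones are expired or about to expire, so you can bring the root up and republish before the CA service refuses to start. The folder path, the file names and the two sample CRLs it builds in memory are constructed for the example; the samples are unsigned and only contain the fields the parser reads.

```python
"""Flag expired or soon-to-expire CRLs in a CertEnroll folder (added example)."""
import glob
import os
from datetime import datetime, timedelta, timezone


def _read_tlv(data, pos):
    """Parse one DER TLV at data[pos]; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(data, pos)
        yield tag, vstart, vend
        pos = vend


def _parse_time(tag, raw):
    """Decode a DER UTCTime (0x17) or GeneralizedTime (0x18) that ends in 'Z'."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate is None if absent."""
    _, outer_start, _ = _read_tlv(der, 0)                  # CertificateList SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, outer_start)    # tbsCertList SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0x02:                               # optional version INTEGER
        fields = fields[1:]
    # fields[0] = signature AlgorithmIdentifier, fields[1] = issuer Name
    tag, s, e = fields[2]
    this_update = _parse_time(tag, der[s:e])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (0x17, 0x18):  # optional nextUpdate
        tag, s, e = fields[3]
        next_update = _parse_time(tag, der[s:e])
    return this_update, next_update


def check_crls(blobs, now=None, warn_days=7):
    """blobs: {name: der_bytes}. Return {name: 'ok'|'expiring'|'expired'|'no-nextupdate'}."""
    now = now or datetime.now(timezone.utc)
    out = {}
    for name, der in blobs.items():
        _, next_update = crl_validity(der)
        if next_update is None:
            out[name] = "no-nextupdate"
        elif next_update <= now:
            out[name] = "expired"
        elif next_update - now <= timedelta(days=warn_days):
            out[name] = "expiring"
        else:
            out[name] = "ok"
    return out


def check_crl_folder(folder, **kwargs):
    """Check every *.crl in folder, e.g. C:\\Windows\\System32\\CertSrv\\CertEnroll (path assumed)."""
    blobs = {}
    for path in sorted(glob.glob(os.path.join(folder, "*.crl"))):
        with open(path, "rb") as fh:
            blobs[os.path.basename(path)] = fh.read()
    return check_crls(blobs, **kwargs)


def _der(tag, content):
    """Minimal DER TLV encoder (lengths below 65536), used only to build sample CRLs."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def sample_crl(this_update, next_update):
    """Constructed, unsigned CRL with a placeholder issuer and dummy signature bits."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03])) + _der(0x13, b"Example Root CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + sig_alg + issuer + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))


def demo():
    """Run the check on constructed samples as of a fixed clock (names are invented)."""
    now = datetime(2023, 12, 6, 21, 35, tzinfo=timezone.utc)
    blobs = {
        "rootca1-current.crl": sample_crl(now - timedelta(days=30), now + timedelta(days=150)),
        "rootca1-stale.crl": sample_crl(now - timedelta(days=200), now - timedelta(days=20)),
        "ica1-soon.crl": sample_crl(now - timedelta(days=6), now + timedelta(days=1)),
    }
    return check_crls(blobs, now=now)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run `check_crl_folder(r"C:\Windows\System32\CertSrv\CertEnroll")` on the subordinate CA to see the real files; anything reported as `expired` is what the CA's revocation check is tripping over, and `expiring` is the window in which to power the root on and publish a fresh CRL.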

You can also just disable the revocation check. This is guaranteed to work, but note what it does: the CA proceeds whenever it cannot reach a CRL, so a revocation of the subordinate CA's own certificate goes unnoticed for as long as the flag is set.

Ignore if offline

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Re-enable the offline check

certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE

Restart the Active Directory Certificate Services service after either change so the new flag value takes effect.