Thread: Certificates trouble: CRL not available(?) and "revocation server offline" error

  1. #1
    Join Date
    Sep 2005
    Posts
    82

    Certificates trouble: CRL not available(?) and "revocation server offline" error

    I have recently installed EntIssuing and EntRoot CAs for the test environment that I am going to do. They are both kept online, and afterwards I configured them as below:

    For EntRoot, I have used the below:
    • I have left CDP and AIA locations on default.
    • The base CRL publication is 1 week, and there are no Delta CRLs.
    • I have also deleted all certificate tmpls from CA>Certificate Templates except Subordinate Certification Authority.


    For EntIssuing, I have used the below:
    • I have left CDP and AIA locations on default.
    • The base CRL publication is 1 day, Delta CRL publication is every 6 hours, and AD replication is 2 hours.
    • I have also created a new FirmaEFS cert tmpl based on Basic EFS, added Basic EFS on its Properties>Superseded Templates tab, and after that deleted Basic EFS from CA>Certificate Templates.

    The problem now is that I got some certificates based on the FirmaEFS cert tmpl on my client PC for 2 different users by using the Certificates snap-in console. But afterwards, if I try to use them for encryption, I get an error saying "revocation server offline". Is there any fix for this problem?

  2. #2
    Join Date
    Jul 2006
    Posts
    339

    Re: Certificates trouble: CRL not available(?) and "revocation server offline" error

    You could first of all try to validate the AIA and CDP extensions, then run pkiview.msc from the resource tool kits, and after that check whether *all* AIA and CDP points are considered Valid, and that the expiry is alright too.

  3. #3
    Join Date
    May 2006
    Posts
    91
    Can you try to disable the function that usually checks for revocation on all the certificates in the PKI hierarchy with the below command on the CA:

    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

    It will then return the following:

    C:\>certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\SEASUB0\CRLFlags

    Old Value:
    CRLFlags REG_DWORD = 2
    CRLF_DELETE_EXPIRED_CRLS -- 2

    New Value:
    CRLFlags REG_DWORD = a (10)
    CRLF_DELETE_EXPIRED_CRLS -- 2
    CRLF_REVCHECK_IGNORE_OFFLINE -- 8
    CertUtil: -setreg command completed successfully.

    After that try to reboot the CA.

  4. #4
    Join Date
    Sep 2005
    Posts
    138

    Re: Certificates trouble: CRL not available(?) and "revocation server offline" error

    I think that the root certificate is not supposed to have a CDP listed in it, because there is no point in checking whether the root CA certificate has been revoked. As per the RFC, I have seen that an application is supposed to stop revocation checking one level below the top of the trust chain.
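
An added example, not part of any post in this thread: a PowerShell check, run on the client as an affected user, that prints the CDP and AIA URLs embedded in an issued certificate and shows which chain element reports OfflineRevocation or RevocationStatusUnknown. The file name user-efs.cer is a placeholder for an exported copy (without private key) of one of the FirmaEFS certificates.

```powershell
# Added example: locate the chain element behind a "revocation server offline" error.
# $CertPath is a placeholder for an exported .cer copy of the affected certificate.
param([string]$CertPath = '.\user-efs.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path

# 1. Show the CRL Distribution Points (2.5.29.31) and Authority Information
#    Access (1.3.6.1.5.5.7.1.1) URLs that clients will try to reach.
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) {
        Write-Output "[$oid] extension not present"
        continue
    }
    Write-Output "[$oid] $($ext.Oid.FriendlyName)"
    Write-Output $ext.Format($true)
}

# 2. Build the chain with online revocation checking for every certificate
#    except the root.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$valid = $chain.Build($cert)

# 3. Report status per chain element. OfflineRevocation or
#    RevocationStatusUnknown on an element means the CRL named in that
#    certificate's CDP could not be retrieved or has expired.
foreach ($element in $chain.ChainElements) {
    $flags = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    Write-Output ('{0} : {1}' -f $element.Certificate.Subject, $flags)
}
Write-Output "Chain valid: $valid"
```

Running `certutil -verify -urlfetch` against the same file retrieves each CDP and AIA URL in turn and reports the result for each one.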
