Question
Friday, February 28, 2014 5:38 PM
My expertise with regards to Certificate Services is limited so bear with me please... I inherited a network with a single domain that has an Offline Root CA along with the online issuing CA. I first ran into problems when I tried to publish the New Certificate Revocation List; this usually gets done once a year.
I started up the offline CA and generated a new CRL using CERTUTIL, then exported the file onto the issuing CA server and copied it to the WWWPKIpub folder, replacing the old one.
On the issuing CA server, when I open Pkiview.msc to check that the new certificate has been accepted, I get an error message to say that the CA is currently offline.
On the CA MMC, it says that the RPC server is not listening and when I try to start the service, I get: "The revocation function was unable to check revocation because the revocation server was offline" Error 0x80092013.
Your help is much appreciated.
Marco S
All replies (22)
Tuesday, March 11, 2014 1:15 PM ✅ Answered
It turns out that the problem was with the authentication on the WWWPKIpub folder. I disabled Windows authentication and enabled anonymous authentication. As We'd never encountered this issue before, I suspect that a Windows update must have changed/reset to default those permissions.
Thank you all for your input.
Marco S
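The accepted answer above comes down to one IIS setting: CDP/AIA clients (certutil, CryptoAPI, and the CA service itself when it validates its own chain at start-up) fetch CRLs and CA certificates with no credentials, so the virtual directory behind the publication URL has to allow anonymous read and must not demand Windows authentication. The script below is an added example written for this page, not something posted in the thread; it assumes the site is "Default Web Site", the virtual directory is "pki", the host name is pki.example.org (the thread masks the real one) and the CRL file is "TLMI Root CA.crl". It reads the current authentication state of the location, switches it to anonymous-only, and then proves the fix with an unauthenticated download, which is exactly the request a revocation client makes.

```powershell
# Added example (not from the thread): make the /pki publication directory
# anonymously readable and confirm it with an unauthenticated download.
# Assumed names: 'Default Web Site', vdir 'pki', host pki.example.org,
# CRL file 'TLMI Root CA.crl'. Run in an elevated Windows PowerShell on the IIS host.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$VDir     = 'pki'
$Location = "$Site/$VDir"
$AuthBase = 'system.webServer/security/authentication'
$PSPath   = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config <location>, which works even when the sections are locked

function Get-PkiAuthState {
    # Returns the 'enabled' flag of each authentication scheme on the /pki location.
    $state = [ordered]@{}
    foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
        $p = Get-WebConfigurationProperty -PSPath $PSPath -Location $Location `
                 -Filter "$AuthBase/$scheme" -Name enabled
        $state[$scheme] = if ($p -is [bool]) { $p } else { [bool]$p.Value }
    }
    return $state
}

function Set-PkiAnonymousOnly {
    # Anonymous on, Windows authentication off: a CRL download carries no token,
    # so anything that challenges for credentials makes the CRL "offline".
    Set-WebConfigurationProperty -PSPath $PSPath -Location $Location `
        -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $PSPath -Location $Location `
        -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $false
}

function Test-AnonymousDownload {
    param([string]$Url)
    # Invoke-WebRequest sends no credentials unless -UseDefaultCredentials is given,
    # so a 200 here is what certutil/CryptoAPI will get; a 401 reproduces the thread's symptom.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
        return [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Bytes = $r.Content.Length; Ok = $true }
    } catch {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        return [pscustomobject]@{ Url = $Url; Status = $code; Bytes = 0; Ok = $false }
    }
}

'Before:'; Get-PkiAuthState
Set-PkiAnonymousOnly
'After:';  Get-PkiAuthState
Test-AnonymousDownload -Url 'http://pki.example.org/pki/TLMI%20Root%20CA.crl'
```

Two checks worth making alongside this: run Test-AnonymousDownload from a domain client as well as from the CA host itself (the thread's "works by IP, prompts by host name" pattern is often only visible when the server browses its own host name), and keep the anonymous grant read-only on D:\WWWPKIpub; the directory browsing that was switched on earlier in the thread is not needed for CRL fetching and can be turned back off once the files are confirmed reachable.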
Friday, February 28, 2014 6:14 PM
Are the root CA CRLs available for download (in pkiview.msc) and valid?
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
Monday, March 3, 2014 8:52 AM
The only item that appears in Pkiview.msc is the CA certificate. Everything else has an error against it because "the CA is currently offline or unavailable".
I don't actually see any reference at all to CRLs in Pkiview
On Certsrv, the Revoked certificates folder displays this error: "Results cannot be obtained from a stopped service".
The problem seems to be that I cannot start the Certificate Service.
Marco S
Monday, March 3, 2014 9:47 AM
Hi,
Here is a similar thread for your reference; please go through it:
In addition, please check below article to troubleshoot this issue:
How to verify CRL availability and validity and test certificate revocation
http://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=13
Regards,
Yan Li
Monday, March 3, 2014 10:00 AM
and what about root CA in pkiview.msc? Maybe you can provide a screenshot?
Monday, March 3, 2014 10:38 AM
Hi Yan Li,
This is the output from the commands I found in the article you asked me to go through:
C:\Windows\system32>certutil -urlfetch -verify leafCertificate.cer
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
LoadCert(Cert) returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
CertUtil: -verify command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
C:\Windows\system32>certutil -user -urlfetch -verify leafCertificate.cer
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
LoadCert(Cert) returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
CertUtil: -verify command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
C:\Windows\system32>certutil -url leafCertificate.cer
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
CertUtil: -URL command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
Could this be the reason the certificate service isn't starting?
Marco S
Monday, March 3, 2014 11:02 AM
On Mon, 3 Mar 2014 10:38:34 +0000, Mark-199 wrote:
C:\Windows\system32>certutil -url leafCertificate.cer
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
CertUtil: -URL command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
Could this be the reason the certificate service isn't starting?
You need to be pointing at a real file that actually exists.
Paul Adare - FIM CM MVP
Saying that XP is the most stable MS OS is like saying that
asparagus is the most articulate vegetable. -- Dave Barry
Monday, March 3, 2014 11:10 AM
I can see the old CRL certificates when I go to Enterprise PKI > Manage AD containers > CDP containers...
How can I replace those certificates with the ones I generated on the off-line root CA?
Thanks
Marco S
Monday, March 3, 2014 5:25 PM
Hi Paul,
How can I point the CA to the actual file location?
Thanks
Marco S
Monday, March 3, 2014 5:57 PM
On Mon, 3 Mar 2014 17:25:06 +0000, Mark-199 wrote:
How can I point the CA to the actual file location?
I'm not talking about doing this for the CA, I'm talking about your
certutil command. The results that you posted quite clearly indicate that
the file you're attempting to verify simply doesn't exist.
Paul Adare - FIM CM MVP
Yea, tho I walk thru the valley of the shadow of clues, I shall fear no
luser, for Thou lart with me, Thy chicken and Thy manual, they comfort me.
-- Dave Aronson
Monday, March 3, 2014 8:49 PM
Ok, the file does exist; I copied it into the WWWPKIpub folder; it is the file I copied from the CA Root server to the issuing CA server.
This is what I am trying now:
E:\certutil -dspublish -f rootca.crt
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
Marco S
Monday, March 3, 2014 8:54 PM
On Mon, 3 Mar 2014 20:49:59 +0000, Mark-199 wrote:
E:\certutil -dspublish -f rootca.crt
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
It doesn't exist at the location where you are running certutil from.
Certutil isn't going to be able to automatically find the certificate. This
isn't a certificate services issue, this is basic command prompt operation.
If you're running a command that needs a physical file to operate on, you
need to point the command to the actual file.
Paul Adare - FIM CM MVP
"The Computer made me do it." -- BSD fortune file
Monday, March 3, 2014 9:06 PM
Thanks
I thought certutil looked in wwwpkipub by default... this is the latest result:
E:\certutil -dspublish -f "D:\WWWPKIpub\TLMI Root CA.crl"
A required CRL extension is missing
CertUtil: -dsPublish command FAILED: 0x80070490 (WIN32: 1168)
CertUtil: Element not found.
It seems there is still something missing...
Marco S
Tuesday, March 4, 2014 8:55 AM
From what I see, you don't need to publish CRLs to Active Directory, because there are no references to the location. You must publish CRT and CRL files to web server where your pki website resides.
Tuesday, March 4, 2014 7:50 PM
The web server is the same server as the CA server.
Can anyone help me with this? The problem I am experiencing is: "The revocation function was unable to check revocation because the revocation server was offline". I am unable to do anything in the certsrv mmc.
Thanks
Marco S
Tuesday, March 4, 2014 9:00 PM | 1 vote
Read my previous reply. You have to copy root CA's CRT and CRL files to web server. Look at pkiview.msc, there are two URLs. They must point to a corresponding CA files.
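Both the "verify CRL availability" article Yan Li linked and the advice just above (the two URLs pkiview.msc shows must resolve to the root CA's CRL and certificate on the web server) reduce to the same check: read the CDP and AIA URLs out of a certificate, fetch each one without credentials, and confirm what came back is a current CRL. The script below is an added example for this page, not code from the thread or from the pkiview tool; it takes the path of a certificate file as its only input (the issuing CA's own certificate is the right one to test, since its CDP/AIA point at the root CA's CRL and certificate, which is what the CA service needs to reach before it will start) and, for each HTTP URL, reports the status code and the ThisUpdate/NextUpdate values parsed from certutil -dump. It assumes Windows, where X509Extension.Format renders the extensions as CryptoAPI text with one "URL=" per line.

```powershell
# Added example (not from the thread): enumerate a certificate's CDP/AIA URLs,
# fetch each over HTTP with no credentials, and report CRL validity dates.
# Assumption: -CertPath is a .cer/.crt file (DER or Base64), e.g. the issuing
# CA's certificate exported from Cert:\LocalMachine\My, or the root CA .crt
# already copied to D:\WWWPKIpub. Windows only (relies on CryptoAPI formatting and certutil.exe).
param([Parameter(Mandatory = $true)][string]$CertPath)

function Get-PublicationUrls {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $urls = @()
    foreach ($ext in $cert.Extensions) {
        $kind = switch ($ext.Oid.Value) {
            '2.5.29.31'         { 'CDP' }   # CRL Distribution Points
            '1.3.6.1.5.5.7.1.1' { 'AIA' }   # Authority Information Access
            default             { $null }
        }
        if (-not $kind) { continue }
        # Format($true) gives the multi-line CryptoAPI rendering, e.g. "URL=http://host/pki/Root CA.crl"
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $urls += [pscustomobject]@{ Kind = $kind; Url = $m.Groups[1].Value }
        }
    }
    return $urls
}

function Test-PublicationUrl {
    param([string]$Kind, [string]$Url)
    $row = [ordered]@{ Kind = $Kind; Url = $Url; Status = $null; ThisUpdate = $null; NextUpdate = $null; Note = $null }
    if ($Url -notmatch '^http://') { $row.Note = 'skipped (not HTTP; LDAP paths are only reachable by domain members)'; return [pscustomobject]$row }
    $tmp = [IO.Path]::GetTempFileName()
    try {
        # No -UseDefaultCredentials: this is the same anonymous GET that CryptoAPI issues.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -OutFile $tmp -PassThru
        $row.Status = [int]$r.StatusCode
        if ($Kind -eq 'CDP') {
            # certutil -dump on a CRL prints "ThisUpdate: <date>" and "NextUpdate: <date>";
            # anything else (an HTML error page, a .crt) yields neither line.
            $dump = & certutil.exe -dump $tmp 2>&1 | Out-String
            if ($dump -match 'ThisUpdate:\s*(.+)') { $row.ThisUpdate = $Matches[1].Trim() }
            if ($dump -match 'NextUpdate:\s*(.+)') { $row.NextUpdate = $Matches[1].Trim() }
            if (-not $row.NextUpdate) { $row.Note = 'downloaded, but the body is not a parseable CRL' }
        }
    } catch {
        # A 401 here is the thread's symptom: the web server is challenging for credentials.
        $row.Status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        $row.Note = $_.Exception.Message
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    return [pscustomobject]$row
}

Get-PublicationUrls -Path $CertPath |
    ForEach-Object { Test-PublicationUrl -Kind $_.Kind -Url $_.Url } |
    Format-Table -AutoSize
```

Save it as Test-PkiUrls.ps1 and run it as .\Test-PkiUrls.ps1 -CertPath 'D:\WWWPKIpub\rootca.crt' (or whatever file actually exists, which was Paul Adare's point about certutil earlier in the thread). A row with Status 401 points at IIS authentication; a 200 with an empty NextUpdate means the URL serves something other than a CRL; a 200 whose NextUpdate is in the past means the new CRL was never copied over the old one. The same ground is covered by certutil -urlfetch -verify <file> once it is given a real path, but this version shows each URL's result separately, the way pkiview.msc does.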
Wednesday, March 5, 2014 3:30 PM
I checked it and the location seems to be correct; the webfolder points to the physical location of those files:
Requested URL: http://pki.*********.org:80/pki
Physical Path: D:\WWWPKIpub
Here is a screenshot again:
Initially, I found that the website couldn't be browsed:
"The Web server is configured to not list the contents of this directory."
I have since enabled it and can now browse to that directory; the new crl file is there and the root CA certificate is there too (they can both be opened from that location).
I restarted the IIS service, yet the "Unable to download" message is still showing.
Also the CA service can still not be started.
Any other suggestions please?
Marco S
Wednesday, March 5, 2014 4:17 PM
On Wed, 5 Mar 2014 15:30:42 +0000, Mark-199 wrote:
I checked it and the location seems to be correct; the webfolder points to the physical location of those files:
Requested URL: http://pki.*********.org:80/pki
Physical Path: D:\WWWPKIpub
Here is a screenshot again: <http://social.technet.microsoft.com/Forums/getfile/427673>
I still think this problem is cause by the fact that the CA service won't start.
Any other ideas please?
What happens when you try to use that URL in a browser?
Paul Adare - FIM CM MVP
"Opinions are like assholes, I'll let you know when I want yours."
-- David Cross and/or Bob Odenkirk
Wednesday, March 5, 2014 4:47 PM
Interestingly, I can only browse to that address via "IP address/pki". If I use the name "pki.*********.***/pki" a Windows authentication prompt appears and it doesn't matter what account I try, it won't allow me to logon.
Marco S
Wednesday, March 5, 2014 4:50 PM
On Wed, 5 Mar 2014 16:47:13 +0000, Mark-199 wrote:
Interestingly, I can only browse to that address via "IP address/pki". If I use the name "pki.*********.***/pki" a Windows authentication prompt appears and it doesn't matter what account I try, it won't allow me to logon.
You'll need to resolve the problems with IIS then.
Paul Adare - FIM CM MVP
To clean and uninfected by the Empire remain, Emacs you use must.
-- Tollef Fog Heen
Wednesday, March 5, 2014 6:26 PM
Interestingly, I can only browse to that address via "IP address/pki". If I use the name "pki.*********.***/pki" a Windows authentication prompt appears and it doesn't matter what account I try, it won't allow me to logon.
Marco S
disable authentication for the web site. I agree with Paul, you have to sort things with IIS first.
Friday, March 7, 2014 3:51 PM
Ok, I'll consult with an IIS specialist; even after changing the permissions on the WWWPKIpub folder, I am still prompted by what looks like Windows Integrated Integration to logon but unable to logon with an account that has explicit full permissions on that folder.
If I browse to that folder via IP address however, it shows all the contents...
Marco S