Error issuing certificates from WS03 cert svc



Hi,

I'm having trouble with issuing certificates from a Windows Server 2003 enterprise (subordinate) issuing CA. The CA rejects requests with a warning in the Windows Application Log (Event ID: 53, Source: CertSvc): "Certificate Services denied request 932 because: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for <here comes specific cert subject info>. Additional information: Error Constructing or Publishing Certificate"

The setup is a three-level hierarchy with offline policy and root CAs set up according to Microsoft's best practice PKI white paper and Brian Komar's MSPress PKI book. All CAs' CRLs are published on a web server (http) and in AD (ldap). The policy CA has a revoked CA cert superseded by a renewed valid CA cert. The issuing CA has one revoked CA cert superseded by two renewed valid CA certs. All certs are likewise published on the web server and in AD, but revoked certs have been removed from the web server. Validity of cert and trust chain of issuing CA's valid certs has been successfully verified with certutil -verify -urlfetch <CA_certs>.

Trouble began after root and policy CA CRLs expired and were renewed too late. Now, all CRLs are current/valid as verified using certutil. Still, the issuing CA denies requests with the above error message - except in a very few apparently random cases.

Anybody experienced this or has any ideas?

Thanks very much.


Best regards,
Thomas Godsk Joergensen
thomas@xxxxxxxxx
