Re: Error issuing certificates from WS03 cert svc



Your problem was the removal of the revoked certificates. By removing the
certificates, you will get the message regarding being unable to determine
the revocation information.

When you use certutil -verify -urlfetch, do it against a leaf or end-entity
certificate.
Also, what does PKIView.msc show?
brian

On Tue, 17 Apr 2007 22:53:07 +0200, Thomas Godsk Jørgensen wrote:

Hi,

I'm having trouble with issuing certificates from a Windows Server 2003
enterprise (subordinate) issuing CA. The CA rejects requests with a warning
in the Windows Application Log (Event ID: 53, Source: CertSvc): "Certificate
Services denied request 932 because: The revocation function was unable to
check revocation because the revocation server was offline. 0x80092013
(-2146885613). The request was for <here comes specific cert subject info>.
Additional information: Error Constructing or Publishing Certificate"

The setup is a three-level hierarchy with offline policy and root CAs set up
according to Microsoft's best practice PKI white paper and Brian Komar's
MSPress PKI book. All CAs' CRLs are published on a web server (http) and in
AD (ldap). The policy CA has a revoked CA cert superseded by a renewed
valid CA cert. The issuing CA has one revoked CA cert superseded by two
renewed valid CA certs. All certs are likewise published on the web server
and in AD, but revoked certs have been removed from the web server. Validity
of cert and trust chain of issuing CA's valid certs has been successfully
verified with certutil -verify -urlfetch <CA_certs>.

Trouble began after root and policy CA CRLs expired and were renewed too
late. Now, all CRLs are current/valid as verified using certutil. Still, the
issuing CA denies requests with the above error message, except in a very
few apparently random cases.

Has anybody experienced this, or does anybody have any ideas?

Thanks very much.


Best regards,
Thomas Godsk Joergensen
thomas@xxxxxxxxx
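
Added diagnostic script, not from either poster, that puts Brian's advice (run certutil -verify -urlfetch against a leaf cert) next to the expired-CRL cause Thomas describes: it runs the verify, then fetches every HTTP CDP named in the leaf and reports any CRL whose NextUpdate has passed. It assumes Windows with certutil.exe, Windows PowerShell 5.1 or later, and a leaf .cer file path in $LeafCerPath; the 'NextUpdate:' line it parses is certutil -dump output and locale-dependent.

```powershell
# Added example (not from the thread). Assumes: Windows with certutil.exe,
# Windows PowerShell 5.1+, and $LeafCerPath pointing at a .cer file of a
# certificate issued by the CA under test.
param([Parameter(Mandatory = $true)][string]$LeafCerPath)

# 1. Chain + revocation check against the leaf, as the reply recommends.
#    0x80092013 is CRYPT_E_REVOCATION_OFFLINE, the code in the CA's Event ID 53.
$verify = & certutil.exe -verify -urlfetch $LeafCerPath 2>&1 | ForEach-Object { "$_" }
Write-Host '--- certutil -verify -urlfetch: lines mentioning revocation or errors ---'
$verify | Where-Object { $_ -match 'Revocation|0x80092013|offline|expired|ERROR' } |
    ForEach-Object { Write-Host $_ }

# 2. Read the HTTP CDP URLs from the leaf's CRL Distribution Points extension
#    (OID 2.5.29.31). LDAP CDPs are skipped here; checking them needs an AD-joined host.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafCerPath
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning 'Leaf has no CDP extension; nothing to fetch.'; return }
$urls = [regex]::Matches($cdpExt.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }

# 3. Download each CRL and compare its NextUpdate with the current time.
#    Parsing the 'NextUpdate:' line with [datetime]::Parse assumes the system
#    locale matches the format certutil -dump prints.
$now = Get-Date
foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP ('crlcheck_{0}.crl' -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $dump = & certutil.exe -dump $tmp 2>&1 | ForEach-Object { "$_" }
        $m = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
        if (-not $m) { Write-Warning "$url : no NextUpdate line in certutil -dump output"; continue }
        $next = [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
        if ($next -lt $now) { Write-Warning ('{0} : CRL EXPIRED (NextUpdate {1})' -f $url, $next) }
        else { Write-Host ('{0} : CRL valid until {1}' -f $url, $next) }
    } catch {
        # An unreachable CDP yields the same 'revocation server offline' result as an expired CRL.
        Write-Warning ('{0} : download failed ({1})' -f $url, $_.Exception.Message)
    } finally {
        if (Test-Path $tmp) { Remove-Item $tmp -ErrorAction SilentlyContinue }
    }
}
```

Run it on a freshly issued leaf from each CA in the chain; a CDP that downloads fine but reports an expired NextUpdate points at a CA whose CRL was not re-published in time, which is the failure the thread describes.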


