revocation server was offline 0x80092013


Hey experts!

Lately I have decided to test SCCM integrated with Intel vPro. While installing the certificates needed, I ran into a problem:

I'm installing 2 2012 R2 servers:

1 - root CA

2 - issuing CA

While I'm trying to install the root CA certificate on the issuing CA server, I'm having an error:

and the service does not start...

When I run the "certutil -f -urlfetch -verify certificate.cer" command:

issuer:
    cn=root ca
    dc=domain
    dc=domain
  name hash(sha1): 76dc5f91bdee41fce9bc3f078e3b5a9a4096c982
  name hash(md5): 028f9d0a45e71070624798b55e641a22
subject:
    cn=issuing ca
    dc=domain
    dc=domain
  name hash(sha1): b337b89ca342a554f66d1b008382705b2a5ce757
  name hash(md5): 7db91b744f03b05052b80bbe6c1448bf
cert serial number: 16000000024f48313fe3cbe647000000000002

dwflags = ca_verify_flags_allow_untrusted_root (0x1)
dwflags = ca_verify_flags_ignore_offline (0x2)
dwflags = ca_verify_flags_full_chain_revocation (0x8)
dwflags = ca_verify_flags_console_trace (0x20000000)
dwflags = ca_verify_flags_dump_chain (0x40000000)
chainflags = cert_chain_revocation_check_chain (0x20000000)
hcce_local_machine
cert_chain_policy_base
-------- cert_chain_context --------
chaincontext.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
chaincontext.dwerrorstatus = cert_trust_revocation_status_unknown (0x40)
chaincontext.dwerrorstatus = cert_trust_is_offline_revocation (0x1000000)

simplechain.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
simplechain.dwerrorstatus = cert_trust_revocation_status_unknown (0x40)
simplechain.dwerrorstatus = cert_trust_is_offline_revocation (0x1000000)

certcontext[0][0]: dwinfostatus=102 dwerrorstatus=1000040
  issuer: %root ca distinguished name%
  notbefore: 11/08/2016 15:20
  notafter: 11/08/2021 14:59
  subject: %issuing ca distiguished name%
  serial: 16000000024f48313fe3cbe647000000000002
  template: subca
  303b7896e5124edafcdbe621b1c4c2c34b23305f
  element.dwinfostatus = cert_trust_has_key_match_issuer (0x2)
  element.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
  element.dwerrorstatus = cert_trust_revocation_status_unknown (0x40)
  element.dwerrorstatus = cert_trust_is_offline_revocation (0x1000000)
  ----------------  certificate aia  ----------------
  failed "aia" time: 0
    error retrieving url: internal server error (500). 0x801901f4 (-2145844748 http_e_status_server_error)
    http://issuingca/domain/domain/certdata/rootca.domain.domain_rootca.crt

  ----------------  certificate cdp  ----------------
  failed "cdp" time: 0
    error retrieving url: internal server error (500). 0x801901f4 (-2145844748 http_e_status_server_error)
    http://issuingca.domain.domain/certdata/rootca.crl

  ----------------  certificate ocsp  ----------------
  no urls "none" time: 0
  --------------------------------

certcontext[0][1]: dwinfostatus=10c dwerrorstatus=0
  issuer: %root ca distinguished name%
  notbefore: 11/08/2016 14:49
  notafter: 11/08/2021 14:59
  subject: %distinguished ame%
  serial: 24fced066010599045e6b62bcfd0b703
  template: ca
  fea78351f5aba76cebd3f6c221e763057bd874ce
  element.dwinfostatus = cert_trust_has_name_match_issuer (0x4)
  element.dwinfostatus = cert_trust_is_self_signed (0x8)
  element.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
  ----------------  certificate aia  ----------------
  no urls "none" time: 0
  ----------------  certificate cdp  ----------------
  no urls "none" time: 0
  ----------------  certificate ocsp  ----------------
  no urls "none" time: 0
  --------------------------------

exclude leaf cert:
  303b7896e5124edafcdbe621b1c4c2c34b23305f
full chain:
  b830fed31c014f8f003624b045a964e514d5860e
------------------------------------
verified issuance policies: none
verified application policies: all
cert ca certificate

error: verifying leaf certificate revocation status returned revocation function unable check revocation because revocation server offline. 0x80092013 (-2146885613 crypt_e_revocation_offline)
certutil: revocation function unable check revocation because revocation server offline.

certutil: -verify command completed successfully.

any ?




Hi,

Can you connect with the telnet client to port 80 on issuingca.domain.domain?

To get more information on the HTTP error 500, you'll need to check the IIS logs or the local Event Viewer for more information on the nature of the application fault. I favour the former, as the second error code is quite relevant (i.e. at the end of the IIS log file lines, you'll find 4 numbers; the first being the 500 major error code, while the next one provides more context).

As an aside, you shouldn't have a flat name in the AIA URL host (unless that's a search and replace issue in the post). It's not that it won't work, it's just not good practice.

Cheers,
lain
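
The IIS log check suggested in the reply above, as an added PowerShell example that is not part of the original thread: it reads the `#Fields:` header of a W3C log and lists failed requests for `.crl`/`.crt` files with their status, sub-status and Win32 status. The function name, the sample log lines and the addresses in them are constructed for illustration.

```powershell
# Added example: report failed AIA/CDP downloads from IIS W3C log lines.
function Get-IisFailedPkiRequest {
    param(
        [string[]] $LogLine,
        [string] $UriPattern = '\.(crl|crt)$'   # CDP and AIA file extensions
    )
    $fields = @()
    foreach ($line in $LogLine) {
        if ($line -like '#Fields:*') {
            # The directive names the columns of the entries that follow it.
            $fields = @(($line -replace '^#Fields:\s*', '') -split '\s+' |
                Where-Object { $_ })
            continue
        }
        # Skip other directives, blank lines, and entries seen before any header.
        if ($line.StartsWith('#') -or -not $line.Trim() -or $fields.Count -eq 0) { continue }
        $values = $line.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or foreign line
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        if ($entry['cs-uri-stem'] -notmatch $UriPattern) { continue }
        if ([int]$entry['sc-status'] -lt 400) { continue }   # keep 4xx/5xx only
        [pscustomobject]@{
            Time        = '{0} {1}' -f $entry['date'], $entry['time']
            Client      = $entry['c-ip']
            Uri         = $entry['cs-uri-stem']
            Status      = '{0}.{1}' -f $entry['sc-status'], $entry['sc-substatus']
            Win32Status = [long]$entry['sc-win32-status']
        }
    }
}

# Constructed sample lines (not the poster's log). For a real file, pass
# (Get-Content <path to the site's u_ex*.log>) as -LogLine instead.
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken'
    '2016-01-01 10:00:02 192.0.2.10 GET /certdata/rootca.crl - 80 - 192.0.2.20 Microsoft-CryptoAPI/6.3 - 500 19 13 15'
    '2016-01-01 10:00:05 192.0.2.10 GET /iisstart.htm - 80 - 192.0.2.20 Mozilla/5.0 - 200 0 0 3'
)
Get-IisFailedPkiRequest -LogLine $sample | Format-Table -AutoSize
```

With the sample above, only the `/certdata/rootca.crl` request is listed, with `Status` shown as `500.19` and `Win32Status` as `13`.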


