ADCS intermediate CA unable to check revocation of status of its own certificate

0

We have a root certificate authority made with OpenSSL. It's file-based, runs on RHEL, and uses "serial" and "index.txt" etc.

Now in a lab environment we have added an intermediate standalone certificate authority using Active Directory Certificate Services, standalone (i.e. not an AD or domain member), running on Windows Server 2012 (all latest updates applied). We signed the intermediate CA with our root and ADCS is up and running successfully. But what we're finding is that we actually cannot issue any certs from this intermediate CA.

When we use the management console and attempt to issue a requested cert, the cert ends up in "Failed Requests" with the message:

Active Directory Certificate Services denied request 4 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).  
The request was for CN=obelisk.sand.idfconnect.lan, OU=IDFC, O="IDF Connect, Inc.", L=Wilmington, S=Delaware, C=US.  Additional information: Error Constructing or Publishing Certificate  Resubmitted by OBELISK\Administrator

If I look at the request, I can see the CRL Distribution Point is defined as:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=file:////obelisk.sand.idfconnect.lan/CertEnroll/Obelisk Intermediate CA.crl (file:////obelisk.sand.idfconnect.lan/CertEnroll/Obelisk%20Intermediate%20CA.crl)

If I use IE to browse that file:// URL, it pops open Windows Explorer, where I see the files I'd expect, i.e.

  • nsrev_Obelisk Intermediate CA.asp
  • Obelisk Intermediate CA.crl
  • Obelisk Intermediate CA+.crl
  • obelisk.sand.idfconnect.lan_Obelisk Intermediate CA.crt

Lastly, when I view the properties of the intermediate CA from the MMC, and look at its certificate, at the bottom of the details it says: "Extended Error Information: Revocation Status : The revocation function was unable to check revocation for the certificate."

Any advice to get this intermediate CA working greatly appreciated!

certificate
windows-server-2012
ca
asked on Stack Overflow Apr 27, 2017 by Richard Sand

1 Answer

0
  1. Add the public root certificate to the machine store (certlm.msc) trusted root certificate authorities.
  2. Add the public root certificate CRL to the machine store (certlm.msc) trusted root certificate authorities.

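The failure in the question and the fix in the answer are two sides of one check: before ADCS issues anything, it builds a revocation-checked chain for its own CA certificate, and that needs both the root certificate and the root's CRL to be available to the CA host. The following shell script, added here as an illustration and not code from the question or the answer, reproduces that check with a throwaway file-based OpenSSL root CA (serial and index.txt, as in the question): it issues an intermediate CA certificate, shows `openssl verify -crl_check_all` failing while the root CRL is absent, then publishes the root CRL with `openssl ca -gencrl` and verifies again. All names (Demo Root CA, Demo Intermediate CA, the file names and the working directory) are constructed for the example.

```shell
#!/bin/sh
# Constructed demo: a file-based OpenSSL root CA, an intermediate CA cert
# issued by it, and chain verification with revocation checking enabled.
# Every name and path here is an assumption for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
mkdir -p newcerts
: > index.txt            # the CA database, as in the question
echo 1000 > serial
echo 1000 > crlnumber

# Minimal openssl.cnf for the root CA (kept to what 'req', 'ca' and
# '-gencrl' need).
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.crt
private_key = $dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
x509_extensions = sub_ca_ext
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Root CA
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ sub_ca_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed root certificate and key.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -config openssl.cnf -extensions root_ext -days 365 >/dev/null 2>&1

# CSR standing in for the ADCS intermediate CA's request, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -config openssl.cnf -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
openssl ca -batch -config openssl.cnf -in sub.csr -out sub.crt -notext \
  >/dev/null 2>&1

# verify_chain [crlfile]: exit 0 when the intermediate certificate verifies
# against the root WITH revocation checked for every cert in the chain.
# Without a CRL for the root this fails with "unable to get certificate CRL",
# the OpenSSL counterpart of CRYPT_E_NO_REVOCATION_CHECK on Windows.
verify_chain() {
  if [ -n "${1:-}" ]; then
    openssl verify -crl_check_all -CAfile root.crt -CRLfile "$1" sub.crt \
      >/dev/null 2>&1
  else
    openssl verify -crl_check_all -CAfile root.crt sub.crt >/dev/null 2>&1
  fi
}

if verify_chain; then
  echo "unexpected: chain verified with no root CRL available"
else
  echo "no root CRL: revocation check fails, as in the question's error"
fi

# Publish the root CRL (valid default_crl_days = 30 days); this is the
# file the CA host needs next to the root certificate.
openssl ca -config openssl.cnf -gencrl -out root.crl >/dev/null 2>&1

verify_chain root.crl && echo "root CRL present: chain verifies OK"
```

On the Windows side the trust material is what the answer installs: `certutil -addstore Root root.crt` and `certutil -addstore Root root.crl` put the root certificate and its CRL in the machine store, and `certutil -verify -urlfetch` run against the intermediate CA's certificate reports the same revocation status the ADCS service sees. Because a CRL carries a next-update time, the root must re-publish and the CA host must receive a fresh CRL before the current one expires, or the same CRYPT_E_NO_REVOCATION_CHECK failure returns.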


User contributions licensed under CC BY-SA 3.0