The certification authority service does not start and throws the error message "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

A corresponding error message can also be found in the Event Viewer (Event ID 100) of the Certification Authority:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  ADCS Labor Issuing CA 3 The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Cause


In this case, the certification authority cannot check the revocation status of the certification authority certificate currently in use. Either the revocation list cannot be retrieved (the distribution point is offline or blocked by a firewall), or the revocation list has expired; both cases produce the CRYPT_E_REVOCATION_OFFLINE error code.

This error occurs only with the certification authority certificate currently in use. The certification authority always uses the most recently installed of its certificates for issuing certificates, so the check is not performed against the previous certification authority certificates, and the error should not occur with those.

Workaround: Disable revocation list check for the certification authority

The preferred solution should always be to eliminate the cause of the failed retrieval of revocation information.

It is not always possible to restore the availability of the revocation status information in time, for example because it depends on an external entity.

In such cases, the revocation list check for the certification authority can be disabled as a temporary solution. To do this, the CRLF_REVCHECK_IGNORE_OFFLINE flag must be set on the certification authority.

First, the following command line command should be used to view the current configuration:

certutil -getreg CA\CRLFlags

In the output of this command, a flag that is not active, such as CRLF_REVCHECK_IGNORE_OFFLINE in this case, is shown indented and enclosed in parentheses. The flag can be set with the following command line command:

certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Afterwards, the certification authority service must be restarted.

The flag can be removed again with the following command:

certutil -setreg CA\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE

Is there a solution for the case that the certificate authority certificate does not contain any revocation information?

In this case, too, the preferred option is to clarify why the certification authority certificate does not contain any revocation information and to resolve the underlying cause.

Under certain circumstances, a certificate is obtained from another certification authority that does not contain any revocation information (neither CRL nor OCSP).

For this case, the CRLF_REVCHECK_IGNORE_NOREVCHECK flag can be enabled in the same way.
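The following PowerShell script is an added example (not part of the original post) that complements the certutil commands above for both flags: it reads the active CA's CRLFlags value directly from the registry, reports whether the temporary CRLF_REVCHECK_IGNORE_OFFLINE or CRLF_REVCHECK_IGNORE_NOREVCHECK workaround is still in place, and then lets certutil fetch the CRL/OCSP URLs of the CA certificate currently in use so the actual retrieval failure becomes visible. It assumes it runs on the CA host with local administrator rights; the flag bit values are taken from certsrv.h and should be verified against your SDK headers.

```powershell
# Added example, not from the original post or from Microsoft.
# Audits the CA for the temporary revocation-check workaround and tests
# whether the revocation information of the current CA certificate can be fetched.
# Assumption: bit values as defined in certsrv.h (verify against your SDK headers).
$CRLF_REVCHECK_IGNORE_OFFLINE    = 0x8
$CRLF_REVCHECK_IGNORE_NOREVCHECK = 0x20000

# The CA service stores its configuration below this key; "Active" names the CA instance.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$crlFlags  = (Get-ItemProperty -Path "$configKey\$caName" -Name CRLFlags).CRLFlags

Write-Host ("CA '{0}': CRLFlags = 0x{1:X}" -f $caName, $crlFlags)

# Report workaround flags that are still set, so they are not forgotten once the root cause is fixed.
if ($crlFlags -band $CRLF_REVCHECK_IGNORE_OFFLINE) {
    Write-Warning 'CRLF_REVCHECK_IGNORE_OFFLINE is set: an unreachable or expired CRL for the CA certificate is ignored. Remove the flag once revocation information is available again.'
}
if ($crlFlags -band $CRLF_REVCHECK_IGNORE_NOREVCHECK) {
    Write-Warning 'CRLF_REVCHECK_IGNORE_NOREVCHECK is set: a CA certificate without any CRL/OCSP information is accepted.'
}

# The CA always uses its most recently issued certificate, so pick the newest one
# from the local machine store (this works even while the CA service is stopped).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $caCert) {
    Write-Error "No certificate with subject CN=$caName found in Cert:\LocalMachine\My"
    return
}

# Let certutil retrieve every CDP/AIA/OCSP URL of the certificate and show which one fails;
# an unreachable or expired CRL here is the cause behind 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).
$caCertPath = Join-Path $env:TEMP 'ca-current.cer'
Export-Certificate -Cert $caCert -FilePath $caCertPath -Force | Out-Null
certutil -verify -urlfetch $caCertPath | Select-String -Pattern 'Revocation|ERROR|Failed|Verified|Expired'
```

The filtered certutil output lists each fetched URL as Verified or Failed and ends with the overall revocation status, which tells you whether the distribution point is unreachable or the revocation list has merely expired.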
