The certification authority service does not start and throws the error message "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".

Author Uwe GradeneggerPosted on Categories Troubleshooting, Certification AuthorityTags

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

A corresponding error message can also be found in the event display (Event no. 100) of the Certification Authority:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  ADCS Labor Issuing CA 3 The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Cause

In this case, the certification authority cannot check the revocation status of the certification authority certificate currently in use. Either the revocation list cannot be retrieved (offline, blocked by firewall), or it has expired (in both cases the CRYPT_E_REVOCATION_OFFLINE error code is generated).

This error occurs only with the currently used certificate authority certificate. The certification authority always uses the last of the installed certificates for issuing certificates. This error should not occur with the previous certification authority certificates.

Workaround: Disable revocation list check for the certification authority

The preferred solution should always be to eliminate the cause of the failed lock information retrieval.

It is not possible in all cases to restore the availability of the revocation status information in time, for example, because one depends on an external entity.

As Temporary solution can be used to disable the revocation list check for the certification authority in such cases. To do this, the CRLF_REVCHECK_IGNORE_OFFLINE flag must be set on the certification authority.

First, the following command line command should be used to view the current configuration:

certutil -getreg CA\CRLFlags

In the above example, the CRLF_REVCHECK_IGNORE_OFFLINE flag is indented and enclosed in parentheses, indicating that it is not active. It can be set with the following command line command:

certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Afterwards, the certification authority service must be restarted.

The flag can be removed again with the following command:

certutil -setreg CA\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE

Is there a solution for the case that the certificate authority certificate does not contain any revocation information?

In this case, too, the preferred option is to clarify why the certification authority certificate does not contain any revocation information and to resolve the underlying cause.

Under certain circumstances, a certificate is obtained from the other certification authority that does not have any revocation information (CRL or OCSP).

For this case, the CRLF_REVCHECK_IGNORE_NOREVCHECK flag can be enabled in the same way.

Related links:

External sources

10 thoughts on “Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)“”

  1. Pingback: The certificate authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)" - Uwe Gradenegger
  2. Pingback: What impact does incorrect revocation information of a certification authority certificate have on the certification authority? - Uwe Gradenegger
  3. Pingback: Details about the event with ID 48 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  4. Pingback: Details about the event with ID 100 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  5. Pingback: The certification authority service does not start and throws the error message "The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)" - Uwe Gradenegger
  6. Pingback: Performing a functional test for a Certification Authority - Uwe Gradenegger
  7. Pingback: When installing a new certificate authority certificate you get the error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)" - Uwe Grade
  8. Pingback: Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)" - Uw
  9. Pingback: Deconstruction of an Active Directory integrated certification authority (Enterprise CA) - Uwe Gradenegger
  10. Pingback: Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined." - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish