When you try to request a new certificate you receive the following error "The Revocation Function was Unable to Check Revocation Because the Revocation Server was Offline 0x800092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) The Request ID is 57" and the certificate fails to enrol.
Solution
If you check the Certificate Authority console you will see the CA is not operational as the icon has turned black.
After some research this error is caused by one of the following things;
- The CRL location (CDP) is unreachable
- The CRL location (CDP) is unpublished
- The CRL has expired and a new one was not published
- The CRL is reachable but the cient is picking up from the old cache
I knew the issuing CA was online so the first one was ruled out, I knew the CRL had been published to the CDP location as it was operational last week. It then began to look like the CRL had expired. I opened up the CRL file which was hosted on my Issuing CA, and checked the Next Update field, as you can see it was out of date by more than two weeks.
On the offline CA, where the CRL is generated I checked to see if the CRL dates matched, and they did not meaning that the new CRL had not been copied across to the issuing CA.
The next step was to copy the new CRL file across to the issuing CA into the location that is configured to host the CRL, in my environment the CRL is published to an IIS website.
Once this complete the Certificate Authority came back online and certs could be issues.
Workaround
If for whatever reason you did not want the CRL to be updated, you can configure the CA to ignore any errors related to the CRL life, it is done using the following commands;
If the CA is set to ignore CRL errors you are at risk your AD CS infrastructure is not functioning correctly.
