Wednesday 20 May 2015

Active Directory Certificate Services: Extending CRL Validity Period The Revocation Function was Unable to Check Revocation Because the Revocation Server was Offline 0x800092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

This is my second post on a very similar error a work around to the same problem can be found here: http://blog.ryanbetts.co.uk/2015/02/ad-cs-revocation-function-was-unable-to.html although this solution properly fixes the problem.

I have come across this issue on a number of occasions and it is down to the CRL installed on the Online Issuing CA being expired. In the environment where I have had this today, there is an Offline Root CA and an Online Issuing CA, the Offline CA issues the CRL to the Online CA. By default AD CS sets the CRL Validity Period to 1 Week, which in most places is not ideal as an Administrator has to manually copy the new CRL between the Offline and Online CA's once a week.
Your Online CA is in the disabled state, and when you try to manually start the AD CS service you are faced with "The Revocation Function was Unable to Check Revocation Because the Revocation Server was Offline 0x800092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)"

This is because the CRL that is configured to ensure your Root Certificate is valid has expired, this is issued from the Offline CA. If you open the CRL file itself you will notice it has an Effective Date and a Next Update date. The image below would actually be valid the day I posted this blog post but if you get the "The Revocation Function was Unable to Check Revocation Because the Revocation Server was Offline 0x800092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)" error, the chances are the date in the Next Update field  has already passed.

On the Issuing CA there is actually two CRL's, one for the Root Certificate (which will only be regenerated if the Root Certificate server is compromised or expired and needs regenerating). The second CRL is the one managed and automatically updated by the Online CA, this hosts a list of revoked certificates issued by the Online CA. You do not need to alter this unless you want to.
On the Offline CA, open Certificate Authority and right click Revoked Certificates and select Properties.

As my Root Certificate is valid for two years I have changed the CRL Publication Interval to 2 Years.

Right click on Revoked Certificates and All Tasks, then select Publish.

Click New CRL and then OK.

Now if you open the CRL file from the Offline CA you will see the Next Update is two years from the date of issue.

Now simply copy and replace the CRL on the Issuing CA and AD CS should start without issue.