Certificate Services – Disable CRL Checking

KB ID 0001144 

Problem

Sometimes the services on your CA server will stop and complain about not being able to see your CRL, and some times the service will just refuse to start with the following error;

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Solution

OK the way to fix this permanently is to fix your CRL and make sure it’s setup properly, a CRL has been published and is in date, and the CA server can see it.

Windows Certificate Services – Setting up a CRL

That might take a while, in the mean time, the way to get the services up and issuing is to temporarily stop the CA server checking for CRL services. Open an administrative command window and issue the following command;

[box]

Certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

[/box]

You will need to restart the certificate services.

[box]

net stop certsvc

net start certsvc

[/box]

Once your CRL problem is resolved you can re-enable CRL checking with the following command;

[box]

Certutil –setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE

[/box]

Related Articles, References, Credits, or External Links

NA

3 thoughts on “Certificate Services – Disable CRL Checking

Leave a Reply

Your email address will not be published. Required fields are marked *