Certificate Services – Disable CRL Checking

KB ID 0001144 

Problem

Sometimes the services on your CA server will stop and complain about not being able to see your CRL, and some times the service will just refuse to start with the following error;

CRYPT_E_REVOCATION_OFFLINE

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Solution

OK the way to fix this permanently is to fix your CRL and make sure it’s setup properly, a CRL has been published and is in date, and the CA server can see it.

Windows Certificate Services – Setting up a CRL

That might take a while, in the mean time, the way to get the services up and issuing is to temporarily stop the CA server checking for CRL services. Open an administrative command window and issue the following command;

Certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Disable CRL check

You will need to restart the certificate services.

net stop certsvc

net start certsvc

Restart Cert Services

Once your CRL problem is resolved you can re-enable CRL checking with the following command;

Certutil –setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

3 Comments

  1. short & perfect, thanks!

    Post a Reply

Leave a Reply to PeteLong Cancel reply

Your email address will not be published. Required fields are marked *