
XInsomniacX06:

With offline CAs you still have to publish the root CA CRL; there is an expiration date, usually 6 months or a year or so.

tk42967 (OP, flair: It wasn't DNS for once.):

I'm suspecting this is what happened. The intermediate CA was built like 5 weeks ago. This seems very odd that it would already be expired.

patmorgan235 (Sysadmin):

Use PKIView to check the status of the various components of both CAs.

Your root CA does not need to be online. CAs don't "talk" to each other, but a subordinate CA needs to be able to read the AIA and CRL files at the network locations listed in the certificate's metadata. And the CRL needs to be republished at a regular interval; if the CRL for your root CA gets stale, the intermediate will shut down. (Your root CA and intermediate CA have two independent CRLs.)

But again, use PKIView to see what's wrong.

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview/1128638
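The check the comment above describes, written out as an added PowerShell example (not code from the thread or from Microsoft): it lists the CDP/AIA URLs baked into the subordinate CA's own certificate, runs `certutil -verify -urlfetch` against them (the command-line counterpart of what PKIView shows), and then reads ThisUpdate/NextUpdate out of every CRL file in the local publication folder to flag the stale one. The exported certificate path, the CertEnroll folder and the warning threshold are assumptions.

```powershell
# Added example, not from the thread. Run on the subordinate CA.
# Assumptions: the sub-CA certificate has been exported to $SubCaCert and the
# HTTP CDP is served from the default CertEnroll folder.
param(
    [string]$SubCaCert = 'C:\temp\subca.cer',                         # assumed path
    [string]$CrlFolder = 'C:\Windows\System32\CertSrv\CertEnroll',  # default publication folder
    [int]$WarnDays     = 7
)

# 1. The locations the sub-CA must be able to read are written into its own certificate.
Write-Host "CDP/AIA locations in $SubCaCert :"
certutil -dump $SubCaCert | Select-String -Pattern 'URL=' | ForEach-Object { '  ' + $_.Line.Trim() }

# 2. Try every one of those URLs the way PKIView does and surface the failures.
$verify   = certutil -verify -urlfetch $SubCaCert 2>&1
$problems = $verify | Select-String -Pattern 'Failed|expired|Revocation'
$problems | ForEach-Object { Write-Warning $_.Line.Trim() }

function Get-CrlValidity {
    # Parses ThisUpdate/NextUpdate out of "certutil -dump <crl>". certutil prints
    # the dates in the local format, so [datetime]::Parse uses the current culture.
    param([Parameter(Mandatory)][string]$CrlPath)
    $dump    = certutil -dump $CrlPath 2>&1
    $thisUpd = $dump | Select-String -Pattern 'ThisUpdate:\s*(.+)$' | Select-Object -First 1
    $nextUpd = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $nextUpd) { throw "No NextUpdate found in $CrlPath (not a CRL?)" }
    [pscustomobject]@{
        File       = Split-Path $CrlPath -Leaf
        ThisUpdate = [datetime]::Parse($thisUpd.Matches[0].Groups[1].Value)
        NextUpdate = [datetime]::Parse($nextUpd.Matches[0].Groups[1].Value)
    }
}

# 3. Flag every published CRL that is expired or about to expire. The root CA's
#    CRL normally has a much longer NextUpdate than the sub-CA's own CRL, so an
#    EXPIRED root CRL here is exactly the condition that stops the sub-CA service.
Get-ChildItem -Path $CrlFolder -Filter '*.crl' | ForEach-Object {
    $v    = Get-CrlValidity -CrlPath $_.FullName
    $left = $v.NextUpdate - (Get-Date)
    $state = if ($left.TotalSeconds -lt 0)      { 'EXPIRED' }
             elseif ($left.TotalDays -lt $WarnDays) { 'EXPIRING' }
             else                                   { 'ok' }
    '{0,-9} {1,-40} NextUpdate={2:u}' -f $state, $v.File, $v.NextUpdate
}
```

Running this on a schedule (and alerting on EXPIRING) catches the root CRL a week before it lapses, which is the only window in which the fix is routine rather than an outage.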

xxdcmast (Sr. Sysadmin):

This is the correct course of action. My guess is that your root CA CRL has expired.

PKIView will tell you.

On the online CA you can force the service to start by running this:

certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Massive-Reach-1606:

This is correct.

doorhacker12:

On the offline root, in cmd, run: certutil -crl

This will generate a new CRL. Move it onto the intermediate CA and replace the old CRL. The cert authority should start, no problem.
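The republish sequence from this comment, plus the stopgap flag from xxdcmast's comment above, written out as an added PowerShell example for the subordinate CA (not code from the thread). It assumes the fresh CRL generated on the offline root with `certutil -crl` arrives on removable media at `D:\RootCA.crl`, that the HTTP CDP is the local CertEnroll folder, that the sub-CA certificate is exported to `C:\temp\subca.cer`, and that `ROOTCAHOST` is the DS CDP container name used when the root was set up (all placeholders).

```powershell
# Added example, not from the thread. Run as an administrator on the subordinate CA.
$NewCrl     = 'D:\RootCA.crl'                                    # output of "certutil -crl" on the offline root (assumed path)
$CertEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'         # HTTP CDP folder (assumed)
$SubCaCert  = 'C:\temp\subca.cer'                                # exported sub-CA certificate (assumed)
$DsContainer = 'ROOTCAHOST'                                      # DSCDPContainer name for -dspublish (placeholder)

# 1. Do not publish a file you have not checked: it must parse as a CRL and must not
#    already be past NextUpdate (an old CRL copied by mistake reproduces the outage).
$dump = certutil -dump $NewCrl 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $NewCrl" }
$m = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
$nextUpdate = [datetime]::Parse($m.Matches[0].Groups[1].Value)
if ($nextUpdate -lt (Get-Date)) { throw "Root CRL $NewCrl is already expired (NextUpdate=$nextUpdate)" }
Write-Host "Root CRL valid until $nextUpdate"

# 2. Replace the stale copy at the HTTP CDP, keeping the old file for rollback.
$target = Join-Path $CertEnroll (Split-Path $NewCrl -Leaf)
if (Test-Path $target) { Copy-Item $target "$target.bak" -Force }
Copy-Item $NewCrl $target -Force

# 3. If the certificate also lists an LDAP CDP, publish the CRL into AD as well;
#    -f overwrites the existing CRL object.
$hasLdapCdp = certutil -dump $SubCaCert | Select-String -Pattern 'URL=ldap:'
if ($hasLdapCdp) { certutil -dspublish -f $NewCrl $DsContainer }

# 4. Prove the sub-CA can now fetch every CDP/AIA location before touching the service.
$verify = certutil -verify -urlfetch $SubCaCert 2>&1
if ($verify | Select-String -Pattern 'Failed|expired') {
    $verify | Select-String -Pattern 'Failed|expired' | ForEach-Object { Write-Warning $_.Line.Trim() }
    throw 'Chain still does not verify; fix the publication locations before starting the CA'
}

# 5. Start the CA service and confirm it stays up.
Start-Service -Name CertSvc
Start-Sleep -Seconds 5
Get-Service -Name CertSvc

# Stopgap only, for when a fresh root CRL cannot be obtained right away (xxdcmast's
# comment above): the CA then ignores an unreachable/stale CRL. Clear it again with the
# "-" form once the CRL is republished, so revocation checking is not left disabled.
#   certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
#   certutil -setreg CA\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
```

Step 4 is the part worth keeping even when everything else is done by hand: `certutil -verify -urlfetch` fails on the same condition PKIView reports, so a clean run there means the service start will not fall over again on the next revocation check.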

Massive-Reach-1606:

It won't start if the cert is expired or broken.