New video: Fixing expired Root CA CDP and Crypt_E_REVOCATION_OFFLINE problems


Configuration Manager 2309 has just been released, and I wanted to update one of my ConfigMgr labs to this version. Before doing that I could see that the PKI environment was not healthy, there were expired certificates and worse still an expired Root CA CDP. My usual fixes didn’t help so it was time to dig deeper with help from Stealthpuppy’s blog post here.

Long story short, when I power on a PKI based lab that’s been offline for a while I usually just restart certsrv.msc on the IssuingCA, this resolves most issues but in this case it wouldn’t even restart, I got an error (which I’ve seen before).

The revocation function was unable to check revocation because the revocation server was offline

To troubleshoot further, I issued the following:

certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

This allowed me to start certificate services on the IssuingCA and troubleshoot further. Please watch the video to see how I resolved the issues.

If you want some PKI guides look no further.

Setting up PKI

cheers !


This entry was posted in 2309, PKI. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.