Configuration Manager 2309 has just been released, and I wanted to update one of my ConfigMgr labs to this version. Before doing that I could see that the PKI environment was not healthy: there were expired certificates and, worse still, an expired Root CA CDP. My usual fixes didn’t help, so it was time to dig deeper with help from Stealthpuppy’s blog post here.
Long story short, when I power on a PKI-based lab that’s been offline for a while, I usually just restart certsrv.msc on the IssuingCA. This resolves most issues, but in this case it wouldn’t even restart; I got an error (which I’ve seen before).
The revocation function was unable to check revocation because the revocation server was offline
To troubleshoot further, I issued the following:
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
This allowed me to start certificate services on the IssuingCA and troubleshoot further. Please watch the video to see how I resolved the issues.
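The flag above tells the CA to ignore an unreachable or expired revocation source, so it is best treated as temporary. The following PowerShell is an added example, not the author's fix from the video: it applies the workaround, then clears the flag only once the Issuing CA certificate's chain passes an online revocation check. The path in `$CaCertPath` is a hypothetical location for an exported copy of the Issuing CA certificate, and the script assumes the Root CA CRL is renewed and republished to the CDP between the two stages.

```powershell
# Added example: run in an elevated PowerShell session on the Issuing CA.
# Assumption: hypothetical path to an exported copy of the Issuing CA certificate.
$CaCertPath = 'C:\Temp\IssuingCA.cer'

# Stage 1: record the current flags, then apply the temporary workaround.
certutil -getreg ca\CRLFlags
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Start-Service -Name CertSvc

# (Renew the expired Root CA CRL and publish it to the CDP before stage 2.)

# Stage 2: build the chain with online revocation checking. The Issuing CA
# certificate is checked against the CRL published by the Root CA.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chainOk = $chain.Build($cert)

# Show why the chain failed, if it did (for example OfflineRevocation).
$chain.ChainStatus | Format-Table Status, StatusInformation -AutoSize

if ($chainOk) {
    # Revocation data is reachable and current: restore strict checking.
    certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
    Restart-Service -Name CertSvc
    certutil -getreg ca\CRLFlags
} else {
    Write-Warning 'Chain still fails; CRLF_REVCHECK_IGNORE_OFFLINE left set. Fix the CDP/CRL first.'
}
```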
If you want some PKI guides look no further.
Setting up PKI
- Part 1 – Introduction and server setup
- Part 2 – Install and do initial configuration on the Standalone Offline Root CA
- Part 3 – Prepare the HTTP Web server for CDP and AIA Publication
- Part 4 – Post configuration on the Standalone Offline Root CA
- Part 5 – Installing the Enterprise Issuing CA
- Part 6 – Perform post installation tasks on the Issuing CA
- Part 7 – Install and configure the OCSP Responder role service
- Part 8 – Configure AutoEnroll and Verify PKI health
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 1
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 2