Re: Urgent - Subordinate Certification Authority Certificate Expired

Giganews Newsgroups
Subject: Re: Urgent - Subordinate Certification Authority Certificate Expired
Posted by:  Nick Domukhovsky (ndomukhovs…@ot.ru)
Date: Tue, 03 Apr 2007

> Hi,
>
> I have an offline root CA.
> My enterprise CA certificate expired last Saturday.
> Last Friday I had a new certificate installed on the enterprise CA and all
> worked fine.
>
> Today when I reached the office I have on the Enterprise CA console General
> tab a list of two certificates, one is expired and the other is OK. On my
> Domain Controllers I have an autoenrollment error that says that the DC can't
> get the certificate from the Enterprise CA:
>
> "Automatic certificate enrollment for local system failed to enroll for one
> Domain Controller certificate (0x80092013).  The revocation function was
> unable to check revocation because the revocation server was offline."
>
> I couldn't find any articles that can help on this, so usual an operation. Nobody
> has problems with this?
> How can I remove the CA's expired certificate? Do you think it's because of the
> old certificate in the CA that the DCs couldn't get the certificate?
>
> I don't know what to do... Please, any ideas would be appreciated.
>
> TIA,
>
> Clemente
> Portugal

Looks like you have problems with CRLs.
My suggestions:
1. Your new CA's certificate includes invalid CDPs (check with
   certutil -url <newCAcert filename>). If so, correct the CDPs at your offline root
   and reissue the certificate for your CA.
2. The CRL of your offline root also expired! Reissue the CRL at the offline root
   and republish it to your CDPs.

--
With best regards
Nickolay Domukhovsky, MCSA
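A script that walks both suggestions above from the administrator's side, added here as an example and not part of the original thread: it reads the CDP URLs out of the new CA certificate, fetches each HTTP CRL and reports whether its NextUpdate has passed. The certificate path is a placeholder, and the NextUpdate parsing assumes the locale-formatted date that certutil -dump prints.

```powershell
# Added example (not from the original thread): list the CRL Distribution Points
# in a CA certificate, download each HTTP CRL and flag unreachable or expired ones.
# Assumes the CA certificate was exported from the CA console to $CertPath.
param(
    [string]$CertPath = 'C:\temp\EnterpriseCA.cer'   # placeholder path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as text
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning 'Certificate carries no CDP extension'; return }

$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # ldap:/// and file:// CDPs are not fetched here; verify them with certutil -url
        Write-Host "SKIP     $url (not HTTP; check with certutil -url)"
        continue
    }
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    } catch {
        # Unreachable CDP: suggestion 1 (fix the CDPs at the root and reissue the CA cert)
        Write-Host "FAIL     $url unreachable: $($_.Exception.Message)"
        continue
    }
    # certutil -dump prints ThisUpdate/NextUpdate lines for a CRL file (locale date format)
    $match = certutil -dump $tmp | Select-String 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $match) { Write-Host "FAIL     $url did not parse as a CRL"; continue }
    $nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value)
    if ($nextUpdate -lt (Get-Date)) {
        # Expired CRL: suggestion 2 (reissue at the offline root and republish to the CDPs)
        Write-Host "EXPIRED  $url  NextUpdate=$nextUpdate"
    } else {
        Write-Host "OK       $url  NextUpdate=$nextUpdate"
    }
}
```

Run it against the certificate of each CA in the chain; an EXPIRED or FAIL line on the root's CRL explains error 0x80092013 on the domain controllers.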

In response to

Urgent - Subordinate Certification Authority Certificate Expired posted by clemente on Mon, 2 Apr 2007