I'm having trouble with our enrollment server after rebooting it for an update. The Certificate Services (CS) won't start, and the logs are showing a recurring error that says, "Revocation status for a certificate in the chain for CA certificate 2 for hostname could not be verified because the server is currently unavailable. The revocation function was unable to check the revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)." I found a suggestion that says to reissue the CA's certificate from the offline CA, which I did, but the issue persists. The logs indicated that this error has been happening nightly since July 30. I tried restoring from a snapshot, but that didn't help either. This server is part of our Horizon VDI deployment for SSO and is dependent on a root CA that's offline and not domain-joined. Everything is still functioning for now, but I'm worried about certificate expiration issues. Any advice would be appreciated!
1 Answer
The error suggests that the Root Certificate Revocation List (CRL) is unreachable. You might want to export the Issuing CA certificate to a .cer file and then use the certutil command to troubleshoot further: `certutil -f -urlfetch -verify issuingCAcert.cer`. Also, enabling the CAPI2 event log can provide valuable insights in situations like this.
Just to clarify, do I need to export the certificate from the Root CA and run the command on that? Also, how do I enable CAPI2? I’ll look it up too, but any quick tips would help!
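
The troubleshooting steps from the answer above, collected into one script. This is an added example, not part of the original posts; it assumes an elevated PowerShell session on the issuing CA and that the issuing CA certificate has already been exported to the path in `$CertPath` (a placeholder path).

```powershell
# Added example: check CRL reachability for the issuing CA certificate.
# Assumption: $CertPath points at the exported issuing CA certificate.
$CertPath = 'C:\Temp\issuingCAcert.cer'
$Capi2Log = 'Microsoft-Windows-CAPI2/Operational'

# 1. List the CRL Distribution Point URLs embedded in the certificate
#    (extension OID 2.5.29.31). These are the locations the revocation
#    check must be able to reach.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { $cdp.Format($true) } else { 'No CDP extension in this certificate.' }

# 2. Enable the CAPI2 operational log (it is disabled by default) and
#    note the time so only events from this run are shown later.
wevtutil sl $Capi2Log /e:true
$start = Get-Date

# 3. Build the chain and fetch every AIA/CDP URL, ignoring cached copies (-f).
#    The output lists each URL with its retrieval status; keep a copy on disk.
certutil -f -urlfetch -verify $CertPath |
    Tee-Object -FilePath (Join-Path $env:TEMP 'urlfetch-verify.txt')

# 4. Show CAPI2 error events (Level 2) logged during the check.
Get-WinEvent -FilterHashtable @{ LogName = $Capi2Log; Level = 2; StartTime = $start } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 5. Turn the log back off once the data is captured; it is verbose.
wevtutil sl $Capi2Log /e:false
```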