Troubleshooting Intermediate CA Service Issues and CRL Problems

Asked By TechWhiz123 On

I'm dealing with some issues related to our desktop MFA product that brings up an SSL error when users try to enter their authenticator codes. After some digging, I found that the issue is linked to an expired Certificate Revocation List (CRL). I temporarily fixed it by adjusting some settings in the Internet Options, but I discovered that the Intermediate CA service isn't running. When I attempt to start it, I get an error suggesting to check the event viewer. According to the event viewer, the AD Cert Service failed to start because it couldn't load or verify the current CA certificate, and it notes that the revocation server appears to be offline.

I was told by my manager that the CRL is maintained on the Intermediate CA. I suspect the Intermediate CA isn't able to connect with the root CA, which might be offline, causing this issue. Would starting the root CA followed by starting the Intermediate CA service and then publishing the CRL resolve the situation? If so, how often should I be performing this to ensure the CRL stays current? Or could there be another solution I'm overlooking?

2 Answers

Answered By CertMaster89 On

Check the status of your CAs using PKIView. The root CA doesn't need to be online, but your subordinate CA needs access to the AIA and CRL files in its certificate's metadata. The CRL for the root CA has to be current for the Intermediate CA to function correctly. If it's stale, the Intermediate CA can shut down. PKIView can help you assess any problems you're having.

SolveItSam -

That's right; using PKIView is definitely the way to go. I suspect your root CA's CRL has expired. You can force the online CA's services to start with a command: certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE.

ITSquad2024 -

Absolutely correct, definitely start with PKIView to see what's happening.
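The checks the answer above recommends, and the emergency flag from the comment, as an added PowerShell example that is not part of the original thread. It is meant to be run elevated on the subordinate CA. The working folder C:\temp and the $emergency switch are assumptions for this script; the certutil switches, registry value and event provider name are the standard AD CS ones.

```powershell
# Added diagnostic for the subordinate (issuing) CA; run in an elevated PowerShell there.
# Assumptions (not from the thread): C:\temp is writable, $emergency is a hypothetical switch.

$workDir = 'C:\temp'
$caCert  = Join-Path $workDir 'subca.cer'

# 1. Export the subordinate CA's own certificate. Its AIA and CDP extensions are the
#    URLs certsvc must be able to reach at start-up, so list them first.
certutil -ca.cert $caCert | Out-Null
certutil -dump $caCert | Select-String 'URL='

# 2. Build the chain with live AIA/CRL retrieval. A stale or unreachable root CRL ends in
#    "CertUtil: -verify command FAILED" with CRYPT_E_REVOCATION_OFFLINE (0x80092013),
#    the same condition the event log describes when the service refuses to start.
$verifyOutput = certutil -verify -urlfetch $caCert
$chainOk = ($LASTEXITCODE -eq 0)
if (-not $chainOk) {
    Write-Warning 'Chain verification failed: root CRL is probably stale or the CDP is unreachable.'
    $verifyOutput | Select-String 'ERROR|Revocation|CRYPT_E' | ForEach-Object { $_.Line }
}

# 3. Pull the CA service's own error events for the exact failure text.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Level        = 2            # Error
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message -First 5

# 4. Emergency start only. CRLF_REVCHECK_IGNORE_OFFLINE lets certsvc start while the
#    root CRL is stale, but it does so by skipping revocation checking of the CA's own
#    chain. Use it to restore issuance, then republish the root CRL and clear the flag.
$emergency = $false   # hypothetical switch for this script
if ($emergency -and -not $chainOk) {
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    Restart-Service certsvc
}
# Once the root CRL is back in date, revert the flag and restart:
#   certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
#   Restart-Service certsvc
```

Step 2 is the scripted equivalent of what PKIView shows in its GUI: it fetches every AIA and CDP URL in the CA certificate and reports which one fails. Treat the flag in step 4 as a tourniquet, not a fix; while it is set the issuing CA will start even if its own certificate has been revoked by the root.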

Answered By NetworkGuru77 On

Even if you have offline CAs, you still need to make sure the root CA's CRL gets published regularly, usually at intervals of about 6 months to a year. If it expires, your Intermediate CA might have issues starting up.
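The republish-and-restart procedure the two answers describe, as an added PowerShell example that is not from the original thread. Names are assumptions: RootCA as the root CA's common name, \\pki01\CertEnroll as the share behind the HTTP CDP, E:\ as removable media used to carry the file off the offline root, and C:\temp as a staging folder on the subordinate CA. The "republish at a quarter of the period before NextUpdate" margin is a common practice, not a requirement from the thread.

```powershell
# Added procedure, not from the thread: publish a fresh root CRL, move it to both CDP
# locations, then start the subordinate CA and confirm its chain builds.
# Assumed names: RootCA, \\pki01\CertEnroll, E:\ (removable media), C:\temp.

# ---- Step A: on the root CA. Power it on, keep it off the network, publish, power off. ----
Start-Service certsvc
certutil -crl                                   # signs a fresh CRL into CertEnroll
$enroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"
$newCrl = Get-ChildItem "$enroll\*.crl" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $newCrl.FullName 'E:\RootCA.crl'      # removable media (assumption)
Stop-Service certsvc

# ---- Step B: on the subordinate CA, as an account that may publish to AD (Cert Publishers). ----
$crlFile = 'C:\temp\RootCA.crl'                  # the file carried over from step A

# Read ThisUpdate/NextUpdate from the new CRL: confirm it is fresh and derive the next run date.
function Get-CrlField([string[]]$Lines, [string]$Name) {
    $m = $Lines | Select-String "^\s*$Name\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim()) }
}
$dump       = certutil -dump $crlFile
$thisUpdate = Get-CrlField $dump 'ThisUpdate'
$nextUpdate = Get-CrlField $dump 'NextUpdate'
if (-not $nextUpdate -or $nextUpdate -le (Get-Date)) {
    throw "CRL in $crlFile is missing NextUpdate or already expired ($nextUpdate); re-run step A."
}

# Publish to both CDP locations named in the CA certificate: the web share and AD (LDAP).
Copy-Item $crlFile '\\pki01\CertEnroll\RootCA.crl' -Force
certutil -dspublish -f $crlFile

# Drop the cached copy of the old CRL, bring the issuing CA up, and confirm its own chain.
certutil -urlcache * delete
Start-Service certsvc
certutil -ca.cert C:\temp\subca.cer | Out-Null
certutil -verify -urlfetch C:\temp\subca.cer | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Subordinate CA chain still fails revocation checking.' }

# Schedule: republish well before NextUpdate. A margin of about a quarter of the period
# is a common choice so a missed maintenance window does not take issuance down.
$period  = $nextUpdate - $thisUpdate
$dueDate = $nextUpdate.AddDays(-[math]::Ceiling($period.TotalDays / 4))
"Root CRL valid $thisUpdate -> $nextUpdate ($([int]$period.TotalDays) days). Republish by $dueDate."
```

The CRL validity period itself comes from the root CA's registry (certutil -getreg ca\CRLPeriod and ca\CRLPeriodUnits); set it to match how often you are realistically willing to bring the offline root up, and put the computed due date in whatever calendar or ticketing system the PKI team actually reads.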
