In article <(E-Mail Removed)>,
(E-Mail Removed)
says...
>
> I am having the exact same problem. It all started because we didn't
> update the .crls once they expired. We have since renewed the .crls but
> we got the same errors. Had to do the log level switch from 3 to 2 to
> get CA services working but now I get these errors when trying to issue
> certs:
>
> The revocation function was unable to check revocation because the
> revocation server was offline. 0x80092013 (-2146885613).
>
>
> The disposition message is "Error Constructing or Publishing
> Certificate The certificate validity period will be shorter than the
> WebServer Certificate Template specifies, because the template validity
> period is longer than the maximum certificate validity period allowed by
> the CA. Consider renewing the CA certificate, reducing the template
> validity period, or increasing the registry validity period.
> Resubmitted by ENT\gcfgill".
>
> Any luck with your issues? What have you done to correct it?
>
>
>
> --
> Cooquist
It sounds like you have issues with the CA certificate's remaining
validity period, and this could be an issue for the entire chain.
Certificate Services will not allow a CA to issue a certificate with a
validity period greater than the remaining validity period of the CA that
issues the certificate (remember the VeriSign issue about a year ago
<G>).
It sounds like you have several problems:
- The URLs for either the AIA or CDP extensions in the certificates are
invalid. This could be for any or all of the CAs in the CA hierarchy.
For this problem, use the PKI Health Tool (pkiview.msc) from the Server
2003 resource kit. It will analyze all AIA and CDP extensions in the
certificate chain and report any errors. Every error should be
addressed.
- The validity period of the CAs may need to be revised.
For each CA in the CA path, you must alter the registry of the issuing
CA to allow the duration that you wish for the subordinate CA
certificate (especially if using standalone CAs). This is done through
two registry settings: ValidityPeriod and ValidityPeriodUnits. For
example, if you want to issue a subordinate CA certificate with a
validity period of 10 years (assuming that the parent CA has a validity
period greater than 10 years remaining), use:
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
HTH,
Brian
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
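An added check to go with Brian's explanation (this is example code, not something from the thread or from Microsoft): it reads the ValidityPeriod/ValidityPeriodUnits cap from the CA's CertSvc registry key, takes the CA certificate's remaining lifetime, and reports whether a template that asks for a given validity (a constructed 2-year example, like the WebServer template) would be truncated. It assumes you run it on the CA itself with local admin rights and that the CA's own certificate is in the machine's personal store.

```powershell
# Added example: compute the longest validity this CA can currently issue.
# Effective max = min(registry ValidityPeriod cap, remaining CA cert lifetime).
function Get-CAEffectiveValidity {
    param(
        # Constructed sample: validity a template requests, in days (2 years)
        [int]$TemplateValidityDays = 730
    )

    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
    $caCfg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

    # Registry cap: ValidityPeriod is "Years"/"Months"/"Weeks"/"Days",
    # ValidityPeriodUnits is the count. Months are approximated at 30 days.
    $unitDays = @{ 'Years' = 365; 'Months' = 30; 'Weeks' = 7; 'Days' = 1 }
    $registryCapDays = [int]$caCfg.ValidityPeriodUnits *
                       $unitDays[[string]$caCfg.ValidityPeriod]

    # Remaining lifetime of the CA certificate (newest cert matching the CA name)
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "No certificate for CA '$caName' in LocalMachine\My" }
    $remainingDays = [math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays)

    $effectiveMaxDays = [math]::Min($registryCapDays, $remainingDays)

    [pscustomobject]@{
        CA                  = $caName
        CACertExpires       = $caCert.NotAfter
        RemainingDays       = $remainingDays
        RegistryCapDays     = $registryCapDays
        EffectiveMaxDays    = $effectiveMaxDays
        TemplateRequestDays = $TemplateValidityDays
        # True means issued certs will be shorter than the template specifies,
        # which is exactly the disposition message quoted above.
        WillBeTruncated     = ($TemplateValidityDays -gt $effectiveMaxDays)
        LimitingFactor      = if ($remainingDays -lt $registryCapDays) {
                                  'CA certificate remaining lifetime (renew the CA)'
                              } else {
                                  'Registry ValidityPeriod (certutil -setreg)'
                              }
    }
}

Get-CAEffectiveValidity -TemplateValidityDays 730 | Format-List
```

If LimitingFactor reports the CA certificate, no registry change will help; the CA (and possibly its parent) needs renewing before the template validity can be honoured.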