Revocation Server Offline Error (0x80092013)

Here is our infrastructure:

Offline root - Server 2012 Standard
Intermediate CA that issues certificates - Server 2012 Standard
PKI server (CDP and AIA over http url) - Server 2012 Standard

Here is the URL configuration for CDP and AIA:

CDP: http://pki.domain.org/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA: http://pki.domain.org/<ServerDNSName>_<CaName><CertificateName>.crt

The CRL has a 180-day validity period and is generally renewed every 5 months from the offline root CA.

I am trying to set up Hyper-V replication over HTTPS so I published a certificate and everything seems fine up to the point where I hit the apply button in the Hyper-V console and it comes up with the error in the following image (thumbprint removed just cuz).

Not sure if this is relevant but I am running Hyper-V Server 2012 but also recreated this issue on Server 2012 R2 Datacenter. I have run the tests described in the following paragraph on both servers and both had the same results.

I might add that if I choose a cert from a previously set up 2008 R2 Standard CA Root/issuing server (remnants from the previous admin) that is used for Client and Server Authentication, I do not receive this error, although I am not familiar with how that previous setup was accomplished except that it is a standalone.

I have gone back and forth with different certutil commands (such as urlfetch, user urlfetch, and the URL retrieval tool) and the results are always successful and always say that the leaf certificate revocation check passed. I have even run this as the SYSTEM and NETWORKSERVICE accounts and always seem to have successful results. I do not want to use the workaround of bypassing the CRL check for fear that there is a greater underlying problem. I have recently created a new CRL from the offline root and copied it to the CDP and AIA directory, so the CRL should not be expired (nor were expiration errors reported). I will admit that I'm a novice at certificate authority management, so please excuse my ignorance. Please let me know if any more information is needed, or correct me if I misspoke in any part. Thank you in advance for your time!


  • Edited by Scott_42 Monday, February 17, 2014 8:51 PM
February 17th, 2014 8:45pm

Just out of curiosity, is it pretty common to have to disable the revocation check for Hyper-V replication? It seems like a lot of people just use the self-signed certs and then run the following registry edits to bypass the checks:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

I just want to make sure that my CA is healthy. Nothing else seems to fail and nothing else seems to have a problem at this time except for the Hyper-V Replication revocation check (what a mouthful).

This is all so whacky to me!



  • Edited by Scott_42 Monday, February 24, 2014 8:46 PM
February 24th, 2014 8:34pm

Well I'm obviously dumb. I was exporting it with the private key before which obviously keeps me from exporting it as a DER X.509 (.CER). Here is the real output below. Once again, I really appreciate your patience with me!!

So the error says that I can't access the CRL with the name domain-CA-SUB-CA+.crl, which is true (I can't access that through the browser). However, I am able to access domain-CA-SUB-CA.crl through the browser. What would be the difference, since they both have the same extension and .crl has been added as a MIME type in IIS? I did notice that it seems to be the '+' character in the name that is throwing off the URL. Any thoughts?

Issuer:
    CN=domain-CA-SUB-CA
    DC=domain
    DC=org
  Name Hash(sha1): ##############################
  Name Hash(md5): ##############################
Subject:
    CN=*.domain.org
  Name Hash(sha1): ##############################
  Name Hash(md5): ##############################
Cert Serial Number: ##############################

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 8 Days, 46 Minutes, 34 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 8 Days, 46 Minutes, 34 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=domain-CA-SUB-CA, DC=domain, DC=org
  NotBefore: 2/24/2014 12:46 PM
  NotAfter: 2/24/2016 12:56 PM
  Subject: CN=*.domain.org
  Serial: ##############################
  SubjectAltName: DNS Name=*.domain.org
  Template: Hyper-V Replica
  ##############################
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.domain.org/CA.domain.org_domain-CA-SUB-CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01b0)" Time: 0
    [0.0] http://pki.domain.org/domain-CA-SUB-CA.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
    [0.0.0] http://pki.domain.org/domain-CA-SUB-CA+.crl

  ----------------  Base CRL CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
    http://pki.domain.org/domain-CA-SUB-CA+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 01b0:
    Issuer: CN=domain-CA-SUB-CA, DC=domain, DC=org
    ThisUpdate: 2/20/2014 1:35 PM
    NextUpdate: 2/28/2014 1:55 AM
    ##############################
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=domain-CA-ROOT-CA
  NotBefore: 12/26/2012 11:19 AM
  NotAfter: 12/26/2022 11:29 AM
  Subject: CN=domain-CA-SUB-CA, DC=domain, DC=org
  Serial: ##############################
  Template: SubCA
  bc39e98cca24eaac7a96840c1a49a95acdeea7f4
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.domain.org/CA-Offline.domain.org_domain-CA-ROOT-CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (07)" Time: 0
    [0.0] http://pki.domain.org/domain-CA-ROOT-CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 07:
    Issuer: CN=domain-CA-ROOT-CA
    ThisUpdate: 2/17/2014 10:37 AM
    NextUpdate: 8/16/2014 10:57 PM
    ##############################

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-CA-ROOT-CA
  NotBefore: 12/26/2012 10:46 AM
  NotAfter: 12/26/2032 10:56 AM
  Subject: CN=domain-CA-ROOT-CA
  Serial: ##############################
  ##############################
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  ##############################
Full chain:
  ##############################
  Issuer: CN=domain-CA-SUB-CA, DC=domain, DC=org
  NotBefore: 2/24/2014 12:46 PM
  NotAfter: 2/24/2016 12:56 PM
  Subject: CN=*.domain.org
  Serial: ##############################
  SubjectAltName: DNS Name=*.domain.org
  Template: Hyper-V Replica
  ##############################
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.



  • Edited by Scott_42 Tuesday, February 25, 2014 8:38 PM
February 25th, 2014 8:24pm
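An added check, not part of this thread: the failing URL above is the delta CRL, whose file name ends in "+.crl", and on IIS 7 and later request filtering rejects a request path containing "+" unless double escaping is allowed on the site, which produces exactly a 404 for the delta CRL while the base CRL is served. The script below re-extracts every CRL URL from certutil's -verify -urlfetch output, probes each over HTTP, and then shows the IIS setting change; the certificate file name and the site name 'Default Web Site' are assumptions.

```powershell
# Probe every CRL URL that certutil reports for the exported leaf certificate.
# File name is an assumption; export the Hyper-V Replica cert as DER (.cer) first.
$verifyOutput = certutil -verify -urlfetch .\hyperv-replica.cer

$urls = $verifyOutput |
    Select-String -Pattern 'https?://\S+\.crl' -AllMatches |
    ForEach-Object { $_.Matches.Value } |
    Sort-Object -Unique

foreach ($url in $urls) {
    # A delta CRL published by AD CS carries a trailing "+" before ".crl".
    $kind = if ($url -like '*+.crl') { 'delta' } else { 'base ' }
    try {
        # Invoke-WebRequest throws on a 4xx/5xx response, so a 404 lands in the catch block.
        $resp   = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing
        $status = "HTTP $($resp.StatusCode) $($resp.Headers['Content-Type'])"
    } catch {
        $status = "FAILED: $($_.Exception.Message)"
    }
    "{0} {1} -> {2}" -f $kind, $url, $status
}

# If only the "+.crl" URL fails with 404 although the file sits next to the base CRL in the
# CDP directory, allow double escaping on the CDP site (run this on the PKI web server;
# the site name is an assumption). This is the documented IIS requirement for delta CRLs.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true
```

After the change, rerun the probe loop: both the base and the delta CRL should return HTTP 200, and certutil -verify -urlfetch should no longer report CERT_TRUST_IS_OFFLINE_REVOCATION, which removes the need for the DisableCertRevocationCheck registry workaround.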

Check this out

SSTP Windows VPN Client Error: The revocation function was unable to check revocation


It is the worst solution I have ever seen.
September 10th, 2015 9:49pm
