Contains Resolution:
The Active Directory Certificate Service could not verify the CRL and would not start. We were able to get the service started by following Method 2 of this KB: http://support.microsoft.com/kb/825061

Method 2: Modify the LogLevel Registry Value

If this CA is an offline CA and has no access to the network to obtain the CRL, set the LogLevel registry value to 2. This registry change permits the CA to start by ignoring the revocation offline error. To set the LogLevel registry value, follow these steps:

1. Click Start, click Run, type cmd in the Open box, and then click OK.
2. Type the following command, and then press ENTER:

   certutil.exe -setreg CA\LogLevel 2

   The following results are returned:

   <myCA>\LogLevel:
   Old Value: LogLevel REG_DWORD = 3 (3)
   New Value: LogLevel REG_DWORD = 2 (2)

3. Restart the Certificate Services service. To do so, type the following commands (press ENTER after each command):

   net stop certsvc
   net start certsvc

After starting the service we could see that the Root CA CRLs had expired. We have them on a 180-day interval and had not updated them.
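The root cause in this note was a Root CA CRL that passed its nextUpdate time unnoticed. The following is an added example, not part of the original resolution or the KB: a standard-library check that reads thisUpdate and nextUpdate from a DER-encoded CRL and flags it before it expires. The function names, the 14-day warning window and the "Example Root CA" sample CRL are assumptions; the sample is constructed and unsigned.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate is None if absent."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]      # CertificateList -> tbsCertList
    tag, _, pos = _tlv(tbs, 0)             # version, or signature algorithm
    if tag == 0x02:                        # optional version INTEGER was present
        _, _, pos = _tlv(tbs, pos)         # so skip the signature algorithm too
    _, _, pos = _tlv(tbs, pos)             # skip issuer Name
    tag, raw, pos = _tlv(tbs, pos)
    this_update, next_update = _time(tag, raw), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):  # else revoked list/extensions
        next_update = _time(*_tlv(tbs, pos)[:2])
    return this_update, next_update

def crl_status(der, now, warn_days=14):
    """Return 'expired', 'expiring' or 'ok' for the CRL at time now."""
    next_update = crl_validity(der)[1]
    if next_update is None or now < next_update - timedelta(days=warn_days):
        return "ok"                        # no stated expiry, or not yet in the window
    return "expired" if now >= next_update else "expiring"

_enc = lambda tag, body: bytes([tag, len(body)]) + body  # short form; sample < 128 bytes

def sample_crl(issued, days=180):
    """Constructed, unsigned sample CRL using the 180-day interval from the note."""
    stamp = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _enc(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    cn = _enc(0x30, bytes.fromhex("0603550403") + _enc(0x0C, b"Example Root CA"))
    tbs = b"\x02\x01\x01" + alg + _enc(0x30, _enc(0x31, cn))
    tbs += stamp(issued) + stamp(issued + timedelta(days=days))
    return _enc(0x30, _enc(0x30, tbs) + alg + b"\x03\x02\x00\x00")

if __name__ == "__main__":
    crl = sample_crl(datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(crl_status(crl, datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

To check a published CRL, pass the bytes of the DER .crl file to crl_status together with datetime.now(timezone.utc). The check does not verify the CRL signature.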