Error 0x80092013 When Starting an Enterprise Subordinate CA

Working on a Windows 2008 two-tier Certificate Infrastructure implementation, the installation of the Root CA went without a hitch, but when trying to start the certificate server service on the Enterprise Subordinate CAs, I received the error (in summary): “0x80092013 certificate revocation server is offline”.

Whether its right or wrong, what I had attempted first when building the Root CA, is to specify a UNC path the the Root’s CRL in the Extensions tab of its properties. I had past success using UNC paths when working with Windows 2003 certificate servers and figured that Windows 2008 would work more or less the same, and I guess it does, but in this particular case it was less.

Opening PKIView on the Enterprise Subordinate CA after the service failure, I saw a screen similar to the one below, taken from this blog post: http://www.cupfighter.net/index.php/tag/0x80092013/

I won’t bore you with all the details, but to resolve the issue, I used an HTTP path for the Root CRL extension pointing to an IIS virtual directory on the Enterprise Subordinate CAs. Once the CRL was copied to the Subordinate CAs, the certificate services started without a problem.

Another option would have been to disable/ignore the CRL check as found below:
http://khurramullah.wordpress.com/2008/08/07/certificate-services-unable-to-start/

I have not figured out why the file/UNC path to the CRL did not work. Perhaps there will be time to explore it further.

2 Comments

Filed under Certificates, Windows Server

2 responses to “Error 0x80092013 When Starting an Enterprise Subordinate CA

  1. Anonymous

    I have the same problem with the same infrastructure.

    The 'boring details' are what I'm after.

    I assume you had to update the CRL on the Offline Root. Then what? My guess is I'll have to re-download the Offline Root Certificate and add it to my subordinate CA in order for the Subordinate CA to see the new CRL?

  2. Anonymous

    I fought this issue for hours until I came across your blog. I was convinced the UNC path should work and hadn't considered going the route you suggested. Hours of pain evaporated as soon as that CRL was found via http instead. Thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s