Working on a Windows 2008 two-tier Certificate Infrastructure implementation, the installation of the Root CA went without a hitch, but when trying to start the certificate server service on the Enterprise Subordinate CAs, I received the error (in summary): “0x80092013 certificate revocation server is offline”.

Whether it’s right or wrong, what I had attempted first when building the Root CA was to specify a UNC path to the Root’s CRL in the Extensions tab of its properties. I had past success using UNC paths when working with Windows 2003 certificate servers and figured that Windows 2008 would work more or less the same, and I guess it does, but in this particular case it was less.

Opening PKIView on the Enterprise Subordinate CA after the service failure, I saw a screen similar to the one below, taken from this blog post:

I won’t bore you with all the details, but to resolve the issue, I used an HTTP path for the Root CRL extension pointing to an IIS virtual directory on the Enterprise Subordinate CAs. Once the CRL was copied to the Subordinate CAs, the certificate services started without a problem.
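A way to check which CRL locations a certificate actually carries and whether each one can be fetched, as an added example that is not part of the original post. For this scenario the certificate to pass in is the subordinate CA certificate issued by the root. The host names, share names and file names in the sample are constructed placeholders, and the `-CertPath` parameter and function names are this example's own.

```powershell
param([string]$CertPath)   # optional: path to an exported certificate (.cer)

# Constructed sample of the text X509Extension.Format() produces for a
# CRL Distribution Point (CDP) extension; used when no certificate is given.
$sample = @'
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://subca01.example.test/CertEnroll/ExampleRootCA.crl
               URL=file://\\rootca01\CertEnroll\ExampleRootCA.crl
'@

# Extract every "URL=<location>" entry from the formatted extension text.
function Get-CdpUrl([string]$Text) {
    [regex]::Matches($Text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# Try to download the CRL. Only http(s) and file/UNC locations are tested;
# anything else (for example ldap) is reported as not tested.
function Test-CdpUrl([string]$Url) {
    if ($Url -notmatch '^(https?|file):') { return 'not tested' }
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($Url)
        return "retrieved $($bytes.Length) bytes"
    } catch {
        return "FAILED: $($_.Exception.Message)"
    }
}

if ($CertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # 2.5.29.31 is the OID of the CRL Distribution Points extension.
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $text = if ($ext) { $ext.Format($true) } else { '' }
} else {
    $text = $sample
}

Get-CdpUrl $text | ForEach-Object {
    New-Object PSObject -Property @{ Url = $_; Result = (Test-CdpUrl $_) }
} | Format-Table Url, Result -AutoSize
```

The result reflects the account running the script; the certificate service runs under its own account, so a location that can be read interactively can still be unreachable for the service.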

Another option would have been to disable/ignore the CRL check as found below:

I have not figured out why the file/UNC path to the CRL did not work. Perhaps there will be time to explore it further.