That takes me to why I had to renew the certificates in the first place. The signing certificates were issued while I was on vacation, before the certificate distribution point, online certificate status protocol, and authority information access configurations were done to the intermediate CA (it is a three tiered model).
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. ISSUINGCA01 The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).
To make sure that was really the problem, I temporarily disabled revocation checking:
Certutil.exe –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
That worked – but for reasons that should be obvious if you are reading this, I can’t leave it that way.
All of the certutil.exe –verify –urlfetch
I moved on to certutil.exe –urlcache, specifically with the * delete option. That is something I’ve used in the past for solving some pesky issues with revocation checking, but my first attempts didn’t seem to resolve the problem either. I took a break, and grabbed some lunch and thought to myself that the certutil.exe –urlcache is user based, so no amount of * delete run in the user context would help with the service. So, out comes psexec. Using psexec.exe –i –s cmd.exe to bring up a command prompt running as the local system, I saw a whole new list of entries with certutil.exe –urlcache. I was on to something, so out comes the certutil.exe –urlcache * delete and I was able to start the certificate authority service.
It takes a lot to really baffle me with Windows these days, but this one had me confused for hours. Windows PKI with Active Directory Certificate Services really isn’t that complex, I’ve deployed several, but when mistakes were made and need to be cleaned up, I was in unfamiliar territory.