We could (but should not) disable revocation checking.
First of all, does it even resolve the problem?
We disable revocation checking with this command (and then restart the ADCS service):
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
At first glance, this seems to improve matters.
After restarting the service, the subordinate CA is able to publish a new CRL (I repeated the same process as above) and I can expand the PKI Health Check tool:
Note the green check on the "Machlinkit Issuing CA" and compare with the previous screenshots.
At least the CRL of the issuing CA is up-to-date (status is OK from top to bottom):
But this is not a good solution for several reasons:
So we remove the flag again and restart the service:
certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
We will copy (or publish) the CRL file to three locations on the subordinate (issuing) CA:
- The (local computer) certificate store of the subordinate CA
- The web share indicated in the CDP record
- Active Directory
The web share is the simplest operation. It is a matter of copying the CRL file to the location indicated.
However, the CRL published to Active Directory is still in the "expired" state.
At the command line, we add the CRL to the local computer's Root store and then publish it to Active Directory:
certutil -addstore -f Root C:\PKI\PKI-ROOT-CA.crl
certutil -dspublish -f C:\PKI\PKI-ROOT-CA.crl
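The three publication steps above, as an added PowerShell example (not from the original post), with two checks a practitioner would want: refuse to publish a CRL whose NextUpdate has already passed, and confirm the CRLF_REVCHECK_IGNORE_OFFLINE workaround is not still set. The CRL path is the one used in the post; the web share path and the regex over certutil's output are assumptions.

```powershell
# Added example, not the post's own script. Run in an elevated prompt on the issuing CA.
param(
    [string]$CrlPath  = 'C:\PKI\PKI-ROOT-CA.crl',   # path from the post
    [string]$WebShare = '\\WEBSERVER\PKI$'          # placeholder: the share behind the CDP URL
)
$ErrorActionPreference = 'Stop'

# 1. Read NextUpdate from "certutil -dump" and refuse to publish an already-expired CRL.
#    Assumes certutil prints a line of the form " NextUpdate: <date>" in the current culture.
$dump  = certutil -dump $CrlPath
if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $CrlPath" }
$match = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
if (-not $match) { throw "Could not find NextUpdate in certutil output for $CrlPath" }
$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
if ($nextUpdate -lt (Get-Date)) {
    throw "CRL $CrlPath expired on $nextUpdate; obtain a fresh CRL from the root CA first"
}
Write-Host "CRL is valid until $nextUpdate"

# 2. Web share: the location clients actually fetch from the CDP URL.
Copy-Item -Path $CrlPath -Destination $WebShare -Force

# 3. Local computer Root store of the issuing CA.
certutil -addstore -f Root $CrlPath
if ($LASTEXITCODE -ne 0) { throw 'certutil -addstore failed' }

# 4. Active Directory (CDP container in the Configuration partition).
certutil -dspublish -f $CrlPath
if ($LASTEXITCODE -ne 0) { throw 'certutil -dspublish failed' }

# 5. Make sure the "ignore offline CRL" workaround from earlier was not left enabled;
#    certutil -getreg lists the symbolic flag names that are set.
$flags = certutil -getreg ca\CRLFlags
if ($flags -match 'CRLF_REVCHECK_IGNORE_OFFLINE') {
    Write-Warning 'CRLF_REVCHECK_IGNORE_OFFLINE is set: the CA is bypassing revocation checking'
}
```

The date comparison relies on certutil's output using the same culture as the PowerShell session; on a mismatch, [datetime]::Parse will throw rather than silently accept an expired CRL.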