Certificate Services Does Not Start After You Upgrade to Windows 2000 Service Pack 4 (825061)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Advanced Server SP4

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you restart your computer after you upgrade to Windows 2000 Service Pack 4 (SP4), the Certificate Services service (CertSvc) does not start. Additionally, one or more of the following events may appear in the application log of Event Viewer:

Event Type: Error
Event Source: CertSvc
Event ID: 100
Description: Certificate Services did not start: Could not load or verify the current CA certificate. Enterprise-Sub The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

For more information, see Help and Support Center at <http://support.microsoft.com>.

Event Type: Error
Event Source: CertSvc
Event ID: 48
Description: Revocation status for a certificate in the chain for CA certificate 0 for Enterprise-Sub could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

For more information, see Help and Support Center at <http://support.microsoft.com>.

Event Type: Error
Event Source: CertSvc
Event ID: 7024
Description: The Certificate Services service terminated with service-specific error 2148081683 (0x80092013).

For more information, see Help and Support Center at <http://support.microsoft.com>.

CAUSE

This issue occurs because a valid Certificate Revocation List (CRL) for one or more of the intermediate certification authority (CA) certificates could not be found. This issue may occur if the CRL is not available to the certificate server, or if the CRL has expired.

WORKAROUND

To work around this issue, use one of the following methods, as appropriate to your situation.

Method 1: Make Sure That a Valid CRL Is Available

Take steps to make sure that a valid CRL is available. This is the optimal workaround for this issue.

Method 2: Modify the LogLevel Registry Value

If this CA is an offline CA and has no access to the network to obtain the CRL, set the LogLevel registry value to 2. This registry change permits the CA to start by ignoring the revocation offline error. To set the LogLevel registry value, follow these steps:
  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Type the following command, and then press ENTER:

    certutil.exe -setreg CA\LogLevel 2

    The following results are returned:

    <myCA>\LogLevel:
    
    Old Value:
      LogLevel REG_DWORD = 3 (3)
    
    New Value:
      LogLevel REG_DWORD = 2 (2)

  3. Restart the Certificate Services service. To do so, type the following commands (press ENTER after each command):

    net stop certsvc
    net start certsvc

  4. Close the command-prompt window.

MORE INFORMATION

You can use the Certutil.exe program that is included with Microsoft Windows Server 2003 to determine the URL of the unavailable CRL. To do this, follow these steps.

Note For information about how to obtain Windows Server 2003 files, contact Microsoft Product Support Services (PSS). To do this, visit the following Web site:
  1. Expand the following files from the I386 folder on the Windows Server 2003 CD-ROM to a new folder on the Windows 2000 certificate server:

    Expand Certutil.ex_ to Certutil.exe
    Expand Certcli.dl_ to Certcli.dll
    Expand Certadm.dl_ to Certadm.dll

    Important Make sure that the folder where you expand these files is not included in the Path statement. Do not register these Windows Server 2003 files on the Windows 2000-based computer.
  2. Start a command prompt, and then run the following command from the folder that contains the Windows Server 2003 files:

    certutil -verify -urlfetch CACert.crt


Modification Type: Major
Last Reviewed: 9/22/2006
Keywords: kbprb KB825061 kbAudITPRO