One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.
Correct problems that can prevent revocation checking
Revocation checking fails unless every certificate in the chain can be verified, so a single unreachable CRL distribution point or AIA location anywhere in the chain is enough to break it. To fix this:
Confirm the certificates in the chain for the certification authority (CA).
Identify and correct resource problems that could be preventing revocation checking.
Enable CryptoAPI 2.0 Diagnostics to identify and resolve more advanced issues that can prevent revocation checking.
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Confirm the certificate chain for the CA
To validate the chain for the CA:
Click Start, type mmc, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
Click Computer account, and click Next.
Select the computer hosting the CA, click Finish, and then click OK.
Select each CA certificate in the certificate chain.
On the Action menu, point to All Tasks, and click Export to start the Certificate Export Wizard. Save each certificate with a .cer extension.
Click Start, type cmd and press ENTER.
Type the following command for each CA certificate, with a space between the -verify switch and the file name: certutil -urlfetch -verify <CAcert.cer> and press ENTER. The -urlfetch switch makes certutil download every CRL and AIA object referenced by the certificate, so the output shows which URL, if any, cannot be retrieved.
Run the same command again to check CRLs for the CA that was supposed to issue the certificate, as well as its chain.
Resolve any problems that are identified in the output from the command.
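The export-and-verify loop above can be scripted so that every element of the CA's chain is checked the same way. The following PowerShell is an added example and is not code from the original page or from Microsoft; it assumes it runs in an elevated PowerShell on the CA host, that the CA certificate is in the machine's Personal store, and the subject string in $CaSubject is a hypothetical value to replace with your CA's subject.

```powershell
# Added example, not from the original page: export each certificate in the CA's chain
# and run certutil -urlfetch -verify on it, collecting the ERROR/Failed lines that
# indicate an unreachable CRL distribution point or AIA location.
param(
    [string]$CaSubject = "CN=Contoso Issuing CA",   # hypothetical value; use your CA's subject
    [string]$OutDir    = "$env:TEMP\ca-chain"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Locate the CA certificate in the local machine Personal store
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CaSubject } |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate with subject '$CaSubject' in Cert:\LocalMachine\My" }

# Build the chain with online revocation checking for the entire chain, as CryptoAPI would
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if (-not $chain.Build($caCert)) {
    Write-Warning "Chain build reported status:"
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

# Export every element of the chain as a DER .cer file and verify it with certutil
$i = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $path = Join-Path $OutDir ("chain{0}-{1}.cer" -f $i, $cert.Thumbprint)
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($path, $der)

    Write-Host "=== [$i] $($cert.Subject) ==="
    # -urlfetch downloads each CDP and AIA URL in the certificate; -verify checks the chain
    $output = & certutil.exe -urlfetch -verify $path 2>&1
    $exit   = $LASTEXITCODE

    # certutil reports retrieval problems as 'ERROR:' lines and per-URL 'Failed "CDP"' /
    # 'Failed "AIA"' lines; anything matching is worth resolving before moving on
    $problems = $output | Where-Object { "$_" -cmatch 'ERROR:|Failed "' }
    if ($exit -ne 0 -or $problems) {
        Write-Warning "Problems for $($cert.Subject) (certutil exit code $exit):"
        $problems | ForEach-Object { Write-Warning "  $_" }
    } else {
        Write-Host "  OK: chain and revocation information verified"
    }
    $i++
}
```

Running it once per CA in the hierarchy gives the same coverage as the manual procedure; the exported .cer files under $OutDir can be kept so that certutil -urlfetch -verify can be re-run after a CDP or AIA fix without exporting again.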
To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.
Identify and correct resource problems that can prevent revocation checking
To check that revocation checking is not prevented by a hardware problem:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Reliability and Performance Monitor to assess memory and disk usage on the CA.
If necessary, increase Windows resources by adding physical memory, virtual memory, or physical storage.
Enable CryptoAPI 2.0 Diagnostics
To enable CryptoAPI 2.0 Diagnostics:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
Right-click Operational, and click Enable Log.
Click Start, point to Administrative Tools, and click Services.
Right-click Active Directory Certificate Services, and click Restart.
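Enabling the log and then reading the revocation-related entries back out can also be done from a PowerShell prompt. The following is an added example, not code from the original page or from Microsoft; it assumes an elevated PowerShell on the CA host, that the AD CS service name is CertSvc, and that the 16 MB log size is just an assumed working value.

```powershell
# Added example, not from the original page: enable the CAPI2 Operational log, restart
# AD CS, then list recent CAPI2 errors and warnings so revocation failures can be read
# without clicking through Event Viewer.

# Raise the size first (assumed value): CAPI2 is verbose and the default log wraps quickly
wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /ms:16777216
# Enable the log (equivalent of right-clicking Operational and clicking Enable Log)
wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /e:true

# Restart Active Directory Certificate Services
Restart-Service -Name CertSvc

# Reproduce the failing check (for example, certutil -urlfetch -verify on the CA
# certificate), then pull the errors and warnings logged in the last 15 minutes
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Level     = 2, 3                      # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # TaskDisplayName names the CAPI2 operation that failed (chain building, revocation
    # checking, network retrieval); the UserData XML carries the result code and any URL.
    # The element names are looked up by local name so the provider's namespace does
    # not matter and missing elements simply yield an empty field.
    $xml    = [xml]$e.ToXml()
    $result = $xml.SelectNodes('//*[local-name()="Result"]') | Select-Object -First 1
    $url    = $xml.SelectNodes('//*[local-name()="URL"]')    | Select-Object -First 1
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Task   = $e.TaskDisplayName
        Result = if ($result) { $result.GetAttribute('value') } else { '' }
        Url    = if ($url)    { $url.InnerText }               else { '' }
    }
} | Format-Table -AutoSize
```

The Result column is the hexadecimal CryptoAPI status code for the failed operation, and the Url column shows which CRL or AIA location CAPI2 was trying to reach, which is usually enough to tell a DNS, firewall, or web server problem apart from a stale or missing CRL on the CA itself.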
For more information about certificate revocation and status checking, see http://go.microsoft.com/fwlink/?LinkID=124408.