Microsoft KB Archive/825061

= Certificate Services Does Not Start After You Upgrade to Windows 2000 Service Pack 4 =

Article ID: 825061

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Advanced Server




IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you restart your computer after you upgrade to Windows 2000 Service Pack 4 (SP4), the Certificate Services service (CertSvc) does not start. Additionally, one or more of the following events may appear in the application log of Event Viewer:

Event Type: Error

Event Source: CertSvc

Event ID: 100

Description: Certificate Services did not start: Could not load or verify the current CA certificate. Enterprise-Sub The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

For more information, see Help and Support Center at .

Event Type: Error

Event Source: CertSvc

Event ID: 48

Description: Revocation status for a certificate in the chain for CA certificate 0 for Enterprise-Sub could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

For more information, see Help and Support Center at .

Event Type: Error

Event Source: CertSvc

Event ID: 7024

Description: The Certificate Services service terminated with service-specific error 2148081683 (0x80092013).

For more information, see Help and Support Center at .



CAUSE
This issue occurs because a valid Certificate Revocation List (CRL) for one or more of the intermediate certification authority (CA) certificates could not be found. This issue may occur if the CRL is not available to the certificate server, or if the CRL has expired.
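The three events above report one error in three notations: hexadecimal 0x80092013, signed decimal -2146885613 and unsigned decimal 2148081683. The following Python sketch is an added example, not part of the original article: it folds every number in an event description to an unsigned 32-bit value and flags the CertSvc events that carry this code. The sample events are constructed from the event text above, the function names are hypothetical, and CRYPT_E_REVOCATION_OFFLINE is the Windows SDK name for 0x80092013.

```python
import re

# HRESULT 0x80092013 (CRYPT_E_REVOCATION_OFFLINE in the Windows SDK headers).
REVOCATION_OFFLINE = 0x80092013
CERTSVC_EVENT_IDS = {100, 48, 7024}  # the event IDs listed in this article

# Constructed sample: (source, event ID, description), modelled on the events above.
SAMPLE_EVENTS = [
    ("CertSvc", 100, "Certificate Services did not start: Could not load or verify "
     "the current CA certificate. Enterprise-Sub ... 0x80092013 (-2146885613)."),
    ("CertSvc", 48, "Revocation status for a certificate in the chain for CA "
     "certificate 0 for Enterprise-Sub could not be verified ... "
     "0x80092013 (-2146885613)."),
    ("CertSvc", 7024, "The Certificate Services service terminated with "
     "service-specific error 2148081683 (0x80092013)."),
    ("CertSvc", 7024, "The Certificate Services service terminated with "
     "service-specific error 5 (0x5)."),  # unrelated failure, must not match
]

_NUMBER = re.compile(r"0x[0-9A-Fa-f]+|-?\d+")

def hresults_in(text):
    """Return every number found in text, folded to an unsigned 32-bit value."""
    values = set()
    for token in _NUMBER.findall(text):
        n = int(token, 16) if token.lower().startswith("0x") else int(token)
        values.add(n & 0xFFFFFFFF)  # -2146885613 and 2148081683 both become 0x80092013
    return values

def revocation_offline_events(events):
    """Return the IDs of CertSvc events that report the revocation-offline error."""
    return [eid for source, eid, desc in events
            if source == "CertSvc" and eid in CERTSVC_EVENT_IDS
            and REVOCATION_OFFLINE in hresults_in(desc)]

def diagnose(events):
    """Summarize whether the start failure matches the cause described in this article."""
    hits = revocation_offline_events(events)
    if 100 in hits or 7024 in hits:
        return "CertSvc did not start: CRL for a CA certificate in the chain is unavailable or expired"
    return "no revocation-offline start failure found"

if __name__ == "__main__":
    print(revocation_offline_events(SAMPLE_EVENTS))
    print(diagnose(SAMPLE_EVENTS))
```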



WORKAROUND
To work around this issue, use one of the following methods, as appropriate to your situation.

Method 1: Make Sure That a Valid CRL Is Available
Take steps to make sure that a valid CRL is available. This is the optimal workaround for this issue.

Method 2: Modify the LogLevel Registry Value
If this CA is an offline CA and has no access to the network to obtain the CRL, set the LogLevel registry value to 2. This registry change permits the CA to start by ignoring the revocation offline error. To set the LogLevel registry value, follow these steps:

1. Click Start, click Run, type cmd in the Open box, and then click OK.

2. Type the following command, and then press ENTER:

certutil.exe -setreg CA\LogLevel 2

The following results are returned:

\LogLevel:

Old Value: LogLevel REG_DWORD = 3 (3)

New Value: LogLevel REG_DWORD = 2 (2)

3. Restart the Certificate Services service. To do so, type the following commands (press ENTER after each command):

net stop certsvc

net start certsvc

4. Close the command-prompt window.


MORE INFORMATION
You can use the Certutil.exe program that is included with Microsoft Windows Server 2003 to determine the URL of the unavailable CRL. To do this, follow these steps.

Note: For information about how to obtain Windows Server 2003 files, contact Microsoft Product Support Services (PSS). To do this, visit the following Web site:

http://support.microsoft.com

1. Expand the following files from the I386 folder on the Windows Server 2003 CD-ROM to a new folder on the Windows 2000 certificate server:

Expand Certutil.ex_ to Certutil.exe

Expand Certcli.dl_ to Certcli.dll

Expand Certadm.dl_ to Certadm.dll

Important: Make sure that the folder where you expand these files is not included in the Path statement. Do not register these Windows Server 2003 files on the Windows 2000-based computer.

2. Start a command prompt, and then run the following command from the folder that contains the Windows Server 2003 files:

certutil -verify -urlfetch CACert.crt

Additional query words: cert

Keywords: kbprb KB825061


© Microsoft Corporation. All rights reserved.