Certificate AIA - Revocation Check Failed
I'm trying to use NPS to authenticate certs for 802.1X.
The NPS server rejects with the reason "the revocation function was unable to check the revocation for the certificate."
A bit of digging has got me to this:
C:\Windows\system32>certutil -urlfetch -verify c:\cert.cer
Issuer:
CN=BigFishes Issuing CA 01
DC=BigFishes
DC=COM
Subject:
E=some.cert@BigFishes.com
CN=some cert
Cert Serial Number: 11a6ea2c000200000455
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwRevocationFreshnessTime: 50 Minutes, 12 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwRevocationFreshnessTime: 50 Minutes, 12 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=BigFishes Issuing CA 01, DC=BigFishes, DC=COM
NotBefore: 2/7/2011 4:18 PM
NotAfter: 2/7/2012 4:18 PM
Subject: E=some.cert@BigFishes.com, CN=some cert
Serial: 11a6ea2c000200000455
SubjectAltName: Other Name:Principal Name=certa@BigFishes.COM
Template: Client Authentication-User
88 11 0b 46 ba 6d 21 f9 07 7d f4 bc 7d d5 a9 9a 9d 25 c9 a4
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Revocation Check Failed "Certificate (0)" Time: 0
[0.0] ldap:///CN=Big%20Fishes%20Issuing%20CA%2001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM?cACertificate?base?objectClass=certificationAuthority
No CRL "Certificate (1)" Time: 0
[0.1] ldap:///CN=Big%20Fishes%20Issuing%20CA%2001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (2)" Time: 0
[0.2] ldap:///CN=Big%20Fishes%20Issuing%20CA%2001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (2)" Time: 0
[1.0] http://red-issuingca01.BigFishes.com/CertEnroll/RED-ISSUINGCA01.REDFishes.COM_Big%20Fishes%20Issuing%20CA%2001(2).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (29)" Time: 0
[0.0] ldap:///CN=Big%20Fishes%20Issuing%20CA%2001,CN=RED-ISSUINGCA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (29)" Time: 0
[0.0.0] ldap:///CN=Big%20Fishes%20Issuing%20CA%2001,CN=RED-ISSUINGCA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (29)" Time: 0
[0.0.1] http://red-issuingca01.BigFishes.com/CertEnroll/Big%20Fishes%20Issuing%20CA%2001+.crl
Verified "Base CRL (29)" Time: 0
[1.0] http://red-issuingca01.BigFishes.com/CertEnroll/Big%20Fishes%20Issuing%20CA%2001.crl
Verified "Delta CRL (29)" Time: 0
[1.0.0] ldap:///CN=Big%20Fishes%20Issuing%20CA%2001,CN=RED-ISSUINGCA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (29)" Time: 0
[1.0.1] http://red-issuingca01.BigFishes.com/CertEnroll/Big%20Fishes%20Issuing%20CA%2001+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (29)" Time: 0
[0.0] ldap:///CN=Big%20Fishes%20Issuing%20CA%2001,CN=RED-ISSUINGCA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM,DC=AU?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Delta CRL (29)" Time: 0
[1.0] http://red-issuingca01.BigFishes.com/CertEnroll/Big%20Fishes%20Issuing%20CA%2001+.crl
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://ocsp.BigFishes.com/ocsp
--------------------------------
CRL 29:
Issuer: CN=BigFishes Issuing CA 01, DC=BigFishes, DC=COM
43 6c 47 5e c8 c7 00 6a 59 2d 5d c3 0d 21 4c 2a 8d a9 69 f1
Delta CRL 29:
Issuer: CN=BigFishes Issuing CA 01, DC=BigFishes, DC=COM
b8 89 1c c2 ea 58 8e 9c 28 a3 2c ef 97 ed e2 60 81 bd 40 3d
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
Issuer: CN=BigFishes Root CA, DC=BigFishes, DC=COM
NotBefore: 1/1/2011 12:50 PM
NotAfter: 1/1/2017 1:00 PM
Subject: CN=BigFishes Issuing CA 01, DC=BigFishes, DC=COM
Serial: 6188771e000000000003
Template: SubCA
e0 91 ae 39 e6 74 e3 4c 5c 98 53 9b 05 70 b3 2b e4 f6 67 83
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Cannot find the requested object. 0x80092009 (-2146885623)
http://ca.BigFishes.com/pki
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=BigFishes Root CA, DC=BigFishes, DC=COM
NotBefore: 12/31/2010 11:50 AM
NotAfter: 12/31/2020 12:00 PM
Subject: CN=BigFishes Root CA, DC=BigFishes, DC=COM
Serial: 52d03b6be21e428340e4cf60ba4e0664
8d 0f 60 be 4a 1a 13 ab 5c 75 b9 13 ae 70 c0 26 b3 c6 be 46
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
45 1a 44 cc 83 16 0f c6 2c 74 aa a9 8b 36 d2 c1 75 27 10 18
Full chain:
98 c4 e7 33 4d d5 5f 9c 2a 35 14 8d 30 61 0c f8 08 2a 5f 7e
Issuer: CN=BigFishes Issuing CA 01, DC=BigFishes, DC=COM
NotBefore: 2/7/2011 4:18 PM
NotAfter: 2/7/2012 4:18 PM
Subject: E=some.cert@BigFishes.com, CN=some cert
Serial: 11a6ea2c000200000455
SubjectAltName: Other Name:Principal Name=certa@BigFishes.COM
Template: Client Authentication-User
88 11 0b 46 ba 6d 21 f9 07 7d f4 bc 7d d5 a9 9a 9d 25 c9 a4
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
------------------------------------
Revocation check skipped -- no revocation information available
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
I can see that the LDAP object exists.
The thing that confuses me a little (and may well be an indicator of my issue) is the presence of
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Cannot find the requested object. 0x80092009 (-2146885623)
http://ca.BigFishes.com/pki
That URL is a location I had tried to set up on the root CA (before I realised I had misunderstood a doc and that it should be a file, not a directory).
The Issuing CA cert has been renewed and now has valid CDP and AIA fields. Do I need to somehow remove the "Certificate #0" which still has the wrong AIA? (And if so, how?)
Any thoughts on where I've gone wrong?
February 7th, 2011 7:32pm
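An added diagnostic, not part of the poster's output above: a PowerShell script that rebuilds the same chain with the revocation policy the certutil run used (online check, chain minus root), prints each element's own status next to the CDP and AIA URLs that certificate carries, and then lists every CA certificate value stored on the AD AIA object the ldap:/// AIA URL points at, so an old and a renewed CA certificate can be told apart by thumbprint. The default path C:\cert.cer and the DN are taken from the post; the helper name Show-RevocationUrls and the assumption that the host is domain-joined and can read the Configuration partition are mine.

```powershell
# Added diagnostic, not part of the original post. Rebuilds the chain for the
# leaf certificate with the revocation policy the certutil run above used
# (online check, chain minus root), prints each element's own status next to
# the CDP/AIA URLs that certificate carries, then lists every CA certificate
# value stored on the AD AIA object the ldap:/// AIA URL points at.
# Assumptions: domain-joined host that can read the Configuration partition;
# the defaults below (C:\cert.cer and the DN) are the values from the post.
param(
    [string]$CertPath = 'C:\cert.cer',
    [string]$AiaDn = 'CN=Big Fishes Issuing CA 01,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=BigFishes,DC=COM'
)

# Prints the URLs in the CRL Distribution Points (2.5.29.31) and Authority
# Information Access (1.3.6.1.5.5.7.1.1) extensions of one certificate.
# A CA certificate with no CDP cannot be revocation-checked at all, which is
# what CERT_TRUST_REVOCATION_STATUS_UNKNOWN on CertContext[0][1] above means.
function Show-RevocationUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    foreach ($oid in $wanted.Keys) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($null -eq $ext) {
            "    {0}  (extension absent)" -f $wanted[$oid]
            continue
        }
        # Format($true) renders the extension one field per line; keep the URL= lines.
        $urls = $ext.Format($true) -split "`r?`n" | Where-Object { $_ -match 'URL=' }
        foreach ($u in $urls) { "    {0}  {1}" -f $wanted[$oid], $u.Trim() }
    }
}

# --- 1. Chain build with the same revocation policy certutil used above ---
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# ExcludeRoot is the managed equivalent of CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT.
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)

$built = $chain.Build($leaf)
"Chain builds without errors: $built"
foreach ($s in $chain.ChainStatus) {
    "  overall: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# Per-element status is what tells you WHICH certificate lacks revocation data.
$i = 0
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    ""
    "[{0}] {1}" -f $i, $c.Subject
    "    issuer      $($c.Issuer)"
    "    thumbprint  $($c.Thumbprint)"
    if ($el.ChainElementStatus.Length -eq 0) { "    status      OK" }
    foreach ($s in $el.ChainElementStatus) {
        "    status      {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
    Show-RevocationUrls -Cert $c
    $i++
}

# --- 2. CA certificates published on the AD AIA object ---
# This is the object the ldap:///...CN=AIA,... URL above fetches; a renewed CA
# adds another cACertificate value, so old and new can be told apart here.
# Read-only: nothing in AD is modified.
""
"cACertificate values on $AiaDn"
$aiaObject = [ADSI]"LDAP://$AiaDn"
$n = 0
foreach ($raw in $aiaObject.Properties['cACertificate']) {
    # The leading comma keeps the byte[] as a single constructor argument.
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    ""
    "value ({0})  thumbprint {1}" -f $n, $ca.Thumbprint
    "    subject     $($ca.Subject)"
    "    valid       $($ca.NotBefore) to $($ca.NotAfter)"
    Show-RevocationUrls -Cert $ca
    $n++
}
```

Save it under any name (Check-ChainRevocation.ps1 is only a suggestion) and run it as `.\Check-ChainRevocation.ps1 -CertPath C:\cert.cer`. In the situation shown above, element [1] (the issuing CA certificate) is the one to watch: it should report RevocationStatusUnknown or OfflineRevocation together with "CDP (extension absent)" and a single dead AIA URL, while the cACertificate listing shows which published value has the thumbprint of the renewed certificate that does carry working CDP and AIA URLs. The script only reads from AD; it does not remove or republish anything.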


