Certificate Revocation Issue
I'm having some difficulty with certificate revocation lists. I'm getting the error "Revocation information for the security certificate for this site is not available." I have updated the CRL distribution points and verified that I can access them. I have also modified IIS7 to allow plus signs. I tried updating the AIA distribution location as well. Now, what I'm seeing is that when I manually open the crl, which works just fine, there are two attributes, Freshest CRL and Published CRL Location which both have LDAP paths. I believe these either need to be removed, or changed to http, but I don't want to make things worse. Any help here would be appreciated, thanks.
September 5th, 2011 5:37pm

You need to provide much, much more detail. Can you provide the output from certutil -verify -urlfetch <Certificate.crt> against any certificate issued by an issuing CA? You can change the names to protect the innocent <G>. This will allow us to provide you more information.
Brian
September 5th, 2011 9:53pm

Here is the output, masked. The end of the message is pretty clear, but I'm not sure what it's referring to. We actually have a root CA and subordinate CA that are both online.

Issuer: CN=Company Intermediate CA
Subject: CN=server.domain.com
Cert Serial Number: Serial#

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=Company Intermediate CA
  NotBefore: 9/5/2011 2:24 PM
  NotAfter: 9/2/2021 2:24 PM
  Subject: CN=server.domain.com
  Serial: Serial#
  SubjectAltName: DNS Name=names ...
  Template: Cert Template
  thumbprint
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  Expected Base CRL "Delta CRL (d4)" Time: 4
    [0.0] http://crl.domain.com/CA.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=DN
  NotBefore: 2/12/2011 10:33 AM
  NotAfter: 2/8/2026 10:33 AM
  Subject: CN=Company Intermediate CA
  Serial: Serial#
  Template: Template
  Thumbprint
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Wrong Issuer "Certificate (0)" Time: 0
    [0.0] ldap:///DN
  Wrong Issuer "Certificate (1)" Time: 0
    [0.1] ldap:///DN
  Wrong Issuer "Certificate (2)" Time: 0
    [0.2] ldap:///DN
  Wrong Issuer "Certificate (3)" Time: 0
    [0.3] ldap:///DN
  Wrong Issuer "Certificate (4)" Time: 0
    [0.4] ldap:///DN
  Wrong Issuer "Certificate (5)" Time: 0
    [0.5] ldap:///DN
  Wrong Issuer "Certificate (6)" Time: 0
    [0.6] ldap:///DN
  Wrong Issuer "Certificate (7)" Time: 0
    [0.7] ldap:///DN
  Verified "Certificate (8)" Time: 0
    [0.8] ldap:///DN
  Verified "Certificate (9)" Time: 0
    [0.9] ldap:///DN
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (01a8)" Time: 0
    [0.0] ldap:///DN
  Verified "Delta CRL (01a8)" Time: 0
    [0.0.0] ldap:///DN
  ---------------- Base CRL CDP ----------------
  OK "Delta CRL (01a9)" Time: 0
    [0.0] ldap:///DN
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 01a8:
    Issuer: DN
    Serial#
  Delta CRL 01a9:
    Issuer: DN
    Serial #

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: DN
  NotBefore: 2/4/2011 3:37 PM
  NotAfter: 2/10/2031 7:18 PM
  Subject: DN
  Serial: Serial#
  Template: Template
  Serial#
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  Serial#
Full chain:
  Serial#
Issuer: CN=Company Intermediate CA
NotBefore: 9/5/2011 2:24 PM
NotAfter: 9/2/2021 2:24 PM
Subject: CN=server.domain.com
Serial: Serial#
SubjectAltName: DNS Names
Template: Template
Serial#
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
September 5th, 2011 11:31pm

You may have masked too much information, but here is a start: it looks like the HTTP URL for the following is pointing to a delta CRL object, not to a base CRL object:

  ---------------- Certificate CDP ----------------
  Expected Base CRL "Delta CRL (d4)" Time: 4
    [0.0] http://crl.domain.com/CA.crl

This is for your root CA (looking at the chain). Since it is broken, all subordinate CA certificates and leaf certificates will validate as invalid because a revocation decision cannot be built.

1) Under best practices, the root CA would be offline and only publishing base CRLs.
2) For the issuing CA, your naming for the base CRL and delta CRL for the HTTP URL should use the form %3%8%9.crl. It looks like your naming may be hardcoded as CA.crl or is not using the %8%9 variables (causing the same name to be applied for base and delta CRLs).

HTH,
Brian
September 6th, 2011 12:22am

It's not, it's pointing to the base CRL object.
September 6th, 2011 11:09am

Maybe this is a stupid question (I am new to CAs), but do I NEED to have an OCSP server somewhere in my network, or is that optional?
September 6th, 2011 11:10am

OCSP is optional. You missed my point. Look at the output. It appears that you may have both the base CRL and the delta CRL pointing to the same URL without the delta CRL indicator configured correctly. Essentially, the delta CRL is overwriting the base CRL. Make sure that the URL contains %3%8%9.crl for the file name, or CA%8%9.crl, not CA.crl.
Brian
September 6th, 2011 11:33am

Also, is there cleanup I can do to get rid of all of the "Wrong Issuers"?
September 6th, 2011 12:06pm

Ok, I'll give that a shot. What's the best way to test if revocation is working? The same command as above?
September 6th, 2011 12:06pm

Yes, same command as above for testing. For the wrong issuers, you have removed too much data for me to even give you an answer. My assumption is that you renewed ... a lot ... on the sub CA and it is finding lots of CA certificates. You cannot easily remove them, as there may be certs that chain to various sub CA certs.
Brian
September 6th, 2011 12:15pm

You would be correct :) I renewed several times trying to resolve the validity period. All of the wrong issuers point to LDAP paths, but I can't find them. The certs have been removed from the CAs.
September 6th, 2011 12:49pm

And thank you, your suggestion above fixed the revocation issue! I was pointing to a hard URL, without the %8 and %9.
September 6th, 2011 12:50pm
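The fix Brian describes (distinct file names for base and delta CRLs via the %3%8%9 variables) and the test he recommends (certutil -verify -urlfetch) as an added worked example. This is not code from the thread or from Microsoft; it assumes an enterprise issuing CA on Windows Server 2008 R2 or later, an HTTP CDP site at pki.domain.com serving the CertEnroll directory, a sanitized CA name of Company-Intermediate-CA, and a test certificate at .\server.cer. Replace those with your own values. Run in an elevated PowerShell on the CA server.

```powershell
# Added example, not from the thread. Assumed names: pki.domain.com, CertEnroll,
# Company-Intermediate-CA, .\server.cer. Adjust for your environment.

$HttpBase        = 'http://pki.domain.com/CertEnroll'   # assumption: the IIS CDP site
$CaSanitizedName = 'Company-Intermediate-CA'            # assumption: certutil -cainfo sanitizedname

# The setting that reproduces the thread's symptom: a hard-coded file name. Base and
# delta CRLs both publish as CA.crl, the delta overwrites the base, and clients report
# 'Expected Base CRL "Delta CRL (..)"' and 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).
$BrokenHttpCdp = "2:$HttpBase/CA.crl"

# Corrected entries. Variables: %3 = sanitized CA name, %8 = CRLNameSuffix (non-empty
# once the CA key has been renewed), %9 = '+' for delta CRLs, so the files become
# Company-Intermediate-CA.crl and Company-Intermediate-CA+.crl.
# Flag bits: 1 publish CRL here, 2 add to the CDP extension of issued certificates,
# 4 add to the Freshest CRL extension of issued CRLs, 8 publish to AD manually,
# 64 publish delta CRLs here.
$CrlUrls = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',                      # 1+64: local files
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',  # 1+2+4+8+64: AD
    "6:$HttpBase/%3%8%9.crl"                                                     # 2+4: HTTP for non-domain clients
)

# certutil splits this registry value on a literal "\n"; PowerShell single quotes
# pass the two characters through unchanged.
certutil -setreg CA\CRLPublicationURLs ($CrlUrls -join '\n')
Restart-Service certsvc
certutil -CRL   # publish a fresh base CRL and delta CRL to the new locations

# The '+' in the delta file name reaches IIS double-escaped, which request filtering
# rejects by default. The original poster had already allowed it; the command is:
#   C:\Windows\System32\inetsrv\appcmd set config /section:requestFiltering /allowDoubleEscaping:true

function Test-CrlIsDelta {
    # Download a CRL and report whether it carries the Delta CRL Indicator extension
    # (OID 2.5.29.27). A delta sitting at the URL that certificates list as their
    # base CDP is exactly the overwrite Brian diagnosed.
    param([Parameter(Mandatory)][string]$Url)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
        $dump = certutil -dump $tmp | Out-String
        return [bool]($dump -match '2\.5\.29\.27')   # assumption: certutil prints extension OIDs
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function Test-Revocation {
    # Run the check from the thread and summarise it. Note that certutil prints
    # "Leaf certificate revocation check passed" even when it also prints
    # "Revocation check skipped -- server offline", so Passed requires the absence
    # of the skip message, not just the presence of the pass message.
    param([Parameter(Mandatory)][string]$CertPath)
    $out = certutil -verify -urlfetch $CertPath | Out-String
    [pscustomobject]@{
        DeltaWhereBaseExpected = [bool]($out -match 'Expected Base CRL\s+"Delta CRL')
        RevocationOffline      = [bool]($out -match '0x80092013')
        Passed                 = [bool](($out -match 'revocation check passed') -and
                                        -not ($out -match 'Revocation check skipped'))
    }
}

# After the CA has republished:
Test-CrlIsDelta "$HttpBase/$CaSanitizedName.crl"    # expected: False (base CRL)
Test-CrlIsDelta "$HttpBase/$CaSanitizedName+.crl"   # expected: True  (delta CRL)
Test-Revocation .\server.cer                        # expected: Passed = True, others False
```

Certificates issued before the change still carry the old CDP URL in their extension; reissue them (or keep a base CRL at the old name until they expire). On Windows Server 2012 and later the same entries can be set with Add-CACrlDistributionPoint from the ADCSAdministration module, but the %3%8%9 naming requirement is identical.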
