Revocation server offline
I've given up on this issue since I cannot seem to understand how to make it work.
The issue is this:
I am trying to configure VPN to my server. But whenever I try to connect, I get the error:
"The revocation function was unable to check revocation because the revocation server was offline."
But I am at a loss on how to fix this.
Research seems to say that the client needs to be able to access a URL on the server (eg Server/CertEnroll/certificate.crl). Since my server is running a web server, accessing such a URL should not pose a problem.
Research also suggests that this URL is defined in the certificate, and sure enough, it is. Only problem is that it uses the DNS of the server in the active directory network which isn't accessible from the outside! So I am again at a loss on how to fix the DNS so that an external client can find this.
I'm currently testing within the network and I can access said URL fine, but the problem still doesn't go away.
What am I missing? What have I configured incorrectly?
Any help would be appreciated. Thanks.
July 27th, 2011 3:12pm
Hello,
please see:
http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
Best regards Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
July 27th, 2011 3:50pm
I seem to have forgotten to mention I'm using Windows Server 2008. Bad me.
Anyway, I checked the link, but it does not seem to be related to my problem. I followed the steps and all seems to be in order.
I'll add a little information about what I have done in case it helps.
I have basically just set up Routing and Remote Access selecting Custom and VPN. I have a proper certificate, as well. But that's where it stops. I'm sure there are some additional steps needed to get VPN working? I'm not wizzy enough to understand the proper steps and what they do from here.
July 27th, 2011 4:25pm
You can publish your CRL via a web server to external clients, for the purpose you have stated and others (Remote Desktop Gateway, for example).
Open Administrative Tools -> Certificate Authority. Right click on your CA and select Properties. On the Extensions tab, make sure you're focused on CRL Distribution Point (CDP), and below that you will find the list of CRLs.
You should find one starting ldap://.. and one starting file://.. out of the box.
To add an external, create one like
C:\Windows\System32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
For this file system publishing point, make sure "Publish CRLs to this location" and "Publish Delta CRLs to this location" are both checked (nothing else should be enabled). This directory will become the root path of your external web site dedicated to external CRL publishing. SYSTEM will need Full Control. This assumes your web site is hosted on the same machine as your CA, hence the direct C:\.. reference (using file://.. should work alternately).
Next, add one like
http://crl.yourdomain.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Make sure "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates" are both checked. The exact external domain URL is up to you and your DNS structure.
The details of how to create a web site based on the C:\Windows\System32\CertSrv\CertEnroll directory and how to expose that through your firewall and the necessary permissions are left to you. Certificates created after these changes will contain the http://.. path to the CRL that external clients can use (since ldap:// and file:// are not available to them).
Disclaimer: Use at your own risk. Web site creation, permissions, and publishing as well as modifying your firewall should be considered carefully and secured properly and can expose your network to risk.
Good luck.
July 27th, 2011 5:20pm
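The same change the answer above makes through the CA Properties dialog, scripted with certutil so it can be reviewed and repeated. This is an added example, not code from the thread or from Microsoft. It assumes the CA and the web server are the same host, that the external name is crl.yourdomain.com, that the IIS site serving CertEnroll is called "CRL", and that the VPN server certificate is exported to C:\temp\vpn-server.cer; all four are placeholders. It also runs the check that was failing in the original post (certutil -verify -urlfetch), which is the quickest way to see whether a client can actually reach the CRL named in a certificate.

```powershell
# Added example: publish the CA's CRL to a file-system path and an external HTTP CDP,
# then verify the chain the way a VPN client would. Run elevated on the CA.
# Placeholders (assumptions, not from the thread): crl.yourdomain.com, IIS site "CRL",
# C:\temp\vpn-server.cer.

# Replacement tokens used by the CA: %3 = CaName, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed
$LocalPath   = 'C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'
$ExternalUrl = 'http://crl.yourdomain.com/CertEnroll/%3%8%9.crl'

# CRLPublicationURLs flag bits (certutil CSURL_* values):
#   1  = Publish CRLs to this location
#   2  = Include in the CDP extension of issued certificates
#   4  = Include in CRLs. Clients use this to find Delta CRL locations
#   64 = Publish Delta CRLs to this location
$localEntry    = "65:$LocalPath"     # 1 + 64 : where the CA writes base and delta CRLs
$externalEntry = "6:$ExternalUrl"    # 2 + 4  : what ends up inside issued certificates

# Read the current list so the default ldap:// and file:// entries are kept.
$cfgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgKey).Active
$current = (Get-ItemProperty -Path "$cfgKey\$caName").CRLPublicationURLs
$wanted  = @($current) + @($localEntry, $externalEntry) | Select-Object -Unique

# certutil -setreg treats a literal "\n" as the REG_MULTI_SZ separator.
certutil -setreg CA\CRLPublicationURLs ($wanted -join '\n') | Out-Null

Restart-Service certsvc          # the CA reads CRLPublicationURLs at start-up
certutil -CRL | Out-Null         # write a fresh base (and delta) CRL to every "publish" entry

# Delta CRLs are named <CaName>+.crl; IIS request filtering rejects the '+' in the
# path unless double escaping is allowed on the site that serves CertEnroll.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\CRL' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true

# What an external client sees: fetch the base CRL over HTTP and dump its validity window.
# WebClient works on PowerShell 2.0 (Server 2008); Invoke-WebRequest does not exist there.
$fetched = Join-Path $env:TEMP 'fetched.crl'
(New-Object Net.WebClient).DownloadFile("http://crl.yourdomain.com/CertEnroll/$caName.crl", $fetched)
certutil -dump $fetched | Select-String 'Issuer|ThisUpdate|NextUpdate'

# Certificates issued before the change still carry only the old CDP, so re-issue the
# RRAS server certificate first, then check that the chain builds with a reachable CRL.
# This is the check that produced "the revocation server was offline" in the thread.
certutil -verify -urlfetch 'C:\temp\vpn-server.cer' | Select-String 'CRL|Revocation|Verified|Error'
```

Two caveats worth checking before blaming the firewall. First, the DownloadFile line only proves reachability from the host it runs on; if internal DNS does not resolve crl.yourdomain.com (split-brain DNS), test from a client outside the network as well, because that is the path the VPN client will take. Second, the CRL has a NextUpdate; if the publish step is not scheduled (the CA does it automatically, but only while certsvc is running and the path is writable), clients will start failing revocation checks the day it expires, with the same error the thread opened with.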
This little tip might just have worked. I no longer get the same error (but I get another error).
Time will tell if the same error will pop up after I fix this error, or not.
For the solution, I followed your advice to add another CDP using my EXTERNAL DNS (instead of my internal server dns), and thus, it was able to find the cert. Or so I hope.
I'll be in touch if it didn't work!
July 27th, 2011 5:34pm
I take it from your Marked as Answer that it worked!
What other errors were you getting and how were they resolved? Just curious.
July 27th, 2011 6:23pm
I haven't been able to resolve the other error. It no longer barks at the certificate, but it won't connect, nevertheless. So one issue down, another pops up. It certainly isn't easy.
This time it's giving me a "the network connection was aborted by the local system."
In the logs (client), it says it's a 503 error: service unavailable, I believe.
I can find nothing in the server logs to pinpoint the issue.
All services are running.
July 27th, 2011 6:26pm