NPS 6273 Code Reason 258 Reason: The revocation function was unable to check revocation for the certificate.

Question

Hi,

I would use third party root CA to authenticate NPS Wireless users, but I have stuck with NPS Error 6273 reason 258: The revocation function was unable to check revocation for the certificate.

What I did: 

1. Imported cert: certutil.exe -enterprise -addstore NTAuth .\Root_CA.crt
2. Verify cert:  certutil.exe -verify -urlfetch .\Root_CA.crt

----------------  Certificate CDP  ----------------
  Verified "Base CRL (01)" Time: 0 a95489d7bf1887e7cd8f2a4ff5257cb1536bd312
    [0.0] http://serv18.ad.domain.pl/crl/ca.crl

As you can see it has url to other server where on IIS is available valid ca.crl file.
But I still cannot connect as wireless client using this Root Ca certificate.

Answer 1

Hello there,

Basically the message is saying that the NPS server cannot check the CRL or OCSP (depending on how the CA is setup) to validate whether the client is valid or not. In this case, the entire chain needs to be trusted and their CRLs accessible.

Typically CRLs or OCSP are http or ldap paths that are accessible. However, consider if your PKI design has an offline Root CA; if so, the CRL would need to be imported for full trust. This is typically imported into AD, thus all AD clients typically trust and know of the CRL; but you may need to import it into the NPS server.

In order to import CRL into the NPS server,

I would suggest that you can have a try to import the CRL right into the Certificates MMC, or try the following command:

certutil -addstore CA "name-of-file.crl"

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--