I found a similar issue to what I am seeing but unfortunately was not able to determine the cause.
https://social.technet.microsoft.com/Forums/en-US/6a152b22-2010-4923-8675-2cad55bfc117/smart-card-yubikey-certutil-the-revocation-function-was-unable-to-check-revocation-because-the?forum=winserversecurity
Here is the issue I am having, and TIA for any help or guidance!
Trying to set up YubiKeys to authenticate to servers to add MFA to all server access.
YubiKeys work fine for local workstation logon, but when trying to access a server via RDP I am getting the following error:
"The revocation status of the domain controller certificate used for smart card authentication could not be determined"
The YubiKey minidriver is installed on the client and on the destination server.
Downloaded the certificate assigned to the user, and checking it with certutil passed (certutil -verify -urlfetch).
CRL looks good from what I can tell.
PKIVIEW.MSC on the CA looks good - no errors.
One thing that was weird is that I ran certutil -url c:\test.cer and when I hit Retrieve from CDP it's all good, but when I retrieve from AIA the first time I get Revocation Check Failed; then I click Retrieve again and immediately get Verified. I can reproduce this over and over again... close the utility, click Retrieve and I get Failed, then Retrieve again and it changes to Verified... not sure what that is from but it seems weird...
Also ran:
--
certutil -verify -urlfetch c:\test.cer
Issuer:
CN=**redacted**
DC=**redacted**
DC=LOCAL
Name Hash(sha1): b894e73a900c96f2b7e367205419d4ab6c1c667e
Name Hash(md5): bd8cffd03e09aa94dacee5baeaae3163
Subject:
CN=**redacted**
OU=Admins
DC=**redacted**
DC=LOCAL
Name Hash(sha1): ef96fbbae04390a7dfa3786345ee13ab2d3b6fa2
Name Hash(md5): eaf4a4c67204f1958d0c1c0477887c71
Cert Serial Number: 67000244d4246233c604b2e0ed0005000244d4
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 19 Hours, 43 Minutes, 19 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 19 Hours, 43 Minutes, 19 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=**redacted**
NotBefore: 4/28/2023 8:26 AM
NotAfter: 4/27/2026 8:26 AM
Subject: **redacted**
Serial: 67000244d4246233c604b2e0ed0005000244d4
SubjectAltName: Other Name:Principal Name=**redacted**
Template: **redacted**
Cert: 626febbc6a6c1e6ae0bfb98a648cda7daafa5c72
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 6951754a6a22e05a076dfdc5b74eab253dd08f3d
[0.0] ldap:///**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (1)" Time: 0 894bd09be9a4ec3cf39c6f56f93693b7c624183a
[0.1] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Verified "Base CRL (0b0d)" Time: 0 5eecb5bd9173a310de8a0ddf519be993b9f9f4f4
[0.0] ldap:///CN=**redacted**(1),CN=CERTSUB19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
[0.0.0] ldap:///CN=**redacted**(1),CN=**redacted**,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
[0.0.1] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1)+.crl
Verified "Base CRL (0b0d)" Time: 0 5eecb5bd9173a310de8a0ddf519be993b9f9f4f4
[1.0] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1).crl
Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
[1.0.0] ldap:///CN=**redacted**(1),CN=**redacted**,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0b0d)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
[1.0.1] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1)+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (0b0f)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
[0.0] ldap:///CN=**redacted**(1),CN=**redacted**,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Delta CRL (0b0f)" Time: 0 4269912d83eb3f0748845ab5626b210ff12b058f
[1.0] http://**redacted**.**redacted**.LOCAL/CertEnroll/**redacted**(1)+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 0b0d:
Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
ThisUpdate: 4/19/2023 2:38 PM
NextUpdate: 5/20/2023 2:58 AM
CRL: 5eecb5bd9173a310de8a0ddf519be993b9f9f4f4
Delta CRL 0b0e:
Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
ThisUpdate: 4/26/2023 2:38 PM
NextUpdate: 5/4/2023 2:58 AM
CRL: f7df98af8458c5a238cc158154fdc1b54fe33ea1
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
NotBefore: 2/16/2023 11:09 AM
NotAfter: 2/15/2028 11:09 AM
Subject: CN=**redacted**, DC=**redacted**, DC=LOCAL
Serial: 4a0000016e6ef7621a9a1a71f800020000016e
Template: SubCA
Cert: 894bd09be9a4ec3cf39c6f56f93693b7c624183a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0 ee48b58b1c54e1354dcbd5d41a7e0e482ccfa2f2
[0.0] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (1)" Time: 0 96e5561470a76fe29081dc35d20bcb0e535094d7
[0.1] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (2)" Time: 0 84503f8540df33611a66fdc53804e7f2f17f6e81
[0.2] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (3)" Time: 0 c17645220c61d655a03f3bebfafabe723c4a90c8
[0.3] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (4)" Time: 0 11f2da7f1f4a51fd3f813014f9825d2f06f9aca4
[0.4] ldap:///CN=**redacted**,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Verified "Base CRL (0b3b)" Time: 0 88258425b30cf8a2c6236cfe675781570fecac60
[0.0] ldap:///CN=**redacted**(1),CN=CERTAUTH19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0b3b)" Time: 0 c4191a687c47cae5e02cb5504a3f6695f9de9a61
[0.0.0] ldap:///CN=**redacted**(1),CN=CERTAUTH19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Base CRL CDP ----------------
OK "Delta CRL (0b3b)" Time: 0 c4191a687c47cae5e02cb5504a3f6695f9de9a61
[0.0] ldap:///CN=**redacted**(1),CN=CERTAUTH19-OMA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=**redacted**,DC=LOCAL?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 0b3b:
Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
ThisUpdate: 4/27/2023 11:30 AM
NextUpdate: 5/11/2023 11:50 PM
CRL: 88258425b30cf8a2c6236cfe675781570fecac60
Delta CRL 0b3b:
Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
ThisUpdate: 4/27/2023 11:30 AM
NextUpdate: 4/28/2023 11:50 PM
CRL: c4191a687c47cae5e02cb5504a3f6695f9de9a61
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=**redacted**, DC=**redacted**, DC=LOCAL
NotBefore: 7/8/2015 9:47 AM
NotAfter: 9/14/2031 7:57 AM
Subject: CN=**redacted**, DC=**redacted**, DC=LOCAL
Serial: 4b1df556819a54a3453ba221c5687e15
Template: CA
Cert: 84503f8540df33611a66fdc53804e7f2f17f6e81
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 7692940da088ea05998fe805d58ff8ab2f394094
Full chain:
Chain: 263db87757ad1c95410e66af94a429bb6193168a
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
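The RDP error quoted at the top names the domain controller's certificate, while the certutil run above verifies the user's certificate. The following is an added example, not code from the original post: step 1 exports the DC's authentication certificate(s) on each DC, step 2 builds the chain with online revocation checking on the client that fails, using the same ExcludeRoot scope as the certutil trace, and reports the chain-engine statuses that produce "could not be determined". Assumptions: the DC certificate is in Cert:\LocalMachine\My and carries the KDC Authentication or Smart Card Logon EKU; the export directory and the certutil failure-marker regex are this example's own choices.

```powershell
# Added example (not from the original post). Step 1 runs on each domain controller,
# step 2 runs on the client where smart card RDP fails (that client validates the KDC cert).
$KdcAuthEku        = '1.3.6.1.5.2.3.5'         # KDC Authentication
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon (also in the post's output)

function Export-DcAuthCertificate {
    # Step 1 (on the DC): write every LocalMachine\My cert with a KDC/Smart Card Logon EKU to .cer files.
    param([string]$ExportDir = 'C:\Temp\dc-certs')   # assumed path, change as needed
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
        ($oids -contains $KdcAuthEku) -or ($oids -contains $SmartCardLogonEku)
    } | ForEach-Object {
        $path = Join-Path $ExportDir "$($_.Thumbprint).cer"
        Export-Certificate -Cert $_ -FilePath $path -Type CERT | Out-Null
        $path
    }
}

function Test-DcCertRevocation {
    # Step 2 (on the failing client): chain-build with live CDP/OCSP retrieval, as logon does.
    param([Parameter(Mandatory)][string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'   # matches CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($cert)
    # RevocationStatusUnknown / OfflineRevocation are the statuses behind
    # "revocation status ... could not be determined"; Revoked is the other failure outcome.
    $revocation = $chain.ChainStatus | Where-Object {
        $_.Status -match 'RevocationStatusUnknown|OfflineRevocation|Revoked' }
    # Also run the same certutil check the post used, keeping only lines that look like failures.
    # The marker regex is an assumption; "Wrong Issuer" on AIA entries is omitted because the
    # post's own passing trace shows it for extra CA certs in the AIA object.
    $certutilFailures = (& certutil -verify -urlfetch $CerPath) |
        Select-String -Pattern 'Failed|Expired|Error retrieving'
    [pscustomobject]@{
        Subject          = $cert.Subject
        ChainBuilt       = $built
        ChainStatus      = ($chain.ChainStatus | ForEach-Object {
                               "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        RevocationIssue  = [bool]$revocation
        CertutilFailures = @($certutilFailures | ForEach-Object Line)
    }
}
```

Copy the exported .cer files to the client and run Test-DcCertRevocation against each; a RevocationIssue of True with CRL URLs that resolve from the CA itself points at the client's path to the CDP (LDAP or HTTP) rather than at the CA.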