Certificate Request Fails - CRL not Reachable but is reachable

Jörg Schoppmann 1 Reputation point
2021-07-28T13:19:52.23+00:00

Hey guys, I'm literally going nuts on this one.

I'm trying to issue a certificate and always get "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".
When I try to download the CRL via browser, or use certutil to retrieve the CRLs, both work fine.
I also disabled revocation checking and it started to work after that, but that's not an option.

Can someone give me some guidance on where to look? I already can't see the forest for the trees.

My setup consists of an offline root CA and an online intermediate CA; the CRL is hosted on an Azure Storage Account / Azure CDN using a custom domain.


3 answers

  1. Hannah Xiong 6,276 Reputation points
    2021-07-29T03:03:26.04+00:00

    Hello @Jörg Schoppmann ,

    Thank you so much for posting here.

    The issue seems to be a little unique. As stated, we could access the CRL and there is no error when we run certutil.

    I would like to have a recheck with you. When we run the command Certutil -urlfetch -verify c:\certificate.cer, it works fine, am I right?

    [screenshot: 118873-image.png]

    Besides, have we checked PKIView.msc on the issuing CA? Is there any error?

    [screenshot: 118818-image.png]

    Have we made any change recently? As mentioned, the CRL is hosted on Azure Storage Account / Azure CDN using custom domain. Sorry that we are not professional with Azure since we focus on on-premises AD.

    Thanks for your time and support.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Jörg Schoppmann 1 Reputation point
    2021-07-29T10:09:56.533+00:00

    Thank you for your feedback. I think I also found the reason, but I'm not sure how to fix it.
    Indeed the delta CRL is expired ... even though the current one was uploaded and is recent.
    For some weird reason it shows 14th August 2020 as the expiry date and won't update. I can download the current delta CRL from the given server without a problem. (I can remember it broke back at the end of May 2021; it worked like a charm until then, but I never had time to take care of it and haven't changed anything in this setup.)

    I already tried several times to clear the URL cache, but it doesn't change anything, even after rebooting the CA.

    [screenshot: 119061-image.png]


  3. Jörg Schoppmann 1 Reputation point
    2021-07-29T13:15:20.11+00:00

    I'm not sure yet, but I think it was caused by either Azure CDN caching behavior or my company's ISP caching.
    For Azure I set a global cache bypass rule for the endpoint, and at the same time asked my ISP to exclude the given URLs from their backbone caching. Not sure which kicked in first... but both the normal and delta CRL got updated.
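
The thread converges on an intermediary (CDN or ISP proxy) handing out a stale delta CRL even though the origin holds a fresh one. As an added example (not from the thread, nor from Microsoft's or Azure's tooling), the script below checks whether the HTTP caching headers returned with a CRL download allow a shared cache to keep the file past the CRL's NextUpdate; the header values and dates in `sample_report` are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('" ') or None
    return out

def freshness_lifetime(headers):
    """Seconds a shared cache may serve the response without revalidating
    (RFC 7234: s-maxage, then max-age, then Expires minus Date). 0 = revalidate
    every time; None = no explicit lifetime, so a CDN/ISP proxy may apply its own."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    for name in ("s-maxage", "max-age"):
        if cc.get(name) and cc[name].isdigit():
            return int(cc[name])
    if "Expires" in headers and "Date" in headers:
        delta = parsedate_to_datetime(headers["Expires"]) - parsedate_to_datetime(headers["Date"])
        return max(0, int(delta.total_seconds()))
    return None

def diagnose_crl_response(headers, next_update, now):
    """headers: HTTP response headers (dict); next_update: the CRL's NextUpdate; datetimes tz-aware."""
    date = parsedate_to_datetime(headers["Date"])
    age = int(headers.get("Age", "0"))          # Age > 0: a cache answered, not the origin
    stored_at = date - timedelta(seconds=age)   # when that cache took its copy
    lifetime = freshness_lifetime(headers)
    serve_until = None if lifetime is None else stored_at + timedelta(seconds=lifetime)
    return {
        "served_from_cache": age > 0,
        "crl_expired": now > next_update,
        # a cache allowed to keep the copy past NextUpdate keeps serving the expired CRL
        "cache_outlives_crl": serve_until is not None and serve_until > next_update,
        "cache_serve_until": serve_until,
    }

def sample_report():
    """Constructed samples (not captured from the thread): a year-long CDN TTL on a
    delta CRL that expired in 2020, versus a 10-minute TTL on a still-valid one."""
    now = datetime(2021, 7, 29, 10, 9, 56, tzinfo=timezone.utc)
    stale = {"Date": "Thu, 29 Jul 2021 10:09:56 GMT", "Age": "3600",
             "Cache-Control": "public, max-age=31536000"}
    fresh = {"Date": "Thu, 29 Jul 2021 10:09:56 GMT", "Cache-Control": "max-age=600"}
    return {"stale": diagnose_crl_response(stale, datetime(2020, 8, 14, tzinfo=timezone.utc), now),
            "fresh": diagnose_crl_response(fresh, datetime(2021, 7, 30, tzinfo=timezone.utc), now)}
```

A cache lifetime longer than the gap between publication and NextUpdate is the configuration to fix at the origin (short max-age or no-cache on the CRL objects), which is what the CDN bypass rule in the answer above achieves.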

