This error is observed in the IIS logs of the SEG Server in both same-domain and cross-domain KCD configurations. Information on gathering IIS logs can be found here.
There are two scenarios in which this error occurs:
1. Same-domain KCD configuration: The SEG needs to be able to access the certificate revocation list (CRL). Because the SEG belongs to the same domain as the internal components, the default CRLs are usually configured with an LDAP distribution point, and the SEG needs to be able to access them.
2. Cross-domain KCD configuration: The SEG server, when not on the domain, needs to be able to access the certificate revocation list using an HTTP distribution point. Creation of an HTTP distribution point needs to be handled by the customer's Certificate Administration team.
To verify that the certificate revocation list is accessible from the SEG Server, open the LDAP or HTTP distribution point in a browser on that server. It should download a CRL file. Sometimes a Windows contact file is created instead (since the default method on that server to access CRLs is to convert them to a Windows contact file).
You can also confirm that the CRLs are accessible using the commands below:
certutil -urlfetch -verify <Root_certificate.cer>
certutil -urlfetch -verify <Intermediate_certificate.cer>
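To see which distribution points a certificate actually advertises, and whether an HTTP one is present and downloadable from the SEG Server, the following PowerShell sketch can be run alongside the certutil checks. It is an added example, not part of the original article or the product; the function name Test-CrlDistributionPoint is hypothetical, and it assumes Windows renders each distribution point as "URL=<location>" in the formatted extension text.

```powershell
# Added example. Test-CrlDistributionPoint is a hypothetical helper name.
function Test-CrlDistributionPoint {
    param([Parameter(Mandatory = $true)][string]$CertPath)

    $full = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        Write-Warning "No CRL distribution point extension in $full"
        return
    }

    # Assumption: each location appears as "URL=<location>" in the formatted text.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=((?:ldap|https?)://\S+)', 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique

    foreach ($url in $urls) {
        $scheme = ($url -split ':')[0].ToLower()
        if ($scheme -eq 'ldap') {
            # LDAP points are not fetched here; certutil covers them.
            $result = 'LDAP point: confirm with certutil -urlfetch -verify'
        } else {
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
                $result = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
            } catch {
                $result = "FAILED: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Scheme = $scheme; Url = $url; Result = $result }
    }

    # Cross-domain KCD: a SEG that is not on the domain needs an HTTP point.
    if (-not ($urls | Where-Object { $_ -match '^https?://' })) {
        Write-Warning 'No HTTP distribution point found in this certificate.'
    }
}

# Placeholder file name, as in the certutil commands above.
Test-CrlDistributionPoint -CertPath '.\Intermediate_certificate.cer'
```

A certificate that lists only LDAP locations triggers the final warning, which matches the cross-domain scenario where an HTTP distribution point still has to be created.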