KCD: The revocation function was unable to check revocation because the revocation server was offline

Error/Symptom

The error "The revocation function was unable to check revocation because the revocation server was offline" is observed in the CAPI2 event log on the SEG server, in both same-domain and cross-domain KCD configurations.

Cause

This error occurs when the SEG server cannot access the Certificate Revocation List (CRL) referenced by the certificate being validated.

Resolution

To check whether the SEG server can access the CRL associated with the certificate, perform either of the checks below.

1. Open the Certificate Revocation List URL in a browser. The image below shows where the CRL URL is listed in the certificate details.

[Image: certificate details showing the CRL distribution point URL]

When you open the CRL URL in a browser, it should download a file. This confirms that the CRL and the server hosting it are reachable.

For same-domain KCD deployments, the SEG server needs access to the LDAP CRL distribution point (reachable over port 389).

The CRL URL looks similar to the following.

URL=ldap:///CN=DC1-CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services

For cross-domain KCD deployments, the SEG server needs access to the HTTP CRL distribution point (reachable over port 80).

The CRL URL looks similar to the following.

URL=http://testca/CertEnroll/gdig2s1-15.crl

2. A certificate issued by a certificate authority may have multiple levels in its chain: a root certificate with one or more intermediate certificates. Check that every CRL in the chain is accessible with the certutil commands below.

certutil -urlfetch -verify caroot.cer

certutil -urlfetch -verify cainter.cer

The output lists each distribution point associated with the certificate and shows whether the CRL could be retrieved from it.
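The two checks above, combined into a single script as an added example that is not part of the original article: it reads the CRL Distribution Points extension from an exported .cer file, then for each URL tests TCP reachability on the port named above and, for HTTP distribution points, downloads the CRL. The certificate path, the temporary file name and the use of $env:USERDNSDOMAIN as the directory host for ldap:/// distribution points are assumptions.

```powershell
# Added example, not from the original article: enumerate every CRL distribution
# point in a certificate and check that this host (the SEG server) can reach it.
# Assumed: the certificate path below and a domain-joined host for ldap:/// CDPs.
param(
    [string]$CertPath = 'C:\temp\cainter.cer'   # assumed path; point it at caroot.cer or cainter.cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL Distribution Points extension in $CertPath"
    return
}

# Format($true) renders the extension as the same 'URL=...' text certutil prints.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    $uri = [uri]$url
    switch ($uri.Scheme) {
        'http' {
            # Cross-domain KCD path: HTTP distribution point, normally port 80.
            $tcpOk = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
            if ($tcpOk) {
                try {
                    $tmp = Join-Path $env:TEMP 'crlcheck.crl'   # assumed scratch file
                    Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
                    Write-Output "OK   $url ($((Get-Item $tmp).Length) bytes downloaded)"
                } catch {
                    Write-Warning "HTTP fetch failed for $url : $($_.Exception.Message)"
                }
            } else {
                Write-Warning "TCP $($uri.Host):$($uri.Port) unreachable for $url"
            }
        }
        'ldap' {
            # Same-domain KCD path: ldap:/// carries no host, so the CRL is read from a
            # domain controller on port 389. Assumed: $env:USERDNSDOMAIN resolves to a DC.
            $ldapHost = if ($uri.Host) { $uri.Host } else { $env:USERDNSDOMAIN }
            $tcpOk = Test-NetConnection -ComputerName $ldapHost -Port 389 -InformationLevel Quiet
            $status = if ($tcpOk) { 'OK  ' } else { 'FAIL' }
            Write-Output "$status $url (LDAP ${ldapHost}:389)"
        }
        default {
            Write-Warning "Unsupported distribution point scheme '$($uri.Scheme)' in $url"
        }
    }
}
```

Run the script on the SEG server itself, since the point is to test that server's own path to each distribution point; a FAIL line for an LDAP or HTTP entry corresponds to the "revocation server was offline" error and can be compared against the certutil -urlfetch -verify output for the same certificate.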
