Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Revocation information for the security certificate for this site

arnold.siroin_
Occasional Contributor
‎02-02-2011 11:25:AM
‎02-02-2011 11:25:AM

Revocation information for the security certificate for this site

Users intermittently get the following message "Revocation information for the security certificate for this site is not available. Do you want to proceed?" They click yes and all is well. It could go 10 times without happening. Anybody find an easy fix for it.

0 Kudos
4 REPLIES 4
Kita_
Valued Contributor
‎02-02-2011 05:04:PM
‎02-02-2011 05:04:PM

Re: Revocation information for the security certificate for this site

Hello Arnold,

If the message is from a browser, this would mean the end-user machine cannot download the CRL from the CA website. On the SSL certificate itself, there should be a "CRL Distribution Point" which states the URL the browser is trying to reach. What I would recommend is to try accessing the URL directly using the browser to see if you can reach the site. If you cannot reach the URL, you'll need to determine the cause of the issue.

If you are able to access the site and CRL file, most likely I would recommend contacting your CA to see if their CRL server was down. Overall, my recommendation is to disable CRL checking and enable OCSP as this is more reliable. Depending on the browser and who the CA is, this may or may not be an option.

0 Kudos
arnold.siroin_
Occasional Contributor
‎02-03-2011 04:46:AM
‎02-03-2011 04:46:AM

Re: Revocation information for the security certificate for this site

This is a Verisign cert. Does that matter? if so, what do I configure for the OCSP? Will I cause problems by changing the settings?

0 Kudos
arnold.siroin_
Occasional Contributor
‎02-03-2011 04:50:AM
‎02-03-2011 04:50:AM

Re: Revocation information for the security certificate for this site

I see the CRL DP on the cert. Do you think this is a big deal people getting these message? Have you had anybody complain about them. If so, did switching to OCSP fix them?

0 Kudos
Kita_
Valued Contributor
‎02-04-2011 02:02:PM
‎02-04-2011 02:02:PM

Re: Revocation information for the security certificate for this site

Hello Arnold,

In most cases, CRL is usually a free service for VeriSign certificate. Depending on the type of certificate (server or client certificate), OCSP is a paid service. You'll want to check with VeriSign to confirm this.

In regards to the message, this could cause potential connection issues depending on how the client is configure. There are (rare) instances, the client will drop the connection if it cannot validity the certificate against the CRL. In the browser market, CRL checking should be disabled, by default, in Internet Explorer 6 and below. Starting with IE7, it should be configured to use OCSP first, then fall back to check CRL. With Firefox, I believe it has always used OCSP validation.

My recommendation would be try and find an user who is having the issue and see if they can grab the crl by manually typing the url in the browser. If the file can be pulled down, then you can rule out any connection issues. However, I would say 99% of time it is a connection issue while 1% is the CRL server from the CA is down.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.