Users intermittently get the following message "Revocation information for the security certificate for this site is not available. Do you want to proceed?" They click yes and all is well. It could go 10 times without happening. Anybody find an easy fix for it.
If the message is from a browser, this would mean the end-user machine cannot download the CRL from the CA website. On the SSL certificate itself, there should be a "CRL Distribution Point" which states the URL the browser is trying to reach. What I would recommend is to try accessing the URL directly using the browser to see if you can reach the site. If you cannot reach the URL, you'll need to determine the cause of the issue.
If you are able to access the site and CRL file, most likely I would recommend contacting your CA to see if their CRL server was down. Overall, my recommendation is to disable CRL checking and enable OCSP as this is more reliable. Depending on the browser and who the CA is, this may or may not be an option.
This is a Verisign cert. Does that matter? if so, what do I configure for the OCSP? Will I cause problems by changing the settings?
I see the CRL DP on the cert. Do you think this is a big deal people getting these message? Have you had anybody complain about them. If so, did switching to OCSP fix them?
In most cases, CRL is usually a free service for VeriSign certificate. Depending on the type of certificate (server or client certificate), OCSP is a paid service. You'll want to check with VeriSign to confirm this.
In regards to the message, this could cause potential connection issues depending on how the client is configure. There are (rare) instances, the client will drop the connection if it cannot validity the certificate against the CRL. In the browser market, CRL checking should be disabled, by default, in Internet Explorer 6 and below. Starting with IE7, it should be configured to use OCSP first, then fall back to check CRL. With Firefox, I believe it has always used OCSP validation.
My recommendation would be try and find an user who is having the issue and see if they can grab the crl by manually typing the url in the browser. If the file can be pulled down, then you can rule out any connection issues. However, I would say 99% of time it is a connection issue while 1% is the CRL server from the CA is down.