Hello Arnold, In most cases, CRL is usually a free service for VeriSign certificate. Depending on the type of certificate (server or client certificate), OCSP is a paid service. You'll want to check with VeriSign to confirm this. In regards to the message, this could cause potential connection issues depending on how the client is configure. There are (rare) instances, the client will drop the connection if it cannot validity the certificate against the CRL. In the browser market, CRL checking should be disabled, by default, in Internet Explorer 6 and below. Starting with IE7, it should be configured to use OCSP first, then fall back to check CRL. With Firefox, I believe it has always used OCSP validation. My recommendation would be try and find an user who is having the issue and see if they can grab the crl by manually typing the url in the browser. If the file can be pulled down, then you can rule out any connection issues. However, I would say 99% of time it is a connection issue while 1% is the CRL server from the CA is down.
... View more