SSL – Intranet Cert Signed by Custom Root CA: I’m Seeing “Revocation function was unable to check”

certificate-authority, github, ssl

Background

I have a set of internal company websites, which need to have TLS certificates. I went through a whole bunch of tutorials, and ended up using OpenSSL to create a self-signed root certificate. I then used this certificate to sign server certificates for the internal websites.

Finally, I manually added the root cert to the Trusted Root stores and Keychains on all of our computers. All seemed to be well. The websites all showed the green padlock. However, I found a problem today.

The Problem

One of the internal sites is an installation of Github Enterprise. I tried connecting to it with the GitHub Desktop program, and I got this message:


schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate.

Frankly, I have no idea what to do to fix this. Any help would be appreciated, even if it's just how to bypass the error.

Best Answer

  1. When a certificate authority issues a certificate to a secure website, that certificate typically contains information that allows the client browser to validate that the certificate was not issued in error (or compromised) and subsequently revoked by the certificate authority.
  2. Certificate Authorities (CAs) are required to keep track of the SSL Certificates they revoke. After the Certificate Authority (CA) revokes an SSL Certificate, the CA takes the serial number of the certificate and adds it to their certificate revocation list (CRL). The URL to the Certificate Authority’s certificate revocation list is contained in each SSL Certificate in the CRL Distribution Points field.

Next step (not covered by the current error, but it will appear next)

  1. To check the revocation status of an SSL Certificate, the client connects to the URLs and downloads the CA's CRLs. Then, the client searches through the CRL for the serial number of the certificate to make sure that it hasn't been revoked.

Thus, you must

  • Have "CRL Distribution Points" in all issued by you certificates (see the x509v3_config manual page for details of the # extension section format)
  • Fill "CRL Distribution Points" with valid data
  • Have list in correct (understandable by client's tools) format
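An added example (not part of the question or the answer) of what those three points look like with the OpenSSL tooling the asker used: a throwaway root CA issues a server certificate that carries a CRL Distribution Point, the CA publishes a CRL, and a client-style check with `openssl verify -crl_check` accepts the certificate until it is revoked. The hostnames, the CDP URL and the config file are assumptions, and the CRL must really be served at that URL for clients to fetch it.

```shell
#!/bin/sh
# Constructed demo: root CA -> server cert carrying a CRL Distribution Point ->
# CRL published by the CA -> client-side revocation check with openssl verify.
set -eu
WORK=$(mktemp -d)
CDP_URL="http://pki.example.internal/root.crl"   # placeholder URL; clients must be able to fetch it

# One config file serving 'openssl req', 'openssl ca' and the server certificate extensions.
cat > "$WORK/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:git.example.internal
crlDistributionPoints = URI:$CDP_URL
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = $WORK
database = \$dir/index.txt
crlnumber = \$dir/crlnumber
certificate = \$dir/root.crt
private_key = \$dir/root.key
default_md = sha256
default_crl_days = 30
EOF
touch "$WORK/index.txt"; echo 1000 > "$WORK/crlnumber"

# Self-signed root and a server certificate issued by it (keys left unencrypted for the demo).
openssl req -config "$WORK/pki.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Internal Root" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=git.example.internal" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 365 -sha256 -extfile "$WORK/pki.cnf" -extensions server_ext -out "$WORK/server.crt" 2>/dev/null

cert_has_cdp()    { openssl x509 -in "$1" -noout -text | grep -q "URI:$CDP_URL"; }
gen_crl()         { openssl ca -config "$WORK/pki.cnf" -gencrl -out "$WORK/root.crl" 2>/dev/null; }
revoke_cert()     { openssl ca -config "$WORK/pki.cnf" -revoke "$1" 2>/dev/null; }
# What a client does after fetching the CRL from the CDP: validate the chain and consult the CRL.
verify_with_crl() { openssl verify -crl_check -CAfile "$WORK/root.crt" -CRLfile "$WORK/root.crl" "$1" >/dev/null 2>&1; }

cert_has_cdp "$WORK/server.crt" && echo "server.crt carries CRL Distribution Point $CDP_URL"
gen_crl
verify_with_crl "$WORK/server.crt" && echo "before revocation: server.crt OK"
revoke_cert "$WORK/server.crt"
gen_crl                                  # re-issue the CRL so it lists the revoked serial
verify_with_crl "$WORK/server.crt" || echo "after revocation: server.crt rejected (listed in CRL)"
```

On Windows, schannel/CryptoAPI reads the CDP URL from the certificate and downloads the CRL itself, which is the step the `openssl verify` call stands in for here.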