Question
Tuesday, March 21, 2017 1:37 PM
Hi All,
I have created a Windows 2012 R2 server based SSTP VPN server.
I used a certificate from an internal CA. All client machines also trust this CA via GPO and got a computer cert as well.
All worked fine for past 18 months but now suddenly this error: Error code 0x80092013:
If I create registry to "Disable Revocation Check" they can connect.
Anyone, any suggestions? Can I do this revocation test manually myself via some command, to test if it has some issues, maybe?
Thanks in advance
All replies (4)
Wednesday, March 22, 2017 9:16 AM ✅ Answered
Hi Beadmin,
>> can I do this revocation test manually myself via some command to test if it got some issues..maybe?
Please check link below to check it:
Basic CRL checking with certutil
https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
Or you could post it in the PowerShell forum to get effective support.
Best Regards
John
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, March 24, 2017 10:16 AM | 1 vote
Hi Beadmin,
The command certutil.exe -verify -URLFetch <Certificate exported as file> should be a great help. It will verify the entire validation chain of the certificate and pretty much spell out what is wrong.
Some things to notice here:
1. You may have a root and an issuing CA in the chain. These are processed in turn, so that gives you an indication which CA you have a problem with.
2. You may have multiple CDPs per CA. If all of them for the CA are malfunctioning, probably the CA that should generate the CRL is at fault.
One of the most common (and simple) reasons for this error is that you have a PKI with an offline Root CA, and nobody thought of bringing that CA briefly online to issue a new CRL before the old one expired.
Let us know what you find.
Kind Regards,
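
The per-CA check described in the reply above can also be scripted. This is an added example, not part of the thread: it builds the chain with online revocation checking through the .NET `X509Chain` class and lists the status flags for each chain element, so an `OfflineRevocation` or `RevocationStatusUnknown` flag (the condition behind error 0x80092013, CRYPT_E_REVOCATION_OFFLINE) points at the CA whose CRL needs attention. `$CertPath` and the `CheckCrlOf` column are names chosen for this example.

```powershell
# Added example, not from the thread. $CertPath is a placeholder for the
# VPN server certificate exported to a .cer file.
param([Parameter(Mandatory)][string]$CertPath)

$x509  = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path
$chain = New-Object "$x509.X509Chain"

# Fetch CRLs from the CDPs of every certificate except the self-signed root.
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$null = $chain.Build($cert)

# One row per chain element, leaf first. The revocation status of a
# certificate comes from the CRL published by its issuer, so a revocation
# flag on an element means: inspect the CRL of the CA named in Issuer.
$report = foreach ($el in $chain.ChainElements) {
    $flags      = @($el.ChainElementStatus | ForEach-Object { $_.Status })
    $revProblem = @($flags | Where-Object { $_ -match 'Revo' })
    [pscustomobject]@{
        Subject    = $el.Certificate.Subject
        Issuer     = $el.Certificate.Issuer
        NotAfter   = $el.Certificate.NotAfter
        Status     = if ($flags.Count) { $flags -join ', ' } else { 'OK' }
        CheckCrlOf = if ($revProblem.Count) { $el.Certificate.Issuer } else { $null }
    }
}
$report | Format-List
```

A flag on the issuing CA's own certificate means the CRL in question is the root's, which is the expired offline-root CRL case mentioned in the reply.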
Monday, April 10, 2017 10:19 AM
Hi,
Just want to confirm the current situation.
Please feel free to let us know if you need further assistance.
Best Regards,
John
Tuesday, April 16, 2019 9:39 AM
I had this error in my test lab just recently. In my case it was a simple solution: the offline root CRL had expired and needed refreshing. Some useful information here: https://stealthpuppy.com/resolving-issues-starting-ca-offline-crl/
Mike