Hi, I have client certificate authentication enabled when publishing a web site. When a CRL installed on ISA Server (2006, Standard, SP1 with W2003 R2 SP2 Enterprise) expires, the remote clients, when trying to access a published website, get an error #500 that their certificates are revoked. This is quite a common behavior when ISA Server cannot access an up-to-date CRL. The Event Log on ISA Server says:
The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).
Apparently there is a problem with wspsrv.exe: If you don't have a CDP extension included in the ROOT certificate, this causes problems with the way ISA Server calls the CryptoAPI, leading to the "The certificate is revoked" error.
So, it seems that this is a very similar error. I contacted the CA, asking whether it is possible to include a CDP extension in the root certificate. It is not. So, is there a way to fix this problem of ISA Server interaction with CryptoAPI? Thank you!
There's a number of things that can go wrong here.. but I'm assuming that the CDP extensions have been published correctly to the appropriate distribution points.. check which is the primary CDP and whether ISA can qualify the CRL in question.. normally (at least in certificate services based implementations) extensions are not recommended to be published in a root certificate, which follows your statements... do you have pkiview.msc installed on the ISA server.. if so, what does it report concerning the validity of the certs (i.e. with the CDPs)... it's in the Win2k3 support tools btw..
Sorry about the cryptic response.. but it's hard to work out what's not working on the info provided :-)
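A way to see on the ISA host itself which revocation status CryptoAPI returns for a given client certificate, as an added example that is not from the thread: it uses .NET's X509Chain from PowerShell with online revocation checking, which is the same chain build ISA Server relies on. The certificate path is an assumption; export the public part of an affected client certificate and adjust it.

```powershell
# Added example (not from the thread): rebuild the client certificate chain with
# online CRL checking on the ISA host and print the per-element revocation status.
# Assumption: the client certificate (public part) is exported to C:\temp\client.cer.
param([string]$CertPath = "C:\temp\client.cer")

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Show the CDP URLs CryptoAPI will try for this certificate
# (extension OID 2.5.29.31, cRLDistributionPoints).
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq "2.5.29.31") {
        "CDP extension on client cert:`n" + $ext.Format($true)
    }
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = `
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# ExcludeRoot: the root CA is not expected to carry a CDP, so do not demand a CRL for it.
# Switching this to EntireChain shows what happens when the root has no CDP.
$chain.ChainPolicy.RevocationFlag = `
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan(0, 0, 30)

$ok = $chain.Build($cert)
"Chain build succeeded: $ok"

foreach ($element in $chain.ChainElements) {
    "--- " + $element.Certificate.Subject
    foreach ($s in $element.ChainElementStatus) {
        # Revoked                 : the downloaded CRL really lists this serial number
        # RevocationStatusUnknown /
        # OfflineRevocation       : no usable CRL (expired, or the CDP was unreachable),
        #                           which is the situation the ISA event log describes
        "    " + $s.Status + " : " + $s.StatusInformation.Trim()
    }
}
```

Run it under the same network conditions ISA uses (from the ISA host, not from a workstation), since the CRL download in question is the one ISA performs through its own system policy.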