Intranet Cert Signed by Custom Root CA: I'm Seeing "Revocation function was unable to check"

1

Background

I have a set of internal company websites, which need to have TLS certificates. I went through a whole bunch of tutorials, and ended up using OpenSSL to create a self-signed root certificate. I then used this certificate to sign server certificates for the internal websites.

Finally, I manually added the root cert to the Trusted Root stores and Keychains on all of our computers. All seemed to be well. The websites all showed the green padlock. However, I found a problem today.

The Problem

One of the internal sites is an installation of GitHub Enterprise. I tried connecting to it with the GitHub Desktop program, and I got this message:


schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Frankly, I have no idea what to do to fix this. Any help would be appreciated, even if it's just how to bypass the error.

ssl
certificate-authority
github
asked on Server Fault Jun 15, 2018 by Andy Mercer • edited Jun 11, 2020 by Community

1 Answer

0
  1. When a certificate authority issues a certificate to a secure website that certificate typically contains information that allows the client browser to validate that the certificate was not issued in error (or compromised) and subsequently revoked by the certificate authority.
  2. Certificate Authorities (CAs) are required to keep track of the SSL Certificates they revoke. After the Certificate Authority (CA) revokes an SSL Certificate, the CA takes the serial number of the certificate and adds it to their certificate revocation list (CRL). The URL to the Certificate Authority’s certificate revocation list is contained in each SSL Certificate in the CRL Distribution Points field.

Next step (not covered by the error now, but it will appear next)

  1. To check the revocation status of an SSL Certificate, the client connects to the URLs and downloads the CA's CRLs. Then, the client searches through the CRL for the serial number of the certificate to make sure that it hasn't been revoked.

Thus, you must

  • Have "CRL Distribution Points" in all certificates issued by you (see the x509v3_config manual page for details of the extension section format)
  • Fill "CRL Distribution Points" with valid data
  • Have the list in a correct format (understandable by the client's tools)
answered on Server Fault Jun 17, 2018 by Lazy Badger

User contributions licensed under CC BY-SA 3.0