IIS 8.5 error 403.13 (-2146885613) while CRL disabled
I have a Webservice written in WFC running on IIS 8.5 (W2012R2 fully patched) as a connector to italian SDICOOP used for einvoices send/receive using certificate authentication.
Provider required CRL disabled (they did ldap:// path's certificate for central store hihi) and Negotiate Client Certificate enabled flags and i applied them both on 0.0.0.0:443 certificate binding using netsh commands.
C:\Windows\system32>netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
They supplied a test platform with several tests (about 10) to pass from connectivity to operational then from January we are on production.
Since then i noticed an error 403.13 (-2146885613) on IIS when we receive an einvoice. Troubleshooting the following says
certutil -error -2146885613
0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) -- 2148081683 (-2146885613)
Error message text: The revocation function was unable to check revocation because the revocation server was offline.
We daily miss every received invoice but succefully send our invoice to customers with the same certificate.
Months ago I followed this guide https://blogs.msdn.microsoft.com/kaushal/2012/10/15/disable-client-certificate-revocation-crl-check-on-iis/ .Now I checked on the web for hours trying to find out something more. Is this enought or not to have CRL check disabled on my web service?
user37104680 Answers
Nobody has answered this question yet.
User contributions licensed under CC BY-SA 3.0