Background
You have a server with a valid certificate installed. The Root CA is installed correctly. However, you get an error stating that the certificate is invalid. Applications that rely on the certificate may not work correctly.
Resolution
Try these commands from an Elevated Command Prompt on the server having the issue:
certutil -f -urlfetch -verify [FilenameOfCertificate]
For example, where mycertificatefile.cer is an export of the certificate experiencing the issue:
certutil -f -urlfetch -verify mycertificatefile.cer
After it runs it should say:
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
If it fails with an error, try the commands below to see if the CRLs are reachable:
certutil -URL [URLOfCRLToBeChecked]
This command shows the previously downloaded and cached CRLs:
certutil -urlcache CRL
If your server cannot reach the CRLs, it could be due to proxy configuration. Check the config with the following command:
netsh winhttp show proxy
The output should be:
Current WinHTTP proxy settings:
Direct access (no proxy server).
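
The checks above can be collected into one pass. The following PowerShell script is an added example, not part of the original article: it runs the same certutil and netsh commands, reads the CRL Distribution Point URLs out of the exported certificate, and tries to download each one. The -CertPath parameter name is hypothetical, and the string matches assume English-language command output.

```powershell
# Added example: run from an elevated PowerShell prompt on the affected server.
param([Parameter(Mandatory = $true)][string]$CertPath)  # hypothetical parameter: exported .cer file

$path = (Resolve-Path -LiteralPath $CertPath).Path

# Step 1: chain and revocation check with fresh URL retrieval (command from the article).
$verifyOut  = & certutil.exe -f -urlfetch -verify $path 2>&1 | Out-String
$verifyExit = $LASTEXITCODE
$leafPassed = $verifyOut -match 'Leaf certificate revocation check passed'

# Step 2: read the HTTP CRL Distribution Point URLs (extension OID 2.5.29.31) from the certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = @()
if ($cdp) {
    $crlUrls = @([regex]::Matches($cdp.Format($true), 'URL=(https?://[^\s\)]+)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique)
}

# Step 3: try to download each CRL. This request runs as the current user, so the
# result can differ from what a service account sees on the same server.
$reach = foreach ($u in $crlUrls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $u; Reachable = $true; Detail = "HTTP $($r.StatusCode)" }
    } catch {
        [pscustomobject]@{ Url = $u; Reachable = $false; Detail = $_.Exception.Message }
    }
}

# Step 4: WinHTTP proxy configuration (command from the article).
$proxyOut = & netsh.exe winhttp show proxy | Out-String
$direct   = $proxyOut -match 'Direct access'

# Summary object, followed by the per-URL results.
[pscustomobject]@{
    CertUtilExitCode     = $verifyExit
    LeafRevocationPassed = $leafPassed
    CrlUrlCount          = $crlUrls.Count
    WinHttpDirectAccess  = $direct
}
$reach | Format-Table -AutoSize -Wrap

# On failure, show the raw outputs so the failing step is visible.
if (-not $leafPassed) {
    Write-Warning 'Leaf revocation check did not pass. certutil and netsh output follows.'
    $verifyOut
    $proxyOut
}
```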