Tuesday, 30 June 2015

CRL checking with certutil


You have a server with a valid certificate installed. The Root CA is installed correctly. However, you get an error stating that the certificate is invalid. Applications that rely on the certificate may not work correctly.


Try these commands from an Elevated Command Prompt on the server having the issue:

certutil -f -urlfetch -verify [FilenameOfCertificate]

e.g. certutil -f -urlfetch -verify mycertificatefile.cer

Here mycertificatefile.cer is an export of the certificate experiencing the issue.

After it runs it should say:

Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

If it fails with an error, try the commands below to see if the CRLs are reachable:

certutil -URL


certutil -URL [URLOfCRLToBeChecked]

This command shows the previously downloaded and cached CRLs:

certutil -urlcache CRL

If your server cannot reach the CRLs, it could be due to proxy configuration. Check the configuration with the following command:

netsh winhttp show proxy

The output should be:

Current WinHTTP proxy settings:
Direct access (no proxy server).
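
The steps above combined into one PowerShell script, as an added example that is not part of the original post. The parameter name, the default file name and the HTTP reachability test with Invoke-WebRequest are assumptions; Invoke-WebRequest uses the calling user's proxy settings rather than the WinHTTP proxy that netsh reports, so a URL that is reachable here can still fail for a service that relies on WinHTTP.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
param(
    [string]$CertPath = '.\mycertificatefile.cer'   # assumed export of the failing certificate
)

if (-not (Test-Path -LiteralPath $CertPath)) { throw "Certificate file not found: $CertPath" }

# Step 1: verify the chain and revocation status, forcing fresh URL retrieval.
$verify = & certutil.exe -f -urlfetch -verify $CertPath 2>&1
# The success text is the English string quoted in the post; localized systems differ.
$passed = [bool]($verify -match 'Leaf certificate revocation check passed')

if ($passed) {
    Write-Output 'Revocation check passed.'
    return
}

Write-Output 'Revocation check did not pass. certutil output:'
$verify | Write-Output

# Step 2: read the CRL Distribution Point extension (OID 2.5.29.31) from the certificate.
$full = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}
if (-not $urls) { Write-Output 'No CRL distribution point URLs found in the certificate.' }

# Step 3: try each HTTP(S) CRL URL. LDAP and file URLs are listed but not fetched.
foreach ($url in $urls) {
    if ($url -notmatch '^https?://') { Write-Output "SKIPPED   $url"; continue }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Output ("REACHABLE {0} (HTTP {1}, {2} bytes)" -f $url, $r.StatusCode, $r.RawContentLength)
    } catch {
        Write-Output ("FAILED    {0} : {1}" -f $url, $_.Exception.Message)
    }
}

# Step 4: show the cached CRLs and the WinHTTP proxy configuration.
& certutil.exe -urlcache CRL
& netsh.exe winhttp show proxy
```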

