Verify the Certificate Revocation List Availability
- Updated on 20 Nov 2023
Overview
Each machine involved in the PKI authentication process checks two Certificate Revocation List (CRL) files for the end-user certificate chain (the CRL of the issuing CA and the CRL of the root CA). This check occurs both on the machine from which the session is opened and on the Domain Controller that authenticates the user.
In a default Axiad ID Cloud deployment, the CRLs are published on the Internet.
End-user machines usually have Internet access. However, some servers (for example, a remote desktop session host), and particularly Domain Controllers, may not. For these machines there are generally two options:
- Set an exception to allow the server to download the CRL files from your Axiad domain: crl.<instance>.cloud.axiadids.net
- Ensure the file is available internally, either through the site-to-site VPN with Axiad or by hosting the file on an internal web server accessible by each machine.
If allow-listing is required, the two domains to allow are:
- crl.<instance>.cloud.axiadids.net
- aia.<instance>.cloud.axiadids.net
Verification of Availability
There are two ways to verify, from a given machine, that the CRL files can be downloaded.
To Verify Using a Browser
The browser must download the CRL file; if it does not, the check fails. Use the error message shown by the browser to determine what went wrong.
- Open any browser and navigate to the full URL, including the file name.
URLs are found in the end-user certificate and in the issuing CA certificate (CRL Distribution Points field):
- http://crl.<instance>.cloud.axiadids.net/<CUST>_Cloud_PKI_Issuing_CA_Users.crl
- http://crl.<instance>.cloud.axiadids.net/<CUST>_Cloud_PKI_Root_CA.crl
To Verify Using a Command
The second option is to run a command that opens the URL Retrieval Tool, which automatically tests the retrieval of the CRL files (root CA CRL and issuing CA CRL) and reports an easy-to-check status. You run the command once per certificate.
- Run the following command:
certutil -URL <certificate.crt>
- In the pop-up, select CRLs (from CDP).
- Click Retrieve.
The tool reads the CDP URL from the certificate itself and provides a status of Verified or Failed.
- Repeat the command for the second certificate, so that the tool is run once against each of the two certificates.
Failed Retrieval
A failed retrieval is most likely due to network settings (firewall or proxy): the attempt times out, or the domain name does not resolve.
For troubleshooting purposes, the same check can be run with additional parameters so that the details are displayed in the console or saved to a text file.
Output is displayed in the console:
certutil -f -urlfetch -verify mycertificatefile.cer
Output is saved in a file:
certutil -f -urlfetch -verify mycertificatefile.cer > C:\temp\troubleshooting.txt
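The following PowerShell script is an added example, not part of Axiad's documentation or tooling. It automates the checks described above for a whole certificate at once: it reads the CRL Distribution Points and Authority Information Access URLs from a certificate file, attempts to download each one with a bounded timeout, and reports Verified or Failed together with the likely cause (name resolution, timeout/blocked path, or a non-CRL response such as a proxy block page). It assumes a Windows host with certutil.exe on the path; the certificate path C:\temp\user.cer is a placeholder.

```powershell
# Added example (not Axiad's own tooling): extract the CDP and AIA URLs from a
# certificate, try to download each one, and classify any failure the way the
# troubleshooting section describes (name resolution vs. timeout vs. bad content).
# Assumes a Windows host with certutil.exe; the certificate path is a placeholder.

function Get-CertificateFetchUrls {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $urls = @()
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
            # Format($true) renders the extension as text containing "URL=http://..." entries
            $text = $ext.Format($true)
            foreach ($m in [regex]::Matches($text, 'URL=(http[^\s,]+)')) {
                $urls += [pscustomobject]@{
                    Extension = $ext.Oid.FriendlyName
                    Url       = $m.Groups[1].Value
                }
            }
        }
    }
    return $urls
}

function Test-CrlUrl {
    param([Parameter(Mandatory)][string]$Url, [int]$TimeoutSec = 10)
    $uri    = [uri]$Url
    $result = [ordered]@{ Url = $Url; Status = 'Failed'; Detail = '' }

    # Step 1: does the host name resolve? A miss here points at DNS or an allow-list gap.
    try { [void][System.Net.Dns]::GetHostEntry($uri.Host) }
    catch {
        $result.Detail = "DNS resolution failed for $($uri.Host)"
        return [pscustomobject]$result
    }

    # Step 2: download with a bounded timeout so a blocked path does not hang the check.
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetFileName($uri.AbsolutePath))
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec $TimeoutSec | Out-Null
    } catch {
        $result.Detail = "Download failed (timeout or blocked by firewall/proxy): $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 3: confirm the body is a parseable CRL/certificate, not an HTML block page from a proxy.
    $null = & certutil.exe -dump $tmp 2>&1
    if ($LASTEXITCODE -eq 0) {
        $result.Status = 'Verified'
        $result.Detail = "Saved to $tmp"
    } else {
        $result.Detail = 'Downloaded file is not a valid CRL/certificate (check for proxy interception)'
    }
    return [pscustomobject]$result
}

# Usage: run once against the end-user certificate and once against the issuing CA
# certificate. 'C:\temp\user.cer' is a placeholder path.
Get-CertificateFetchUrls -CertPath 'C:\temp\user.cer' |
    ForEach-Object { Test-CrlUrl -Url $_.Url } |
    Format-Table -AutoSize
```

Run it on the machine whose CRL access is in doubt (the session host or the Domain Controller), not on an administrator workstation, since the firewall and proxy rules that cause failures are specific to the machine performing the check. A Failed row whose Detail mentions DNS resolution indicates that crl.<instance>.cloud.axiadids.net or aia.<instance>.cloud.axiadids.net is not resolvable from that host, while a download failure with a valid name usually means the outbound HTTP path is blocked.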