Verify the Certificate Revocation List Availability
  • 20 Nov 2023

Overview

Each machine involved in the PKI authentication process checks one Certificate Revocation List (CRL) per certificate in the end-user certificate chain: the issuing CA's CRL (which covers the end-user certificate) and the root CA's CRL (which covers the issuing CA certificate). This check runs both on the machine from which the session is opened and on the Domain Controller that authenticates the user.

In a default Axiad ID Cloud deployment, the CRLs are available on the Internet.

End-user machines usually have Internet access. However, some servers (for example Remote Desktop session hosts), and in particular Domain Controllers, may not. For these machines there are generally two options:

  1. Add a firewall/proxy exception so the server can download the CRL files from your Axiad domain: crl.<instance>.cloud.axiadids.net
  2. Make the files available internally, either over the site-to-site VPN with Axiad or by hosting copies on an internal web server reachable by every machine that performs the check. Note that the CRL Distribution Point URL embedded in the certificates still names the Axiad host, so an internal mirror must answer under that name (for example through internal DNS) and must be refreshed before each published CRL's NextUpdate time passes; an expired CRL fails the revocation check just as a missing one does.

If allow-listing is required, the two domains to allow are the CRL host and the Authority Information Access (AIA) host referenced by the certificates:

  • crl.<instance>.cloud.axiadids.net
  • aia.<instance>.cloud.axiadids.net

Verification of Availability

There are two ways to verify that the CRL files can be downloaded from a given machine.

To Verify Using a Browser

The browser must actually download the CRL file; if it does not, the error message it shows indicates what went wrong (name resolution, proxy, or firewall).

  1. Open any browser and navigate to the full URL, including the file name.
    The URLs are found in the CRL Distribution Points field of the end-user certificate and of the issuing CA certificate, respectively:
    • http://crl.<instance>.cloud.axiadids.net/<CUST>_Cloud_PKI_Issuing_CA_Users.crl
    • http://crl.<instance>.cloud.axiadids.net/<CUST>_Cloud_PKI_Root_CA.crl

To Verify Using a Command

The second option is to run a command that opens the URL Retrieval Tool, which tests retrieval of the CRL referenced by a certificate (the issuing CA CRL from the end-user certificate, the root CA CRL from the issuing CA certificate) and reports an easy-to-read status. Run the command once for each of the two certificates.

NOTE
You must have the end-user certificate and the issuing CA certificate available as files on the local drive.
  1. Run the following command:
    certutil -URL <certificate.crt>
  2. In the pop-up, select CRLs (from CDP).
  3. Click Retrieve.
    The tool reads the CDP URL from the certificate itself and reports a status of Verified or Failed.
  4. Repeat steps 1 to 3 with the other certificate, so that both the issuing CA CRL and the root CA CRL are tested.

Failed Retrieval

A failed retrieval is most likely due to network settings (firewall or proxy): the attempt times out, or the domain name does not resolve.

For troubleshooting, run certutil in verify mode with URL fetching. It builds the chain, attempts every CDP and AIA retrieval along the way, and lists the outcome of each, either in the console or redirected to a text file.

Output displays in the console:

certutil -f -urlfetch -verify mycertificatefile.cer

Output is saved in a file:

certutil -f -urlfetch -verify mycertificatefile.cer > C:\temp\troubleshooting.txt
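The following PowerShell script is an added example, not code from the Axiad article, that automates the checks described under "To Verify Using a Command" and "Failed Retrieval": it reads the CDP URLs out of each certificate, attempts each download, classifies a failure as DNS, network/proxy, HTTP or stale CRL, and appends the certutil -f -urlfetch -verify output for each certificate to a report file. The certificate paths and the report path are assumed placeholders; everything else it uses is built into Windows (the .NET X509 classes, Resolve-DnsName, Invoke-WebRequest and certutil).

```powershell
# Added example, not code from the Axiad article. Paths below are assumed placeholders:
# export the end-user certificate and the issuing CA certificate to these files first.
param(
    [string[]]$CertificatePaths = @('C:\temp\enduser.cer', 'C:\temp\issuing_ca.cer'),
    [string]$ReportPath = 'C:\temp\troubleshooting.txt'
)

# Read the HTTP URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
# Format($true) renders the extension as text with one "URL=http://..." entry per distribution point.
function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(http[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}

# Fetch one CRL the way the URL Retrieval Tool does, and say why it failed if it failed.
function Test-CrlUrl {
    param([string]$Url)
    $hostName = ([uri]$Url).Host
    try {
        $null = Resolve-DnsName -Name $hostName -ErrorAction Stop
    } catch {
        # Name does not resolve: no internal DNS entry for the Axiad host, or no external resolution at all.
        return [pscustomobject]@{ Url = $Url; Status = 'Failed'; Reason = "DNS: cannot resolve $hostName" }
    }
    $file = Join-Path $env:TEMP ([IO.Path]::GetFileName(([uri]$Url).AbsolutePath))
    try {
        Invoke-WebRequest -Uri $Url -OutFile $file -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
    } catch {
        # Firewall or proxy blocks show up here as a timeout or as an HTTP 403/407 from the proxy.
        return [pscustomobject]@{ Url = $Url; Status = 'Failed'; Reason = "Download: $($_.Exception.Message)" }
    }
    # A CRL that downloads but is past its NextUpdate is rejected just like one that cannot be fetched.
    $dump = (& certutil -dump $file 2>&1) -join "`n"
    if ($dump -match 'NextUpdate:\s*(.+)') {
        $nextUpdate = Get-Date
        if ([datetime]::TryParse($Matches[1].Trim(), [ref]$nextUpdate) -and $nextUpdate -lt (Get-Date)) {
            return [pscustomobject]@{ Url = $Url; Status = 'Failed'; Reason = "Stale CRL: NextUpdate $nextUpdate has passed" }
        }
    }
    [pscustomobject]@{ Url = $Url; Status = 'Verified'; Reason = "Downloaded $((Get-Item $file).Length) bytes" }
}

# One result row per CDP URL per certificate (issuing CA CRL for the end-user cert, root CA CRL for the issuing CA cert).
$results = foreach ($path in $CertificatePaths) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    foreach ($url in Get-CrlDistributionPoints -Certificate $cert) {
        Test-CrlUrl -Url $url |
            Add-Member -NotePropertyName Certificate -NotePropertyValue $cert.Subject -PassThru
    }
}
$results | Format-Table Certificate, Status, Url, Reason -AutoSize

# Capture the same diagnostic the article recommends for failures, appended per certificate.
foreach ($path in $CertificatePaths) {
    "==== certutil -f -urlfetch -verify $path ====" | Out-File -FilePath $ReportPath -Append
    & certutil -f -urlfetch -verify $path 2>&1 | Out-File -FilePath $ReportPath -Append
}

# Non-zero exit code makes the script usable from a scheduled task or a deployment pipeline.
if (@($results | Where-Object { $_.Status -eq 'Failed' }).Count -gt 0) { exit 1 }
```

Run it on every machine that performs the check, and above all on the Domain Controllers, since that is where a missing CRL turns into a failed logon. One caveat: Invoke-WebRequest and certutil both run in the current user's context and use that user's proxy settings, whereas the chain building done for the logon itself runs as the system and honours the machine-wide WinHTTP proxy (netsh winhttp show proxy). A passing run from an interactive session is therefore necessary but not sufficient; if the DC sits behind a proxy, check that the WinHTTP proxy configuration allows the crl and aia hosts as well.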
