CRL issue

We experienced a strange behaviour: our SCCM OS Deployment stopped working. Retrieving the policies and displaying the offered Task Sequences was no longer possible. It had worked for months and then suddenly stopped.

Let’s first have a look at the smsts.log file:

(screenshot of smsts.log)

As you can see, the IIS server on the site server returned status code 403. That points to a communication issue related to certificates. As a next step, I tried to connect to an https:// page that requires a client certificate, for example https://SITESERVER/CCM_CLIENT/. Make sure you have a Client Authentication certificate in your personal certificate store (the user store, not the computer store), otherwise the connection is not going to work. Even so, I received the following error message:

HTTP 403.13: Your client certificate was revoked, or the revocation status could not be determined.

This looks like either the client certificate is really revoked, or the revocation status couldn’t be determined. In my case I was sure that the certificate was not revoked, so I double-checked if there is an issue with the CRL check. The following command checks if a certificate is valid:

certutil -verify -urlfetch c:\yourcert.cer

where yourcert.cer is a client authentication certificate that you have exported.
I then received the following error message:

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

and when I went through the Certificate CDP part of the output, I saw that all CRLs had expired. You can confirm the problem by opening one of the http:// CRL links from the CDP extension in a browser: in my case the CRL had not been updated and its "Next update" time was already in the past. After manually publishing the CRL on the CA server, the issue disappeared.
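The two checks above (verifying the chain with online revocation checking, then looking at each CRL named in the certificate's CDP extension) can be scripted so the "Next update" comparison is not done by eye. The script below is an added example and is not part of the original post or of any Microsoft tool; it assumes the exported client-authentication certificate sits at C:\yourcert.cer (pass another path via -CertPath) and that certutil.exe is available, and the file name Test-ClientCertCrl.ps1 is a hypothetical one. It uses the .NET X509Chain class, which performs the same online CRL fetch that certutil -verify -urlfetch and IIS do, and then downloads every HTTP CRL from the CDP extension and reads its NextUpdate line from certutil -dump.

```powershell
# Test-ClientCertCrl.ps1 (hypothetical name) - added example, not from the original post.
# 1. Build the certificate chain with online revocation checking (like certutil -verify -urlfetch).
# 2. Download every HTTP CRL listed in the CRL Distribution Points extension and report
#    whether its NextUpdate has already passed, which is the expired-CRL case from the post.
param(
    [string]$CertPath = 'C:\yourcert.cer'   # assumed path; replace with your exported .cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# --- Step 1: chain build with online revocation checking -------------------------------
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)

$chainOk = $chain.Build($cert)
"Chain builds without errors: $chainOk"
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation here corresponds to certutil's
    # "revocation server was offline" (0x80092013) and to the IIS 403.13 response.
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# --- Step 2: fetch each HTTP CRL from the CDP extension and check NextUpdate -------------
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if (-not $cdp) {
    Write-Warning 'Certificate has no CRL Distribution Points extension; nothing to fetch.'
    return
}

# Format($true) renders the extension as text containing lines such as "URL=http://.../CA.crl";
# ldap:// distribution points are skipped because only HTTP ones are fetched here.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }

$web = New-Object System.Net.WebClient
foreach ($url in $urls) {
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        $web.DownloadFile($url, $tmp)

        # certutil -dump prints " ThisUpdate: <date>" and " NextUpdate: <date>" for a CRL;
        # the date text is in the local culture, so [datetime]::Parse uses the same culture.
        $dump  = certutil -dump $tmp
        $match = $dump | Select-String '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
        if (-not $match) { throw 'no NextUpdate line in certutil -dump output' }

        $nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
        $state = if ($nextUpdate -lt (Get-Date)) { 'EXPIRED - republish the CRL on the CA' } else { 'current' }
        "{0}`n  NextUpdate {1:u} -> {2}" -f $url, $nextUpdate, $state
    }
    catch {
        # Unreachable CDP URL or unparsable CRL: clients will also fail the revocation check.
        "{0}`n  download/parse failed: {1}" -f $url, $_.Exception.Message
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

Run it as `.\Test-ClientCertCrl.ps1 -CertPath C:\yourcert.cer` on a machine that can reach the CDP URLs. A chain status of RevocationStatusUnknown or OfflineRevocation together with an EXPIRED line for a CRL is exactly the symptom described above; once the CA has published a fresh CRL, the NextUpdate line moves into the future and the chain builds cleanly again.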