In order to get rid of "Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline" you have to install base/delta CRLs on the client you want to connect to the VPN server...

However, it would seem that I have to frequently install the CRLs from my Certificate Authority server on my clients (every couple of days, not just once) - a task which is rather cumbersome. Is there a way to automate the CRL download/addstore or actually fix this issue (without disabling CRL check)?

Theveloper
    The certificates should contain a CRL Distribution Point that is online and accessible from the clients. Such as `http://crl.yourdomain.com/yourcert.crl`. – Ryan Ries Aug 26 '13 at 16:13

1 Answer

Yeah, you don't put the CRLs on the client, you put them in the CDP that is defined in the certificate.

I suppose it's possible that you wrote a CDP into the cert that was file://c:/local/path/whoops, in which case that's not really what you wanted. You want a publicly-accessible URL, so read up on the docs for your CA and re-issue the certs with a better CDP.

mfinni
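One way to check the CDP the answer refers to, as an added example that is not part of the original question or answer: this script lists the CRL Distribution Point URLs written into a certificate and tests whether each can be fetched from the machine it runs on. It assumes Windows PowerShell, and `$CertPath` is a hypothetical path to the VPN server certificate exported as a `.cer` file.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell.
# $CertPath is a hypothetical path to the exported VPN server certificate.
param([string]$CertPath = '.\vpn-server.cer')

$path = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# 2.5.29.31 is the OID of the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'Certificate has no CRL Distribution Points extension.'
    return
}

# On Windows, Format($true) prints each distribution point as "URL=<value>".
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique

$report = foreach ($url in $urls) {
    $scheme = ($url -split ':', 2)[0].ToLower()
    $status = switch -Regex ($scheme) {
        '^https?$' {
            try {
                # Fetch the CRL exactly as a client would have to.
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                "reachable, HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
            } catch {
                "NOT reachable: $($_.Exception.Message)"
            }
        }
        '^file$' { 'file URL: remote VPN clients normally cannot read this path' }
        default  { "not HTTP ($scheme): only works where clients can reach that service" }
    }
    [pscustomobject]@{ Url = $url; Scheme = $scheme; Status = $status }
}
$report | Format-List

# End-to-end check: let Windows build the chain and retrieve every CRL itself.
certutil.exe -verify -urlfetch $path
```

Run it on a VPN client while the tunnel is down, since that is the network position from which the revocation check has to succeed.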