
Background

I have a set of internal company websites, which need to have TLS certificates. I went through a whole bunch of tutorials, and ended up using OpenSSL to create a self-signed root certificate. I then used this certificate to sign server certificates for the internal websites.

Finally, I manually added the root cert to the Trusted Root stores and Keychains on all of our computers. All seemed to be well. The websites all showed the green padlock. However, I found a problem today.

The Problem

One of the internal sites is an installation of Github Enterprise. I tried connecting to it with the GitHub Desktop program, and I got this message:


schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Frankly, I have no idea what to do to fix this. Any help would be appreciated, even if it's just how to bypass the error.

Kelderic

1 Answer

  1. When a certificate authority issues a certificate to a secure website, that certificate typically contains information that allows the client browser to validate that the certificate was not issued in error (or compromised) and subsequently revoked by the certificate authority.
  2. Certificate Authorities (CAs) are required to keep track of the SSL Certificates they revoke. After the Certificate Authority (CA) revokes an SSL Certificate, the CA takes the serial number of the certificate and adds it to their certificate revocation list (CRL). The URL to the Certificate Authority’s certificate revocation list is contained in each SSL Certificate in the CRL Distribution Points field.

Next step (not covered by the error now, but it will appear next)

  1. To check the revocation status of an SSL Certificate, the client connects to the URLs and downloads the CA's CRLs. Then, the client searches through the CRL for the serial number of the certificate to make sure that it hasn't been revoked.

Thus, you must

  • Have "CRL Distribution Points" in all certificates issued by you (see the x509v3_config manual page for details of the extension section format)
  • Fill "CRL Distribution Points" with valid data
  • Have the list in a correct format (understandable by the client's tools)
Lazy Badger
  • From the research I've been doing, CRLs are in the process of being deprecated in favor of OCSP+Stapling. But in general, I think you are right. The root of my problem is that I'm not handling revocation. – Kelderic Jun 18 '18 at 12:14
  • @AndyMercer - yes, OCSP is a current answer. But - you asked about CRL, I answered *on question* – Lazy Badger Jun 26 '18 at 13:51
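The procedure the answer above describes, worked through end to end as an added example (this is not code from the question, the answer, or GitHub Enterprise): an OpenSSL private CA whose issued certificates carry a CRL Distribution Points extension, the CRL the CA publishes for it, and an `openssl verify -crl_check` run showing what a revocation-checking client sees without the CRL (the same condition the question's schannel error reports), with a current CRL, and after the certificate is revoked. The CA name, the hostname git.example.internal, the URL http://pki.example.internal/ca.crl and the directory layout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed for illustration:
# the CA name, the hostname, the CRL URL and the directory layout.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Assumed URL; the host named here must really serve ca.crl over plain HTTP.
CRL_URL="http://pki.example.internal/ca.crl"
# Config for 'openssl ca' plus extension sections for root and server certs.
write_config() {
    mkdir -p "$WORK/db/certs"
    : > "$WORK/db/index.txt"; echo 1000 > "$WORK/db/serial"; echo 1000 > "$WORK/db/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir              = $WORK
database         = \$dir/db/index.txt
serial           = \$dir/db/serial
crlnumber        = \$dir/db/crlnumber
new_certs_dir    = \$dir/db/certs
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 825
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
# Subjects are passed with -subj; req still expects a distinguished_name section.
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:git.example.internal
authorityKeyIdentifier = keyid:always
# The extension the answer says every issued certificate must carry:
crlDistributionPoints  = URI:$CRL_URL
EOF
}
# (Re)issue the CRL; in production, copy the output to the location in $CRL_URL.
publish_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}
# Self-signed root, then one server certificate issued with server_ext.
build_pki() {
    write_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Internal Root CA" -config "$WORK/ca.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj "/CN=git.example.internal" -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions server_ext \
        -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
    publish_crl
}
# Revoke the server certificate and publish a CRL that lists it.
revoke_server_cert() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/server.crt" 2>/dev/null
    publish_crl
}
# Print the CRL URL embedded in server.crt (empty if the extension is missing).
cdp_of() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        sed -n '/CRL Distribution Points/,/URI:/ s/.*URI://p'
}
# Validate like a revocation-checking client. $1 = CRL file, or "" for a client
# that could not fetch one. Prints OK, REVOKED, or NO_CRL (the condition behind
# the schannel error in the question).
verify_status() {
    out=$(openssl verify -CAfile "$WORK/ca.crt" -crl_check ${1:+-CRLfile "$1"} \
            "$WORK/server.crt" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*)           echo REVOKED ;;
        *"unable to get certificate CRL"*) echo NO_CRL ;;
        *": OK"*)                          echo OK ;;
        *)                                 echo "OTHER: $out" ;;
    esac
}
build_pki
STATUS_NO_CRL=$(verify_status "")
STATUS_FRESH=$(verify_status "$WORK/ca.crl")
revoke_server_cert
STATUS_REVOKED=$(verify_status "$WORK/ca.crl")
printf 'CDP: %s\nno CRL: %s\ncurrent CRL: %s\nafter revoke: %s\n' \
    "$(cdp_of)" "$STATUS_NO_CRL" "$STATUS_FRESH" "$STATUS_REVOKED"
```

Two things to check when applying this to real certificates: the URI in the extension must be reachable over plain HTTP from every client (a CRL served only over HTTPS cannot be fetched without first validating another certificate), and the CRL must be reissued before its nextUpdate passes (default_crl_days above), since an expired CRL is treated like a missing one. The NO_CRL result corresponds to the client side of the question's error: the certificate names a distribution point, or none at all, and the client cannot obtain anything to check against it.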