certutil 403 errors when verifying SSL certificate with certutil

Question

I'm using certutil to debug certificate issues.

On all of our servers except one I can use the following command to succesfully check any certificate:

certutil.exe -f -urlfetch -verifiy certificatefilename.cert

On one of our servers this command fails (for any certificate) with errors like the following:

 ----------------  Certificate AIA  ----------------
 Failed "AIA" Time: 0
   Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS
FORBIDDEN)
   http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt

 ----------------  Certificate CDP  ----------------
 Failed "CDP" Time: 0
   Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS
FORBIDDEN)
   http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl

 ----------------  Certificate OCSP  ----------------
 Failed "OCSP" Time: 0
   Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS
FORBIDDEN)
   http://ocsp.comodoca.com

Strangely enough when I access these URLs via a browser (on the same server) the files are downloaded without issue (for example the following certificate revocation list can be downloaded without any problem: http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl)

I've checked the following:

• IP settings are comparable on all servers
• proxy settings are the same on al servers
• I'm logged in with the same user account on both servers
• it happens on both elevated and non-elevated command prompts

What could be causing the 403 errors?

Answer 1

You should also check system proxy by using command

netsh winhttp show proxy

certutil doesn't use IE proxy so maybe this will be the difference.