OCSP / CRL Distribution Point Unreachable — Certificate Validation Failures
Applications, browsers, or Windows machines fail to validate certificates because OCSP responders or CRL distribution points (CDPs) are unreachable. Symptoms range from slow TLS handshakes (30-60s OCSP timeout) to hard failures in strict-mode applications and Windows Schannel errors.
Indicators
- Browser: 'Unable to check certificate revocation' or slow HTTPS page loads (30-60s delay)
- Windows Event ID 82 / CAPI2 errors: 'Failed to retrieve certificate revocation list'
- IIS/Exchange: TLS handshake failures with internal clients when revocation checking is enabled
- openssl s_client shows OCSP response timeout
- Application logs: CertVerifyCertificateChainPolicy failed with 0x800B010C (CERT_E_REVOCATION_FAILURE)
Likely causes
- CDP/OCSP URL in certificate points to internal hostname unreachable from DMZ or internet
- Firewall blocking outbound HTTP (port 80) to OCSP/CRL endpoints
- CA server or CRL hosting web server offline or overloaded
- CRL publication failed on CA — CRL has expired and no new CRL published
- DNS resolution failure for OCSP/CRL hostname
Diagnostic steps
- Extract CDP/OCSP URLs from the cert: certutil -url <cert.cer> (Windows) or openssl x509 -in cert.pem -noout -text | grep -A2 'CRL\|OCSP'
- Test reachability of each URL from the affected host: Invoke-WebRequest <crl_url> -UseBasicParsing (PowerShell) or curl -I <ocsp_url>
- Check CRL validity period: certutil -verify <cert.cer> — look for 'CRL Expiration Date' and whether it has already expired
- On the CA server: certutil -CRL — manually publish a new CRL; verify CRL files exist in the CDP web share
- Windows CAPI2 logging: Event Viewer > Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational — filter for Event ID 82
- Check proxy/firewall rules: internal OCSP/CRL requests to external URLs typically use port 80 HTTP — ensure outbound HTTP is not blocked for certificate checking
Resolution path
- Immediate: add a firewall rule allowing outbound HTTP (port 80) and HTTPS (port 443) from the affected segment to the CDP/OCSP hosts
- If CRL expired: certutil -CRL on issuing CA, push CRL to all distribution points immediately
- For internal-only CDPs on internet-facing certs: reissue the cert with a publicly accessible CDP (Azure Blob, S3, or CDN-hosted CRL)
- Enable OCSP stapling on web servers to eliminate per-client OCSP round-trips
- Configure Windows Group Policy to skip revocation checking for specific scenarios if an immediate fix is needed (document this as a temporary workaround)
Prevention
- Monitor CRL validity expiry and alert at 50% of validity period (not just near expiry)
- Host CRL/OCSP endpoints on highly-available infrastructure — a CA outage should not block authentication
- For internet-facing certs: ensure CDP URLs resolve from the public internet, not just internal DNS
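The monitoring rule above (alert at 50% of the CRL validity period, not just near expiry) is easy to get wrong if a check only looks at nextUpdate. The following added example, not part of the original runbook, implements it: it parses the lastUpdate/nextUpdate lines printed by openssl crl -noout -lastupdate -nextupdate, computes how much of the validity window has elapsed, and reports OK, ALERT (past the 50% mark) or EXPIRED (the "CRL has expired and no new CRL published" failure from the causes list). The sample CRL dates and the evaluation timestamps are constructed.

```python
"""Flag a CRL whose validity period is more than half used up, or already expired.

Added example. Input is the output of
`openssl crl -in issuing.crl -noout -lastupdate -nextupdate`.
"""
from datetime import datetime, timezone

# Constructed sample of the openssl crl output for a CRL valid for 7 days.
SAMPLE_CRL_DATES = """\
lastUpdate=Mar  3 09:00:00 2024 GMT
nextUpdate=Mar 10 09:00:00 2024 GMT
"""

# Alert once this fraction of the validity window has elapsed (the runbook's 50% rule).
ALERT_FRACTION = 0.5


def parse_openssl_time(value):
    """Parse OpenSSL's 'Mar  3 09:00:00 2024 GMT' form into an aware UTC datetime."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_crl_dates(text):
    """Return (this_update, next_update) from lastUpdate=/nextUpdate= lines."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return parse_openssl_time(fields["lastUpdate"]), parse_openssl_time(fields["nextUpdate"])


def crl_status(this_update, next_update, now):
    """Return (status, fraction_elapsed, seconds_remaining) for the CRL at time `now`."""
    validity = (next_update - this_update).total_seconds()
    if validity <= 0:
        raise ValueError("nextUpdate is not after lastUpdate; CRL is malformed")
    fraction = (now - this_update).total_seconds() / validity
    remaining = (next_update - now).total_seconds()
    if remaining <= 0:
        return "EXPIRED", fraction, remaining  # clients will hard-fail or time out
    if fraction >= ALERT_FRACTION:
        return "ALERT", fraction, remaining    # the CA should have republished by now
    return "OK", fraction, remaining


def check_crl_text(text, now_utc=None):
    """Evaluate openssl crl output; `now_utc` is an ISO 'YYYY-MM-DDTHH:MM:SSZ' string or None for now."""
    this_update, next_update = parse_crl_dates(text)
    if now_utc is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return crl_status(this_update, next_update, now)


if __name__ == "__main__":
    for when in ("2024-03-05T09:00:00Z", "2024-03-07T09:00:00Z", "2024-03-10T09:00:00Z"):
        status, fraction, remaining = check_crl_text(SAMPLE_CRL_DATES, when)
        print(f"{when}: {status} ({fraction:.0%} of validity elapsed, {remaining / 3600:.1f} h left)")
```

Feed it real input with openssl crl -in issuing.crl -noout -lastupdate -nextupdate | python crl_check.py style plumbing (read stdin in place of the sample), and page on ALERT rather than EXPIRED: a CA that publishes a weekly CRL normally refreshes it well inside the first half of the window, so crossing 50% without a new CRL means the publication job has already failed while clients are still validating.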
Tools
- certutil -url / certutil -verify / certutil -CRL
- openssl s_client -connect <host>:443 -status (OCSP stapling check)
- Windows CAPI2 Event Log (Event ID 82)
- PowerShell: [System.Net.ServicePointManager]::CheckCertificateRevocationList — toggle revocation checking for .NET web requests during diagnosis
- Wireshark/netstat — capture OCSP/CRL traffic