3

I'm trying to install an application on a machine running Windows XP Pro.

There are two different servers being contacted, both using the same wildcard certificate (GoDaddy). One via https, one via net.tcp with ssl. Both are WCF services.

The first (via https) worked fine from the beginning. The TCP connection, however, fails with the error message "The revocation function was unable to check revocation because the revocation server was offline".

We got the IT guy to temporarily disable the proxy, and the TCP connection was successful, but he can't leave it off forever and we need to figure out what revocation server is being used.

According to this article on GoDaddy's support site (http://support.godaddy.com/help/article/6723/verifying-a-certificates-validity-on-your-computer), you need to have one of these open for the revocation check to succeed:

  • crl.godaddy.com
  • certificates.godaddy.com
  • crl.starfieldtech.com
  • certificates.starfieldtech.com

We can ping them all just fine with the proxy running, but the TCP connection doesn't work.

How do I troubleshoot this? Is there a good way to figure out what CRL the app is attempting to contact?

Joshua Evensen

4 Answers

4

Open the site in your browser and open View Certificate (usually by clicking the lock icon or similar; it varies by browser). On the Details tab, CRL Distribution Points should be in the list with the URL(s).

Chris S
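To list the CRL and OCSP URLs for every certificate in the chain (intermediates carry their own distribution points) and see which element fails the revocation check, a PowerShell script along these lines can be used. It is an added example, not part of the answer above; the `C:\temp\service.cer` path is a placeholder for a certificate exported from the View Certificate dialog, and the `URL=` pattern assumes English-language extension formatting.

```powershell
# Added example. $CertPath is a placeholder: export the service certificate
# to a .cer file first (View Certificate > Details > Copy to File).
param([string]$CertPath = 'C:\temp\service.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

# Build the chain with online revocation checking for the leaf and the
# intermediates (the root is excluded).
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$ok = $chain.Build($cert)
"Chain valid with revocation checking: $ok"

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "`nSubject: $($c.Subject)"
    foreach ($ext in $c.Extensions) {
        # 2.5.29.31         = CRL Distribution Points
        # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP, CA issuers)
        if ($ext.Oid.Value -eq '2.5.29.31' -or $ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') {
            # Format($true) renders the extension as multi-line text with URL= entries
            $text = $ext.Format($true)
            foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) {
                "  $($ext.Oid.Value)  $($m.Groups[1].Value)"
            }
        }
    }
    # Empty when the element validated; otherwise lists flags such as
    # RevocationStatusUnknown or OfflineRevocation with the system's message.
    foreach ($status in $element.ChainElementStatus) {
        "  Status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}
```

Run it once with the proxy enabled and once with it disabled; the element whose status changes identifies which URLs the proxy needs to allow.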
3

Another option is to clear out the url cache in certutil and check it again after you've made a successful connection:

certutil -URLcache * delete

and then

certutil -URLcache

If you're running XP, then you might need to install certutil first:

http://support.microsoft.com/kb/934576

rob
0

Agree with Chris S. But also, to actually watch what it's contacting, fire up Microsoft's Process Monitor and turn off everything apart from network monitoring.

Simon Catlin
0

With regard to your underlying problem, it's worth checking the proxy is correct for WinHttp, as it can have different settings than those used by a browser.

On XP:

proxycfg

On Vista/7:

netsh winhttp show proxy

rob