FAST ESP / Admin GUI is not working "organizations certificate has been revoked"

Article ID: 2514825

SYMPTOMS

When you try to access the Microsoft FAST ESP Admin GUI over HTTPS from Internet Explorer, the following error message may be displayed:

“organizations certificate has been revoked”

CAUSE

This problem occurs because the ESP server certificate is no longer valid: it has been revoked by the certificate server that issued it. When a user tries to access the site, Internet Explorer checks whether the SSL certificate is valid.

The "Check for server certificate revocation" feature is enabled in the browser in which the connection failed, and the certificate for this particular ESP server has been revoked by the certificate server, so the browser rejects the connection.

WORKAROUND

To work around this problem, use one of the following methods:

Method 1: Disable the certificate revocation check

To disable the "Check for server certificate revocation" feature in Internet Explorer, follow these steps:
  1. On the Tools menu, click Internet Options.
  2. Click the Advanced tab.
  3. Under Security, click to clear the "Check for server certificate revocation" check box, and then click OK.

Method 2: Unrevoke or reissue the certificate

Ask the certification authority (CA) provider to unrevoke or reissue the ESP server certificate for the affected ESP server.

More Information

For more information about certificate revocation and certificate status checks, see the following topic on the Microsoft TechNet website:
Certificate Revocation and Status Checking

Certificate status checking

When a program requests the certificate chaining engine to evaluate a certificate, the validation is performed on all certificates in that certificate’s chain. This includes every certificate from the root certificate to the leaf certificate that is presented to the program.

When the first certificate in the chain is validated, the following steps occur:
  • The chaining engine tries to find the certificate of the CA that issued the certificate that is being examined. It first inspects the local system certificate stores (the CA store, the Root store, and the Enterprise Trust store) for the parent CA certificate. If the parent CA certificate is not found there, it is downloaded from one of the URLs listed in the inspected certificate's Authority Information Access (AIA) extension. Chain paths are built before signature validation because the parent CA certificate is needed to verify the signature on a certificate that the parent CA issued.
  • For all chains that end in a trusted root, the chaining engine validates all certificates in the chain. In this process, the chaining engine performs the following actions:
    • Verifies that each certificate’s signature is valid
    • Verifies that the current date and time fall within each certificate’s validity period
    • Verifies that each certificate is not corrupted or malformed
  • Each certificate in the chain is checked for revocation status. The local cache is checked for a time-valid version of the issuing CA's base Certificate Revocation List (CRL). If the base CRL is not in the local cache, or the cached version has expired, the base CRL is downloaded from the URLs listed in the CRL distribution point (CDP) extension of the evaluated certificate. Once a base CRL is available, the engine confirms that the certificate's serial number is not listed in it.

A root certificate has the same distinguished name (DN) in its Subject and Issuer attributes. When the chain reaches a root certificate, a revocation check may or may not occur. By default, the program enables the CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag; when this flag is set, the root CA certificate is not checked for revocation. When the flag is not set, the root CA certificate is checked for revocation only if it includes a CDP extension; without a CDP extension, no revocation check is performed on it.

Note Windows XP RTM and Windows XP Service Pack 1 (SP1) perform revocation checking as the chain is built instead of performing revocation checking only on chains that end at a trusted root CA.

If the base CRL contains the freshest CRL extension (which indicates that the CA issues delta CRLs), the local cache is checked for a time-valid version of the issuing CA's delta CRL. If one is available, the engine confirms that the certificate's serial number is not listed in the delta CRL. If the delta CRL is not in the local cache, or the cached version has expired, the delta CRL is downloaded from the URLs listed in the CDP extension of the evaluated certificate.

Warning If delta CRLs are enabled at a CA, both the base CRL and the delta CRL must be inspected to determine the certificate's revocation status. If either CRL (or both) is unavailable, the chaining engine reports that the revocation status cannot be determined, and a program may then reject the certificate.

After the validation check is completed, the certificate chaining engine returns the results of the validation check to the calling program. The results indicate that one of the following is true:
  • All certificates in the chain are valid
  • The chain terminates at a non-trusted root CA
  • One or more certificates in the chain are not valid
  • The revocation status for one or more certificates in the chain cannot be determined
Note If any certificate in the chain cannot be validated or has been revoked, the status of the whole chain is set to match the status of that one certificate.
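The sequence above (build and validate the chain, then consult a cached base CRL for each certificate and collapse the chain to a single status) is illustrated by the following Go program. It is an added example, not part of the original article and not Microsoft's chaining-engine code: it uses Go's standard crypto/x509 package, builds an in-memory throwaway PKI (the CA name, hostnames and serial numbers are constructed test data), and models only the base-CRL path. AIA and CDP downloads, delta CRLs, and the root-with-CDP case are not modelled; the root is excluded from the revocation check as under the default flag. A stale or missing CRL yields "revocation status cannot be determined", and a revoked leaf yields "not valid" for the whole chain, as the article states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Status int // the four outcomes the article says the chaining engine returns to the calling program

const (
	StatusValid             Status = iota // all certificates in the chain are valid
	StatusUntrustedRoot                   // the chain terminates at a non-trusted root CA
	StatusInvalid                         // a certificate is not valid (expired, bad signature, revoked)
	StatusRevocationUnknown               // revocation status cannot be determined (CRL missing or stale)
)

type CRLSource map[string]*x509.RevocationList // local CRL cache: issuer subject DN -> base CRL (absent = unavailable)

// CheckChain validates the chain (signatures, validity period, trusted root), then checks every certificate
// below the root against its issuer's base CRL. The self-signed root is not checked, which is the default
// CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT behaviour the article describes.
func CheckChain(leaf *x509.Certificate, roots *x509.CertPool, crls CRLSource, now time.Time) (Status, string) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		if _, ok := err.(x509.UnknownAuthorityError); ok {
			return StatusUntrustedRoot, err.Error()
		}
		return StatusInvalid, err.Error() // expired, malformed or badly signed certificate
	}
	chain := chains[0] // leaf first, root last
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		crl := crls[issuer.Subject.String()]
		if crl == nil || now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
			return StatusRevocationUnknown, "no time-valid base CRL cached for " + issuer.Subject.CommonName
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil { // a cached CRL counts only if the CA signed it
			return StatusRevocationUnknown, "CRL signature check failed: " + err.Error()
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { // the whole chain takes this certificate's status
				return StatusInvalid, fmt.Sprintf("%s (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
			}
		}
	}
	return StatusValid, "all certificates in the chain are valid"
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for cn signed by signer under parent; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	if parent == nil { // self-signed CA allowed to sign certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildFixture constructs a throwaway PKI (constructed test data, not real certificates): a root CA, a leaf its CRL revokes, a leaf it does not; the CRL is time-valid for one hour.
func BuildFixture(now time.Time) (root, revoked, good *x509.Certificate, crl *x509.RevocationList) {
	root, rootKey := issue("Example Root CA", 1, nil, nil, now)
	revoked, _ = issue("esp.example.test", 1001, root, rootKey, now)
	good, _ = issue("other.example.test", 1002, root, rootKey, now)
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, root, rootKey)
	must(err)
	crl, err = x509.ParseRevocationList(der)
	must(err)
	return root, revoked, good, crl
}

func main() {
	now := time.Now()
	root, revoked, good, crl := BuildFixture(now)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println(CheckChain(revoked, roots, CRLSource{root.Subject.String(): crl}, now)) // revoked leaf -> StatusInvalid
	fmt.Println(CheckChain(good, roots, CRLSource{}, now))                             // no CRL cached -> StatusRevocationUnknown
}
```

The design point worth noticing is the ordering: the chain is fully built and its signatures and validity periods verified before any CRL is consulted, and a CRL that is absent, expired or not signed by the issuing CA is treated as "status undetermined" rather than as "not revoked". That is exactly why clearing the browser's revocation check makes the symptom disappear without making the certificate any more trustworthy.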

Properties

Article ID: 2514825 - Last Review: March 11, 2011 - Revision: 3.0
APPLIES TO
  • FAST ESP
  • FAST ESP 5.0.9
  • FAST ESP 5.1.5
  • FAST ESP 5.2
  • FAST ESP 5.3
Keywords: KB2514825
