Symptoms

If you use Microsoft Internet Security and Acceleration (ISA) Server 2004 to publish a secure sockets layer (SSL) Web site of a Web server, clients may receive the following error message:

Error Code: 500 Internal Server Error. The certificate is revoked. (-2146885616)

Cause

This problem occurs if the following conditions are true:

  • Certificate Revocation List (CRL) checks are enabled in ISA Server 2004. For additional information about how to enable CRL checks in ISA Server 2004, see the "More Information" section later in this article.

  • SSL Client Certificate authentication is enabled on the Web Publishing Rule. For additional information about how to enable SSL Client certificate authentication in ISA Server 2004, see the "More Information" section later in this article.

  • The root certificate from which the SSL Server Certificate on the ISA Server 2004 Web Listeners is derived has no CRL distribution points. For additional information about how to verify that the root certificate has no CRL distribution points, see the "More Information" section later in this article.

Resolution

Service pack information

To resolve this problem, obtain and install the latest service pack for Internet Security and Acceleration Server 2004.

Workaround

To work around this problem, manually download the CRL, and then install it to the local computer certificate store.



Note Because the CRL is valid only for a limited time, you must periodically retrieve a new CRL.



To install a CRL to the local computer certificate store, follow these steps:

  1. Log on to the computer as a member of the local administrators group.
     

  2. Open the Certificates snap-in for the computer account. To do this, follow these steps:
     

    1. Click Start, click Run, type mmc, and then click OK.
       

    2. On the File menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
       

    3. In the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
       

    4. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
       

    5. Click Computer account, and then click Next.
       

    6. Click Local computer, and then click Finish.
       

    7. Click Close, and then click OK.

  3. Expand Certificates, right-click Intermediate Certification Authorities, click All Tasks, and then click Import.

  4. Follow instructions in the wizard to complete the installation.
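
The check below is an added example, not part of the original article or of ISA Server: it reads thisUpdate and nextUpdate from a DER-encoded CRL file so that the manual re-import required by the note above can be done before the installed copy expires. The function names, the one-day margin, and the sample bytes are assumptions made for illustration; the CRL signature is not verified here.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 are 19xx, 00-49 are 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CRL; nextUpdate may be None."""
    tag, pos, _ = read_tlv(der, 0)        # CertificateList SEQUENCE
    tag2, pos, end = read_tlv(der, pos)   # tbsCertList SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER-encoded CRL")
    times = []
    while pos < end and len(times) < 2:
        tag, start, stop = read_tlv(der, pos)
        if tag in (0x17, 0x18):
            times.append(parse_time(tag, der[start:stop]))
        elif times:
            break  # thisUpdate was not followed by a Time: nextUpdate is absent
        pos = stop
    if not times:
        raise ValueError("thisUpdate not found")
    return times[0], (times[1] if len(times) == 2 else None)

def needs_refresh(der, now, margin=timedelta(days=1)):
    """True when the manually installed CRL should be downloaded and imported again."""
    _, next_update = crl_validity(der)
    return next_update is None or now >= next_update - margin

# Constructed sample: only the fields the parser walks, not a real signed CRL.
SAMPLE_CRL = bytes.fromhex("3027" "3025" "020101" "3000" "3000"
                           "170d" + b"240101000000Z".hex() +
                           "170d" + b"240108000000Z".hex())
```

A CRL without a nextUpdate field is reported as needing refresh, because its expiry cannot be determined from the file.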

More Information

How to verify that the root certificate has no CRL distribution points


 

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. Click Add, click Certificates, click Add, click Computer account, click Next, click Finish, click Close, and then click OK.

  4. Expand Certificates, click Trusted Root Certification Authorities, and then click Certificates.

  5. Double-click the root certificate of the certificate chain from which the ISA Server 2004 SSL Server certificate derives.

  6. In the Details tab, verify that a CRL distribution points field is not available.

     

How to configure CRL checks in ISA Server 2004

  1. To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. Expand your ISA Server, expand Configuration, and then click General.

  3. In the middle pane, click Specify Certificate Revocation.

  4. Click to select the Verify that incoming client certificates are not revoked check box, and then click OK.

How to enable Client Certificate authentication on ISA Server 2004


 

  1. To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. Expand your ISA Server, and then click Firewall Policy.
     

  3. In the middle pane, right-click the rule that you want to configure, and then click Properties.

  4. In the Listener tab, click Properties.
     

  5. In the Preferences tab, click to select the Enable SSL check box.

  6. Click OK two times.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
