I'm working on an internal app that's being upgraded by the vendor, and they told me I now need a real SSL certificate, as self-signed ones won't work anymore. We opted for DigiCert's Private SSL certificate and imported it into our server. However, when testing the key, I encountered an error stating: "Unable to check the revocation status of the intermediate certificate." I'm not sure what went wrong, and I'm looking for guidance on how to fix this issue. Any suggestions?
5 Answers
Have you checked with your software vendor yet? If you're behind a proxy, you may need to include the proxy server details in your SSL configuration.
The error message itself hints at the problem: the revocation check failed. So take a good look at where the Certificate Revocation List (CRL) is pointing to and make sure it’s accessible.
First, you should challenge the vendor on this one. Remember, self-signed certificates are valid too. It sounds like there might be an issue with importing the Certificate Authority (CA) properly. Make sure you have the whole chain linked correctly up to the root certificate.
Don’t forget to include the CA bundle with your certificate! Open the certificate in a text editor and append the entire CA bundle right below your certificate content.
You need to make sure you're bundling all public certificates up to the root in the .pem file. This way, the application has access to the entire certificate hierarchy. If you're working with an airgapped system, just be aware that CRL checks might not function as expected. If you're interested, check out Vault for a self-hosted Certificate Authority setup.
Actually, you can manage CRLs in an airgapped environment quite safely. There are ways to do store-and-forward CRL info without exposing other data. Check out this white paper from Agilicus for some insights!
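To make the advice in the answers above concrete (bundle the whole chain below the server certificate, and make sure the CRL that covers each certificate in the chain is actually reachable), here is an added, self-contained example that is not part of the original thread. It assumes only the openssl command line tool (1.1.1 or 3.x) and runs offline: it builds a throwaway root, intermediate and server certificate, has each issuing CA publish a CRL, and then uses openssl verify to reproduce both failure modes, a bundle with the intermediate missing and a revocation check that cannot find the CRL for the intermediate. The CA names, hostname and CRL URLs are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the thread). Needs only the openssl CLI.
# Builds root -> intermediate -> leaf, publishes a CRL per issuing CA, and
# shows what `openssl verify` says when the chain or a CRL is missing.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

build_demo_pki() {
    cd "$PKI_DIR"
    # Minimal `openssl req` config so the demo does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > req.cnf

    # Both CAs get cRLSign; without it openssl refuses to accept their CRLs.
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > root.ext
    cat > intermediate.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# Points at the ROOT's CRL: that is the list a client needs to check THIS certificate (hypothetical URL).
crlDistributionPoints = URI:http://crl.example.internal/root.crl
EOF
    cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.internal
crlDistributionPoints = URI:http://crl.example.internal/intermediate.crl
EOF

    for n in root intermediate leaf; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
    done
    openssl req -new -config req.cnf -key root.key -subj '/CN=Demo Root CA' -out root.csr
    openssl req -new -config req.cnf -key intermediate.key -subj '/CN=Demo Intermediate CA' -out intermediate.csr
    openssl req -new -config req.cnf -key leaf.key -subj '/CN=app.example.internal' -out leaf.csr

    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile root.ext -out root.crt 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile intermediate.ext -out intermediate.crt 2>/dev/null
    openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

    # `openssl ca -gencrl` needs CA state files even when empty; one shared set is fine for a demo.
    cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
policy = any
default_md = sha256
default_days = 30
default_crl_days = 30
[any]
commonName = supplied
EOF
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.crt -out root.crl 2>/dev/null
    openssl ca -config ca.cnf -gencrl -keyfile intermediate.key -cert intermediate.crt -out intermediate.crl 2>/dev/null

    # What the answers recommend: server certificate first, issuing chain appended below it.
    cat leaf.crt intermediate.crt > app-bundle.pem
    # -CRLfile takes a single file, which may contain several PEM CRLs.
    cat root.crl intermediate.crl > crls.pem
}

# verify_leaf [extra openssl verify options]: prints "ok" or openssl's
# "error N at D depth lookup: ..." line; D tells you which certificate failed.
verify_leaf() {
    if out=$(cd "$PKI_DIR" && openssl verify -CAfile root.crt "$@" leaf.crt 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" | grep 'depth lookup' | head -n 1
    fi
}

build_demo_pki
verify_leaf                                  # error 20 at 0 depth lookup: unable to get local issuer certificate
verify_leaf -untrusted app-bundle.pem        # ok
verify_leaf -untrusted app-bundle.pem -crl_check -crl_check_all -CRLfile intermediate.crl  # error 3 at 1 depth lookup: unable to get certificate CRL
verify_leaf -untrusted app-bundle.pem -crl_check -crl_check_all -CRLfile crls.pem          # ok
```

The third call is the thread's symptom: the leaf's own CRL is present, but the CRL issued by the root (the one that says whether the intermediate is revoked) is not, so the check fails at depth 1. Fetch whatever URL the intermediate's crlDistributionPoints extension names (openssl x509 -in intermediate.crt -noout -ext crlDistributionPoints) from the server itself, through its proxy if it has one, and verification passes once that CRL is available.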