A revocation check could not be performed for the certificate

If this article helps you please consider a donation. I don’t like adds on my blog.

When you get the RDP error “a revocation check could not be performed for the certificate” on a windows 7 workstation after you installed an SSL from a certification, you must disable enablecredsspsupport support. You can do this in the RDP file you are using. Open the *.rdp file in notepad and add the following line:

enablecredsspsupport:i:0

If you are using TSWeb you can add this to the RemoteApp section.

You can check if the SSL work correctly when you click on the lock icon in the connection bar

You can also fix the problem itself by creating an SSL certificate trough the windows enterprise authority. Here are the steps:

Resolution
=======================

To recover from the CA failure, we tried the following procedures:

Procedure A: recover the CA. In this procedure, we tried the following steps:

1. setup a new Enterprise Root CA on a Windows Server 2008 Enterprise Edition box. The Steps of this procedure can be found at:

Install Active Directory Certificate Services
http://technet.microsoft.com/en-us/library/cc947821(WS.10).aspx

Refer:
Active Directory Certificate Services Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

2. Configure the CA’s CDP and AIA to publish the CRL and AIA to the Internet Address on your web server. We did this by creating a virtual directory mapping to the CA’s share “CertEnroll”. This can be done via the following step:

– Logon to the IIS Server which holds the Web Service in your network.
– Run Inetmgr to open the IIS management console.
– Under the default web site, we created a new Virtual Directory called “CertEnroll” and mapped it to the “CertEnroll” share on the CA. At the same time, we manually specific the account for this connection .
– Logon t o the CA and run “Certsrv.msc” to open the CA’s management console.

– Right click on the CA and select Properties.
– Switch to “Extensions” tab.
– In the Extension list, select “CDP” and then add a new CDP points to the Address we just created in the IIS and checked the option to add this extension to issued certificates.
– In the Extension list, select “AIA” and perform similar steps as we did for CDP.

Refer:
Configure CDP and AIA Extensions
http://technet.microsoft.com/en-us/library/cc776904(WS.10).aspx

Procedure B: Recover the TS Gateway Certificate. In this procedure, we tried the following steps:
1. Enable the SSL for the CA’s web enrollment page via the following steps:

– Open the MMC on the CA.

– Click File -> Add/Remove Snap-ins -> Certificates -> Computer -> Local Computer to load the local computer’s certificate store.
– Right on the Certificates | Personal | Certificates to request a new certificate from the new CA. Since we need to enable the SSL for the web site, we requested the Domain Controller

Certificate Template as this templates contains the “Server Authentication” in application policy.
–  Open the IIS Management console on the CA via “Inetmgr” command.
– Open the Web site hold the CA’s web enrollment.
– Click “Binding” and add a new binding for HTTPS and select the certificate we just requested.

2. Duplicate the Web Server certificate template.
– On the CA, run Certsrv.msc to open the CA’s management console.

– Right click on certificate templates and select Duplicate to duplicate it and name it “TS Gateway”.
– Mark the key as “exportable” for this template.

3. Request the certificate for the TS Gateway:
– Logon to the TS Gateway.

– Launch IE and access https://ca-name/certsrv.
– use the Advanced Request to request the “TS Gateway” certificate template and put the common name as the TS Gateway’s virtual name “safari-1.bbe.k12.mn.us”.
– Install the certificate.
– Open the User’s certificates store via the command “Certmgr.msc”.
– Right click the certificate we just requested and export it along with its private key to a PFX file.
– Launch IIS Management console via Inetmgr command.
– Right click on the Web site for TS Gateway and click “Server Certificates” to import the PFX file.
– Launch Server manager to open the TS Gateway’s console and then configure the new certificate we just requested for the TS Gatway.

Procedure C: recover the nodes in the TS Farm.
1. Request Certificates for the TS Farm nodes:

– Logon to the TS Farm nodes.

– Launch IE and access https://ca-name/certsrv.
– use the Advanced Request to request the “TS Gateway” certificate template and put the common name as the TS Farm virtual name “safari-1.bbe.priv”.
– Install the certificate.
– Open the User’s certificates store via the command “Certmgr.msc”.
– Right click the certificate we just requested and export it along with its private key to a PFX file.

2. Configure the Certificate for the TS nodes.
– Open the TS management console.

– Right click on the RDP interface to specify the new certificate for those nodes in the Properties page.

More Information
==================================

For clients, they can access the TS Gateway and would receive a warning indicating the certificate is not trusted. They can check the certificate chain by click “view certificate”. Meanwhile, they can also access the AIA directly  to download the Root CA’s certificate and install it on the client:http://domain-name/certenroll/Jaguar6.bbe.priv_bbe-ca.crt

If this article helps you please consider a donation. I don’t like adds on my blog.

Author: Thomas Faddegon

Bla bla bla

  • dennisapol

    that single line is just what i needed!!
    thanks mate..

  • anon

    The one line edit worked perfectly. Thank you!

  • Bert

    Glad that wapnet could help !!

    Thanks.

  • Kay

    Thanks, this solved my problem.