Error Code: 500 Internal Server Error. The certificate is revoked. / TMG 2010 Publishing with CA Client Auth / Online Sub CA with CDP and Offline Root CA without CDP


  • Hello together, 

    i have the following problem: 

    i wants to publish a website over tmg 2010 with https and listener activated for Certificate Client Auth for a special Client Cert Trust List... 

    I have a User Cert with the line up to an Sub Cert (with CDP reachable from tmg) and and offline root CA Cert without CDP in the root Cert.

    so i habe the Problem with my User Cert that i get the error: "Error Code: 500 Internal Server Error. The certificate is revoked".

    What can i do against this ?

    In TMG i get this error in the AltertsTab:

    Description: The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and Forefront TMG was unable
    to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs). 

    I already read about this problem this "As HowTo said, Microsoft (paradoxically) expects the Root CA's certificate to have a CDP [Eek!] . Once this has been done, then the entire certificate chain will be validated." Link to Forum

    Also ive found this post:

    So but i think that cannot be the solution... 

    What else can i do ?




    Tuesday, July 03, 2012 11:54 AM


All replies

  • Hi,

    From the error message, it's related to CRL, TMG does not accept client cert as TMG thinks client cert was revoked.
     You could try to open IE on TMG server, and ensure you can download CRL.


    James Yi 

    Thursday, July 05, 2012 6:04 AM
  • Not sure if you guys have sorted this.

    I had a similar issue which ended up being that the certificate for the Intermediate had been installed into the Untrusted Publishers in IE on the TMG. I removed it from there and everything started working.


    Monday, August 20, 2012 4:08 AM