0 Replies Latest reply on Oct 4, 2016 10:43 AM by fjleon1980

    Acrobat Reader DC fails to check Certificate Revocation List (CRL). How to fix?


      Hello everyone. I have installed Active Directory Certificate Services, with the web component.

      I have deployed the CA certificate to the machines and i can effectively see the certificate in mmc being trusted.

      I create a user certificate with MMC and sign digitally a PDF with acrobat reader DC. However acrobat complains that it can't check if the certificate has been revoked, with the following error:

      Error when downloading the CRL list
      Location: ldap:///CN=MY_CA_NAME,CN=SERVER_NAME,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Con figuration,DC=MY_DOMAIN,DC=com?certificateRevocationList?base?objectClass=cRLDistributionP oint 
      Cannot connect to server.

      However, on the same machine when using certutil -url with that complete ldap url, here's what i get:

      I click the "recover" button with the CDP option checked (it's the default) and i do get both the base CRL and difference without errors. I do get a warning that says that the certificates or CRL have not been thoroughly checked because they may be incoherent or don't have the extensions loaded to allow a correct check.

      The CA server is on win 2012r2, the client is windows 10 1607, however i have checked other clients. These are all in our company domain, with my domain user account.

      Additionally, i can go to http://my_server/certsrv and i do get the website where i can check the CRL and it downloads correctly as well.

      Note that i do NOT have the Online Responder role feature installed. I didn't install it because this same configuration seemed to work in a virtual 2012r2 server /win 7 client on virtualbox.

      On my virtual server and client, adobe says that the certificate does not provide information on how to verify that the certificate has been revoked, but i really don't care about that, i only care than when i click on "verify signature" it says that it is VALID.

      How can i fix this?