Revocation Status of Domain Controller Certificate Not Determined After Updating KDC Certificate

  • Error shown to the user: The revocation status of the domain controller certificate used for the smart card authentication could not be determined.

Because of the Windows CRL cache, the error "The revocation status of the domain controller certificate could not be determined" may persist even after the KDC certificate has been updated to include a reachable HTTP CRL distribution point, or after the expired CRL has been replaced with a valid one.

Potential Solution

Ensure that the Windows cache doesn't interfere with the CRL validation.

Windows maintains a persistent negative cache for CRL queries: once a CRL retrieval has failed, later validations on that machine may keep failing locally until the cached result is discarded. This system cache survives reboots and cannot be cleared using the certutil command. However, it can be cleared manually.

Manually delete the cached CRL files by removing them from:

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\
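As an added example that is not part of the original article, the following PowerShell script lists the entries in that cache directory, copies them to a backup folder, and then removes them. It assumes an elevated (Administrator) session and uses the cache path given above; the backup location is a constructed default.

```powershell
# Added example (not from the original article): inspect and clear the
# system-profile CryptnetUrlCache used by Windows for CRL/OCSP lookups.
# Assumption: run from an elevated PowerShell session, since the directory
# lives under the SYSTEM profile and is not writable by standard users.

$CachePath = 'C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content'

function Get-CryptnetCacheEntries {
    param([string]$Path = $CachePath)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Cache directory not found: $Path"
        return @()
    }
    # Each file is one cached URL response (CRL, OCSP response, AIA certificate, ...).
    Get-ChildItem -LiteralPath $Path -File |
        Select-Object Name, Length, LastWriteTime
}

function Clear-CryptnetCache {
    param(
        [string]$Path = $CachePath,
        # Constructed default; change to any writable location.
        [string]$BackupRoot = (Join-Path $env:TEMP 'CryptnetUrlCache-backup')
    )
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    $entries = @(Get-CryptnetCacheEntries -Path $Path)
    if ($entries.Count -eq 0) { Write-Host 'Nothing to clear.'; return }

    # Keep a timestamped copy so the cached state can be restored or inspected later.
    $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Copy-Item -Path (Join-Path $Path '*') -Destination $backup -Force

    # Remove the cached responses so the next validation fetches the CRL afresh.
    Get-ChildItem -LiteralPath $Path -File | Remove-Item -Force
    Write-Host "Removed $($entries.Count) cached entries; backup saved in $backup"
}

# Show what is cached (oldest first) before removing it.
Get-CryptnetCacheEntries | Sort-Object LastWriteTime | Format-Table -AutoSize
Clear-CryptnetCache
```

After clearing, a fresh fetch of the CRL can be confirmed by running `certutil -verify -urlfetch <dc-cert.cer>` against an exported copy of the domain controller certificate before retrying the smart card logon.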

Note that while a CRL response remains cached, a revocation issued after it was fetched may not be noticed. For OCSP, responses are held for the validity period of the CRL or of the OCSP response signing certificate, whichever is shorter.
