SSL Visibility - How to resolve the certificate revocation security alert


Article ID: 169185

Products

SSL Visibility Appliance Software

Issue/Introduction

Users start seeing the following error in Internet Explorer on SSL sessions whose certificates are resigned by the SSL Visibility appliance:

"Revocation information for the security certificate for this site is not available. Do you want to proceed?

Yes \ No \ View Certificate"

Cause

This usually means the following: when a client running Internet Explorer receives a certificate, it sends an OCSP (Online Certificate Status Protocol) request to the certificate's OCSP responder to verify whether the certificate has been revoked. If Internet Explorer cannot determine the revocation status, and the browser is configured to expect an OCSP response, it displays this warning.

Why Chrome is not affected:
Chrome is not affected because it disabled OCSP checks by default in 2012, citing latency and privacy concerns.
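The following PowerShell script is an added diagnostic and is not part of the KB article or the SSL Visibility product. It reproduces, outside the browser, the check Internet Explorer performs: it connects to a site, captures the (resigned) certificate, builds the chain with online CRL/OCSP checking, and reports whether the revocation status could be determined and which Authority Information Access URLs the certificate carries. The host name `intranet.example.test` is an assumed placeholder for a site that sits behind the appliance.

```powershell
# Added diagnostic, not from the KB article: reproduces outside the browser the
# revocation check Internet Explorer performs on a resigned certificate.
# $Target is an assumed example host name; point it at a site behind the SSLV appliance.
param(
    [string]$Target = 'intranet.example.test',
    [int]$Port = 443
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: the callback only captures the
        # certificate; trust and revocation are evaluated separately below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

function Test-RevocationStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # query CRL/OCSP endpoints, as IE does
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(10)
    $null = $chain.Build($Cert)

    # These two status flags are what surface as "revocation information ... is not available".
    $unknown = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
    $offline = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation
    $problems = @($chain.ChainStatus | Where-Object {
        (($_.Status -band $unknown) -ne 0) -or (($_.Status -band $offline) -ne 0)
    })

    # Authority Information Access (OID 1.3.6.1.5.5.7.1.1) is where the client looks
    # for the OCSP responder URL; show it so the reachable/unreachable question can be settled.
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

    [pscustomobject]@{
        Subject              = $Cert.Subject
        Issuer               = $Cert.Issuer
        RevocationDetermined = ($problems.Count -eq 0)
        ChainStatus          = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        AuthorityInfoAccess  = if ($aia) { $aia.Format($true) } else { '(none: certificate carries no OCSP/CA issuer URL)' }
    }
}

$cert = Get-ServerCertificate -HostName $Target -Port $Port
Test-RevocationStatus -Cert $cert | Format-List
```

When `RevocationDetermined` is `False` and `ChainStatus` lists `RevocationStatusUnknown` or `OfflineRevocation`, the client is in exactly the state that triggers the IE prompt; the `AuthorityInfoAccess` field shows which responder (if any) the resigned certificate points the client at.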

Resolution

To avoid the error, do the following:

  • Disable the OCSP check in IE

Internet Explorer > Tools > Internet Options > Advanced: uncheck the 'Check for server certificate revocation' option.

After unchecking 'Check for server certificate revocation', the Windows system must be rebooted for the change to take effect. This is noted in the Internet Options window: "*Takes effect after you restart your computer".

  • Remove CRL/OCSP disk cache entries on the client machine. From the Windows command line run:

> certutil -urlcache CRL delete
> certutil -urlcache OCSP delete

  • Perform "Clear SSL state" in Internet Explorer > Internet Options > Content.
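The following PowerShell script is an added example, not part of the KB article, that audits and (with `-Apply`) carries out the first two client-side steps above for the current user. It assumes that the 'Check for server certificate revocation' checkbox is backed by the `CertificateRevocation` DWORD under the current user's `Internet Settings` registry key (1 = checked); verify that against the Internet Options dialog on your build before relying on it. "Clear SSL state" has no certutil equivalent here and is still done from Internet Options > Content.

```powershell
# Added example, not from the KB article. Audits the IE revocation-check setting and,
# when -Apply is given, disables it and clears the CRL/OCSP URL caches with the same
# certutil commands the article lists. Assumption: the checkbox maps to the
# CertificateRevocation DWORD (1 = enabled) under the Internet Settings key.
param([switch]$Apply)

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$name = 'CertificateRevocation'

function Get-RevocationCheckState {
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { return 'not set (defaults to enabled)' }
    if ($v -eq 1) { 'enabled' } else { 'disabled' }
}

function Clear-RevocationCaches {
    # Same two commands as the article; certutil returns a non-zero exit code on failure.
    foreach ($type in 'CRL', 'OCSP') {
        & certutil.exe -urlcache $type delete | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil -urlcache $type delete exited with code $LASTEXITCODE"
        }
    }
}

Write-Host "Before: server certificate revocation check is $(Get-RevocationCheckState)"

if ($Apply) {
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    Clear-RevocationCaches
    Write-Host "After:  server certificate revocation check is $(Get-RevocationCheckState)"
    Write-Host 'Reboot the workstation for the setting to take effect, then clear SSL state via Internet Options > Content.'
}
else {
    Write-Host 'Dry run only. Re-run with -Apply to disable the check and clear the CRL/OCSP caches.'
}
```

Run it once without `-Apply` to record the current state, and once with `-Apply` on the affected workstation; the reboot noted in the article is still required afterwards.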

If the steps above don't help, the certificate resigning cache on the SSL Visibility appliance must be cleared:

On appliances running versions prior to 3.9.6.1, a factory reset is required because this cache is persisted to disk.
On 3.9.6.1 and higher, the certificate resign cache is cleared on reboot and is *not* persisted to disk anymore, so the factory reset procedure is not necessary.

IMPORTANT: Remember that a factory reset will wipe the current configuration, and the SSL Visibility appliance will need to be bootstrapped again, so ensure that you back up everything on the appliance before proceeding.