Need help fixing NET::ERR_CERT_REVOKED Error while connecting to DevTest portal

Products

Service Virtualization

Issue/Introduction

While attempting to connect to the DevTest Portal URL, our users are seeing a NET::ERR_CERT_REVOKED error getting thrown by the Chrome browser. Only users which, are using the Chrome browser are seeing the error. Users, which use the Firefox browser are not having this issue. Please help us understand why this error is seen in Chrome, and what to do to correct the issue.

We have reviewed the certificate, and it seems like a valid certificate. It was recently renewed, when we updated our DevTest environment with new systems, The expiry date of the Certificate has not passed and therefore, the certificate has not expired. So why are we seeing this problem?

Environment

Release : 10.6

Component : CA Service Virtualization

Cause

When a Website has been configured to use SSL/TLS, as part of the security the certificate has to be verified to ensure the certificate is authentic, and not a malicious site pretending to be the site you are attempting to reach. Web browser tend to have their own methodology for how they validate certificates, which could be why only users using Chrome browsers are seeing the error. However, there are two methods that are generally used to validate the certificate:

Through the use of Certificate Revocation Lists (CRL). The list of all the revoked certificates is downloaded by the browser, If the certificate that the user is trying to use to reach a secure website is on the list, the NET::ERR_CERT_REVOKED error is displayed.
The use of Query by Using Online Certificate Status Protocol (QCSP). Here, the certificate of the website the user is trying to visit is queried by the browser, and if the query comes back as 'invalid' the ERR_CERT_REVOKED or ERROR_INTERNET_SEC_CERT_REVOKED error is seen.

Other common reasons a certificate may be revoked:

The site manager requested the certificate be revoked. This could be because the host system has been decommissioned, and a new server is now hosting the site.
The Certificate Authority has discovered misissuance of the certificate, and the certificate can no longer be trusted.
The private key has been compromised and the certificate is no longer secure.
A network, or DNS issue is blocking the local system from accessing the provider's CRL list, and the lookup/query cannot take place.

Resolution

In this instance, looking at the certificate that is causing the error, we found that the 'Subject' hostname belonged to an older system, which was decommissioned as part of the environment upgrade.

The first thing to help understand why we are seeing the revocation error, we need to look at the certificate details and find the URL of the CRL.

To locate the CRL URL:

Select the 'Details' tab of the Certificate
Scroll down and select the 'CRL Distribution Points'
Copy the URL to the CLR, and paste it into the browser.
If the browser is able to access the location of the CLR, it will download a copy of the CLR.
Navigate to where the CLR file was downloaded.
Double-click on the CLR file to open the Certificate Revocation List
In the 'Revocation List' tab you will see a list of the certificates, by their Serial Numbers, which have been revoked. You need to compare the certificate's Serial Number, to the Serial Numbers in the CLR to verify the certificate is found in the CLR. If the certificate serial number is found in the list, you can see when the certificate was added to the revoked list.
Reviewing the CLR list we see that the certificate was revoked on January 19, 2021. This likely happened when they decommissioned the older systems. Since the certificate was originally created under the old system, the Security team revoked all certificates related to the decommissioned system, which is a common practice to ensure these certificates cannot be hijacked by malicious applications, and pose as a valid hosting site.