Troubleshooting "Certificate(s) have been revoked" Messages on the Internet Gateway


Article ID: 424966


Products

IT Management Suite

Issue/Introduction

Administrators may observe a warning in the Symantec Management Platform Internet Gateway Manager, under the Servers tab, stating: "X certificate(s) have been revoked" (where X is the number of revoked agent certificates). This often raises concerns about the health of Cloud Enabled Management (CEM) communications and whether active agents are being blocked from connecting.

Environment

ITMS 8.7.x, 8.8

Cause

The "Revoked certificate" message is expected behavior of the ITMS certificate management process. When an agent certificate is discarded, for example during an agent uninstallation, machine retirement, or certificate renewal, the Symantec Management Platform (SMP, also called the Notification Server or NS) adds that certificate to a Certificate Revocation List (CRL). The Internet Gateway (IGW) downloads this list so that it does not accept connections from decommissioned assets. This follows security best practice, but a high volume of revoked certificates can occasionally cause performance overhead on the Gateway.

The root cause is the standard lifecycle management of CEM agent certificates.

  1. By Design: Every time a CEM agent certificate is superseded or retired, it is added to the CRL to prevent unauthorized reuse of that specific certificate.

  2. Scalability: In large environments, where agents are continually installed, renewed, and retired, the CRL grows significantly over time.

Resolution

NOTE:
In versions prior to 8.8.1, the Gateway processed these lists in a manner that could cause performance degradation when the list became excessively large. This has been addressed in ITMS 8.8.1.

If the "revoked" count is high, or you suspect Gateway performance issues, you can manually clear the CRL files. This clears the message and forces the Gateway to re-sync only the current revocation data from the SMP.

Step 1: Clear CRLs on the SMP Server

  1. Log in to the SMP Server as an Administrator.

  2. Open the MMC Console (Start > Run > mmc).

  3. Click File > Add/Remove Snap-in..., select Certificates, click Add, and choose Computer account.

  4. Navigate to Trusted Root Certification Authorities > Certificate Revocation List.

  5. Action: Right-click the SMP CA CRL, select All Tasks > Export (to keep a backup), and then Delete the CRL entry.

  6. Repeat this for Intermediate Certification Authorities > Certificate Revocation List if any SMP-related CRLs exist there.

Step 2: Clear CRLs on the Internet Gateway

  1. On the Internet Gateway server, open the Services snap-in (services.msc).

  2. Right-click Symantec Management Platform Internet Gateway and select Stop.

  3. Close the Internet Gateway Manager UI.

  4. Open File Explorer and navigate to:

    C:\Program Files\Symantec\SMP Internet Gateway\crl

  5. Action: Backup the contents of this folder to a different location, then delete all files within the \crl folder.

Step 3: Refresh Gateway Configuration

  1. Open the Internet Gateway Manager UI.

  2. Navigate to the Servers tab.

  3. Select the Notification Server entry.

  4. Click Refresh. If the "Revoked" message clears immediately, no further action is needed on this tab; otherwise click Remove, then click Add to re-establish the connection to the SMP.

  5. Restart the Symantec Management Platform Internet Gateway service.

Validation Steps

  • Check IGW UI: The Servers tab should now show a status of "Connected" with either "No revocations" or a revoked-certificate count of 0 (or one significantly lower than before).

  • Log Verification: Check the Gateway logs located in C:\Program Files\Symantec\SMP Internet Gateway\logs for any "Failed to process CRL" errors.
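The following PowerShell script is an added example, not part of the original article or the ITMS product, that carries out Step 2 (stop the service, back up and clear the \crl folder), the service restart from Step 3, and the log check from Validation Steps on the Internet Gateway server. Before clearing anything it also reports how many revoked serials each CRL file currently carries, which is useful evidence when deciding whether the count is "high". The install path, service display name and log folder are taken from the article; the backup location, the *.log file pattern and the "CRL Entries:" line parsed from certutil -dump output are assumptions made for this example.

```powershell
# Added example (not from the original article). Runs on the Internet Gateway
# server as an administrator. Supports -WhatIf so the actions can be previewed.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Paths and service name as given in the article.
    [string]$GatewayRoot = 'C:\Program Files\Symantec\SMP Internet Gateway',
    [string]$ServiceName = 'Symantec Management Platform Internet Gateway',
    # Assumed backup location; any drive with enough space will do.
    [string]$BackupRoot  = 'C:\Temp\IGW-CRL-Backup'
)

$crlDir = Join-Path $GatewayRoot 'crl'
$logDir = Join-Path $GatewayRoot 'logs'

# 1. Diagnostic: count revoked serials per CRL file before touching anything.
#    Assumption: certutil -dump prints a "CRL Entries: N" line for a CRL file.
Write-Host "CRL files currently in $crlDir"
Get-ChildItem -Path $crlDir -File -ErrorAction Stop | ForEach-Object {
    $dump  = & certutil.exe -dump $_.FullName 2>&1
    $match = $dump | Select-String -Pattern 'CRL Entries:\s*(\d+)' | Select-Object -First 1
    [pscustomobject]@{
        File       = $_.Name
        SizeKB     = [math]::Round($_.Length / 1KB, 1)
        CrlEntries = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { 'n/a' }
        LastWrite  = $_.LastWriteTime
    }
} | Format-Table -AutoSize

# Resolve the service by its display name (the name shown in services.msc).
$svc = Get-Service -DisplayName $ServiceName -ErrorAction Stop

# 2. Step 2 from the article: stop the Gateway, back up \crl, then clear it.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $BackupRoot "crl-$stamp"

if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
    Stop-Service -InputObject $svc -ErrorAction Stop
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

if ($PSCmdlet.ShouldProcess($crlDir, "Back up to $backupDir, then delete contents")) {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    Copy-Item -Path (Join-Path $crlDir '*') -Destination $backupDir -Recurse -Force

    # Refuse to delete unless the backup holds every file from the source.
    $srcCount = @(Get-ChildItem -Path $crlDir    -File -Recurse).Count
    $dstCount = @(Get-ChildItem -Path $backupDir -File -Recurse).Count
    if ($srcCount -ne $dstCount) {
        throw "Backup incomplete ($dstCount of $srcCount files copied); nothing deleted."
    }
    Remove-Item -Path (Join-Path $crlDir '*') -Recurse -Force
    Write-Host "Cleared $srcCount file(s) from $crlDir (backup in $backupDir)."
}

# 3. Step 3 (item 5) from the article: restart the service so the Gateway
#    re-syncs revocation data from the SMP. The Refresh or Remove/Add of the
#    Notification Server entry is done in the Internet Gateway Manager UI.
if ($PSCmdlet.ShouldProcess($ServiceName, 'Start service')) {
    Start-Service -InputObject $svc -ErrorAction Stop
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# 4. Validation Steps from the article: look for "Failed to process CRL".
#    Assumption: Gateway log files use the .log extension.
$hits = Get-ChildItem -Path $logDir -Filter '*.log' -File -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch 'Failed to process CRL'
if ($hits) {
    Write-Warning 'CRL processing errors found in the Gateway logs:'
    $hits | Select-Object Filename, LineNumber, Line | Format-Table -AutoSize
} else {
    Write-Host 'No "Failed to process CRL" entries found in the Gateway logs.'
}
```

Run it once with -WhatIf to see which service and folder it would act on, then without. The log check scans the logs present at the time it runs; after completing the Refresh or Remove/Add in the Internet Gateway Manager UI, re-run the script with -WhatIf (which still performs the read-only inventory and log scan) to confirm the rebuilt CRL files are small and no CRL processing errors have appeared.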

Additional Information