Unable to import a certificate from Safeguard with error: "Certificate chain is not trusted. Reason: (OfflineRevocation) The revocation function was unable to check revocation because the revocation server was offline." (4259951)

Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Return

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Title

Unable to import a certificate from Safeguard with error: "Certificate chain is not trusted. Reason: (OfflineRevocation) The revocation function was unable to check revocation because the revocation server was offline."
Description

Unable to import certificate into Safeguard with error:
"Certificate chain is not trusted. Reason: (OfflineRevocation) The revocation function was unable to check revocation because the revocation server was offline." or
"Request to https://x.x.x.x/service/core/v2/SslCertificates failed with status code 400 (Bad request)."
Cause

When importing the certificate Safeguard attempts to connect to all the Certificate Revocation List (CRL) points on the imported certificate. If Safeguard is unable to contact to any point, certificate import will fail.
Resolution

STATUS

Upgrade to Safeguard 2.10 or above. Safeguard 2.10 no longer checks the revocation list when installing the SSL certificate.

WORKAROUND 1
There should only be a single HTTP extension in the signed certificate. An LDAP or FILE extension should not be present when importing the certificate to Safeguard. Safeguard should be able to access the HTTP address without requiring authentication or a proxy.

Validate that Safeguard (or a non domain server) can access the CRL points of the certificate. (To view the points of the cert double click on the certificate -> Details -> CRL Distribution Points).

WORKAROUND 2

Remove all the CRL Distribution points when issuing the certificate from the CA
For example when using a Microsoft CA
- Navigate to your Microsoft Certificate Authority
- Right click your Certificate Authority Sever Name > Properties > Extensions > Ensure CRL is selected
- Make a note of the current settings
- Untick "Include in the CDP extension of issued certificates" for each extension (e.g. file | http | ldap and c:\windows\system32…)
- Click Apply
- Regenerate the CSR from Safeguard
- Ensure there are no CRL Distribution points within the signed certificate.
- Upload the signed certificate to Safeguard.
- Revert the CA changes
Change Request

796288

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Request a KB Article

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Unable to import a certificate from Safeguard with error: "Certificate chain is not trusted. Reason: (OfflineRevocation) The revocation function was unable to check revocation because the revocation server was offline." (4259951)

Title

Description

Cause

Resolution

Change Request

Leave a Comment