There should only be a single HTTP extension in the signed certificate. An LDAP or FILE extension should not be present when importing the certificate to Safeguard. Safeguard should be able to access the HTTP address without requiring authentication or a proxy.
Validate that Safeguard (or a non domain server) can access the CRL points of the certificate. (To view the points of the cert double click on the certificate -> Details -> CRL Distribution Points).
Remove all the CRL Distribution points when issuing the certificate from the CA