• 4

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once


I have a set of internal company websites, which need to have TLS certificates. I went through a whole bunch of tutorials, and ended up using OpenSSL to create a self-signed root certificate. I then used this certificate to sign server certificates for the internal websites.

Finally, I manually added the root cert to the Trusted Root stores and Keychains on all of our computers. All seemed to be well. The websites all showed the green padlock. However, I found a problem today.

The Problem

One of the internal sites is an installation of Github Enterprise. I tried connecting to it with the GitHub Desktop program, and I got this message:

enter image description here

schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Frankly, I have no idea what to do to fix this. Any help would be appreciated, even if it's just how to bypass the error.

  1. When a certificate authority issues a certificate to a secure website that certificate typically contains information that allows the client browser to validate that the certificate was not issued in error (or compromised) and subsequently revoked by the certificate authority.
  2. Certificate Authorities (CAs) are required to keep track of the SSL Certificates they revoke. After the Certificate Authority (CA) revokes an SSL Certificate, the CA takes the serial number of the certificate and adds it to their certificate revocation list (CRL). The URL to the Certificate Authority’s certificate revocation list is contained in each SSL Certificate in the CRL Distribution Points field.

Next step (not covered by error now, but will appear next)

  1. To check the revocation status of an SSL Certificate, the client connects to the URLs and downloads the CA's CRLs. Then, the client searches through the CRL for the serial number of the certificate to make sure that it hasn't been revoked.

Thus, you must

  • Have "CRL Distribution Points" in all issued by you certificates (see the x509v3_config manual page for details of the # extension section format)
  • Fill "CRL Distribution Points" with valid data
  • Have list in correct (understandable by client's tools) format
  • 0
Reply Report
      • 1
    • From the research I've been doing, CRLs are in the process of being depreciated in favor of OCSP+Stapling. But in general, I think you are right. The root of my problem is that I'm not handling revocation.

Trending Tags