Troubleshooting SSTP VPN Revocation Check Failures: CRL Server Offline Error 0x80092013



When your Windows client attempts to establish an SSTP VPN connection, it validates the server certificate and checks every certificate in the chain (except the root) for revocation, using the CRL Distribution Point (CDP) URLs embedded in each certificate. Error 0x80092013 is CRYPT_E_REVOCATION_OFFLINE ("The revocation function was unable to check revocation because the revocation server was offline"), and it occurs when:

  • The CDP URLs point to internal-only locations (ldap:///, file://, or an http:// host name that only resolves on the LAN) that an internet client cannot reach
  • The CRL web server is reachable but the download fails: port 80 blocked, a 404 because the .crl file is not in the published folder, or an error page returned instead of the file
  • The CRL the client can download has passed its NextUpdate and no fresher one is available; an expired CRL counts as no CRL

A missing intermediate certificate produces a chain-building error instead, not 0x80092013.

First, read the CDP URLs out of the SSTP certificate on the server, then test each HTTP URL from a machine outside your network (the server itself may reach them through the LAN and hide the problem):


# Check the certificate's CRL distribution points (run on the VPN server)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*vpn.yourdomain.com*" } | Select-Object -First 1
# Format() is a method, so call it rather than selecting it as a property
($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "CRL Distribution Points" }).Format($true)

# Test external CRL URL accessibility (run from outside the network; -UseBasicParsing avoids the IE parsing engine)
Invoke-WebRequest -Uri "http://mydomain.com/CertEnroll/MYSERVER-CA.crl" -UseBasicParsing
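The commands above test one URL you already know. The script below, an added example that is not part of the original page, reproduces what the SSTP client actually does: it pulls the server certificate off the live TLS endpoint, lists every CDP URL in the order the client will try them, fetches the HTTP ones, and then builds the chain with online revocation checking so the same status the client turns into 0x80092013 shows up by name. The host name and port are placeholders; run it from an internet-connected machine, ideally one that trusts your SBS root the way the VPN clients do.

```powershell
param(
    [string]$VpnHost = "vpn.yourdomain.com",   # assumption: the public name of the SSTP server
    [int]$Port = 443
)

# 1. Capture the server certificate exactly as the SSTP client receives it (SSTP is TLS on 443).
#    The callback returns $true so the handshake completes even if validation would fail;
#    the real validation is done in step 4.
$tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($VpnHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
"Server certificate: $($serverCert.Subject) (expires $($serverCert.NotAfter))"

# 2. List the CDP URLs in the order the client will try them.
$cdp = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
if (-not $cdp) { Write-Warning "No CDP extension: the client has nowhere to fetch a CRL from"; return }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

# 3. Fetch each URL the way CryptoAPI does: plain HTTP only. ldap:/// and file:// entries are
#    unreachable from the internet, and an https:// CDP is not used for CRL retrieval.
foreach ($u in $urls) {
    if ($u -notmatch '^http://') { "UNUSABLE from the internet: $u"; continue }
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        "OK   $u ($($r.RawContentLength) bytes, Content-Type: $($r.Headers['Content-Type']))"
    } catch {
        "FAIL $u : $($_.Exception.Message)"
    }
}

# 4. Build the chain with online revocation checking of everything below the root, which is the
#    SSTP client's check. RevocationStatusUnknown / OfflineRevocation here is what the client
#    reports as 0x80092013.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 20
$valid = $chain.Build($serverCert)
"Chain builds cleanly: $valid"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
```

If the test machine does not have the SBS root certificate installed you will see UntrustedRoot in step 4 as well; that is expected there and separate from the revocation result. Step 3 deliberately checks the Content-Type and size, because a web server that answers 200 with an HTML error page still breaks the client.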

For SBS 2011 the fix belongs on the Certification Authority, in the extensions it stamps into every certificate it issues (the Exit Module tab only controls where the CA writes files and AD objects, and has no setting that helps clients):

  1. Open the Certification Authority MMC snap-in
  2. Right-click your CA → Properties → Extensions tab, with "CRL Distribution Point (CDP)" selected
  3. Click Add and enter an HTTP URL that resolves and answers from the internet, for example http://mydomain.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, then tick "Include in the CDP extension of issued certificates" and "Include in CRLs. Clients use this to find Delta CRL locations."
  4. Restart Active Directory Certificate Services when prompted, publish a new CRL, and reissue the SSTP certificate: the CDP is written into a certificate at issuance, so existing certificates keep the old URLs

If you can't make the CRL server externally accessible, the client-side switch is the SSTP service's own setting (the Winlogon key sometimes quoted for this does nothing for SSTP):


# Disable SSTP revocation checking on the CLIENT (testing only: a revoked server certificate is then accepted)
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters" -Name "NoCertRevocationCheck" -Value 1 -Type DWord
Restart-Service SstpSvc -Force   # or reboot, then reconnect; set the value back to 0 once the CDP is fixed

# Group Policy offers tolerance, not a switch:
Computer Configuration → Windows Settings → Security Settings → Public Key Policies
→ Certificate Path Validation Settings → Revocation → Select "Define these policy settings"
→ the options there (such as allowing CRL and OCSP responses to stay valid past their lifetime) let clients
  keep using a stale CRL for a while; they do not turn revocation checking off for SSTP

The correct fix is a certificate issued by a CA whose CDP URLs are reachable. The request itself cannot set the CDP; the CA adds it at issuance from its Extensions configuration. A request for the SSTP server certificate:


; Sample certreq.inf for the SSTP server certificate
[NewRequest]
Subject = "CN=vpn.yourdomain.com"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1                       ; AT_KEYEXCHANGE, required for TLS
KeyUsage = 0xA0                   ; Digital Signature + Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1           ; Server Authentication, which SSTP clients require

[Extensions]
2.5.29.17 = "{text}"              ; Subject Alternative Name; clients match the SAN, not only the CN
_continue_ = "DNS=vpn.yourdomain.com&"

; certreq.inf has no [CRLDistributionPoint] section: the CA writes the CDP and AIA URLs from its
; own Extensions configuration into every certificate it issues, so fix them on the CA.
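The page describes the request file but not the round trip that turns it into an installed certificate. The script below, an added example rather than the page's own procedure, submits the INF above to the SBS enterprise CA, installs the result, prints the CDP and AIA extensions the CA actually wrote, and runs certutil's URL fetch over the chain. The file paths, the CA config string "SBSSERVER\mydomain-SBSSERVER-CA" (certutil -dump prints yours) and the use of the built-in WebServer template are assumptions.

```powershell
# Assumed paths and CA name; adjust to your environment.
$inf = "C:\pki\sstp.inf"
$req = "C:\pki\sstp.req"
$cer = "C:\pki\sstp.cer"
$caConfig = "SBSSERVER\mydomain-SBSSERVER-CA"   # assumption: output of 'certutil -dump' shows the real one

certreq -new $inf $req                           # generates the key pair in the machine store and the PKCS#10
# An enterprise CA (SBS 2011) requires a template; WebServer supplies the Server Authentication EKU.
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer" $req $cer
certreq -accept $cer                             # joins the issued certificate with its private key

# Show what the CA put in the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions. Every entry an
# internet client can use must be http://; an ldap:/// entry listed first costs a timeout before the next one.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
$issued.Extensions | Where-Object { $_.Oid.Value -in "2.5.29.31", "1.3.6.1.5.5.7.1.1" } |
    ForEach-Object { "--- $($_.Oid.FriendlyName)"; $_.Format($true) }

# certutil -verify -urlfetch downloads every CDP and AIA URL in the chain from this machine. A "Failed"
# line is the failure an SSTP client would hit, together with the DNS or HTTP error behind it.
certutil -verify -urlfetch $cer | Select-String -Pattern 'Verified|Failed|Error|Revocation|://' |
    ForEach-Object { $_.Line.Trim() }
```

Run the last command again from an external machine with a copy of the .cer file; a fetch that succeeds on the CA but fails outside is the classic internal-only CDP.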

Ensure these ports are open for CRL checking to work properly:

  • TCP 80 from the internet to the CRL web server: CryptoAPI downloads CRLs over plain HTTP and does not fetch them from an https:// CDP (it would first have to check revocation of that TLS certificate)
  • TCP 443 from the internet to the VPN server, which is SSTP itself
  • TCP 389 (LDAP) and TCP 445 (SMB) only matter for ldap:/// and file:// CDPs, which internet clients cannot use anyway; leave those out of the CDP extension rather than opening the ports
  • ICMP is not needed for revocation checking; it only helps you test reachability

When configuring SSTP VPN connections with Windows Server, certificate validation is often the most problematic aspect. The specific error 0x80092013 indicates the client cannot verify whether your certificate has been revoked because it can't reach the Certificate Revocation List (CRL) distribution point.

Your SBS 2011 server's CA automatically publishes CRLs to internal locations by default. Even after adding external CDP URLs, several configuration elements must align:

  • The CRL must be properly published to the external URL
  • The AIA (Authority Information Access) extension must be configured
  • Client-side certificate validation settings may need adjustment

1. Verify CRL Publishing:
On your SBS 2011 CA server, from an elevated command prompt or PowerShell window (certutil is a command-line tool, not a cmdlet), publish a fresh CRL to every configured location:

certutil -crl

2. Validate External Access:
Use this PowerShell test from an external machine:

Invoke-WebRequest -Uri "http://mydomain.com/CertEnroll/MYSERVER-CA.crl" -UseBasicParsing

3. Configure IIS for CRL Distribution:
Ensure your IIS has a virtual directory for CertEnroll with the correct MIME type (the proper type for .crl is application/pkix-crl, which IIS 7.5 already maps; add it only if Get-WebConfigurationProperty shows it missing):

Import-Module WebAdministration
New-WebVirtualDirectory -Site "Default Web Site" -Name "CertEnroll" -PhysicalPath "C:\Windows\System32\CertSrv\CertEnroll"
# Adding a MIME mapping is an Add- on the collection, not a Set- on "."
Add-WebConfigurationProperty -PSPath "IIS:\" -Filter "/system.webServer/staticContent" -Name "." -Value @{fileExtension='.crl'; mimeType='application/pkix-crl'}
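Steps 1 to 3 each check one piece; what a practitioner wants is proof that the CRL the internet receives is the one the CA just wrote and that it is still valid. The script below is an added example, not from the original page. It runs on the CA and assumes the CA is named mydomain-SBSSERVER-CA (so the file is mydomain-SBSSERVER-CA.crl) and that the external base URL is http://mydomain.com/CertEnroll; both are placeholders.

```powershell
Import-Module WebAdministration
$crlDir = "C:\Windows\System32\CertSrv\CertEnroll"
$crlName = "mydomain-SBSSERVER-CA.crl"                       # assumption; 'dir $crlDir' shows the real name
$externalUrl = "http://mydomain.com/CertEnroll/$crlName"     # assumption: the public CDP URL

function Get-Sha256Hex([string]$Path) {
    # File hash without Get-FileHash, which the PowerShell 3.0 available on SBS 2011 does not have
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-', ''
}

# 1. Publish a fresh base CRL (and a delta CRL if the CA is configured for them).
certutil -crl | Out-Null
$local = Get-Item (Join-Path $crlDir $crlName)
"Local CRL written $($local.LastWriteTime), $($local.Length) bytes"

# 2. Download it over plain HTTP, as CryptoAPI would, and compare content rather than just the status:
#    a stale copy on a separate web server or a cached proxy response also returns 200.
$downloaded = Join-Path $env:TEMP $crlName
Invoke-WebRequest -Uri $externalUrl -UseBasicParsing -OutFile $downloaded
$match = (Get-Sha256Hex $local.FullName) -eq (Get-Sha256Hex $downloaded)
"External copy identical to CA copy: $match"

# 3. Validity window: a client that downloads a CRL whose NextUpdate has passed still fails with 0x80092013.
certutil -dump $downloaded | Select-String -Pattern 'ThisUpdate|NextUpdate' | ForEach-Object { $_.Line.Trim() }

# 4. Delta CRLs are named "<CA>+.crl"; IIS request filtering rejects the '+' unless double escaping is allowed.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\CertEnroll" `
    -Filter "system.webServer/security/requestFiltering" -Name allowDoubleEscaping -Value $true
```

If the public name does not resolve from inside (no hairpin NAT), run step 2 from an external machine and copy the hash across; a mismatch means the external URL is serving an old file or is not the folder the CA writes to.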

For testing purposes, you can temporarily disable revocation checking on the client. The switch is the SSTP service's own value; the ChainCacheResyncFiletime key sometimes quoted only flushes the CryptoAPI chain cache and does not disable anything:

# PowerShell (elevated) on the VPN client; set it back to 0 once the CDP is fixed
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters" -Name "NoCertRevocationCheck" -Value 1 -Type DWord

For production environments, create a Group Policy to manage certificate validation:

# GPO configuration path:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings

For modern environments, consider an Online Responder (OCSP): the client then sends a small request about the one certificate instead of downloading the whole CRL. This is the AD CS role service, which is a different thing from OCSP stapling (a TLS feature of the server); after installing it you still create a revocation configuration in the Online Responder console with an OCSP Response Signing certificate, and publish the responder URL in the AIA extension so new certificates carry it:

# Windows Server 2012 R2 and later, on the server that will host the responder:
Add-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force
# On the CA: flag 32 = "Include in the online certificate status protocol (OCSP) extension"; the full value is replaced, so keep the existing entries. Restart certsvc and reissue afterwards.
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://mydomain.com/CertEnroll/%1_%3%4.crt\n32:http://ocsp.mydomain.com/ocsp"

CDP URLs come from the CA's configuration, not from the certificate template, so custom templates need no change; set the URLs with certutil (the same thing the Extensions tab does). The flag prefix is a sum of 1 = publish the CRL here, 2 = include in the CDP extension of issued certificates, 4 = include in CRLs so clients find the delta CRL, 8 = AD publishing location, 64 = publish the delta CRL here. Leave 2 off the LDAP entry: internet clients can only waste a timeout on it before reaching the HTTP entry, and an http:// URL cannot carry 1 because the CA cannot write to it:

certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://mydomain.com/CertEnroll/%3%8%9.crl\n77:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
Restart-Service certsvc
certutil -crl

Remember that the CDP and AIA URLs are written into a certificate when it is issued, so after changing them on the CA you must restart certsvc, publish a new CRL (certutil -crl) and reissue the SSTP server certificate; certificates issued earlier keep the old URLs, and clients keep using a cached CRL until its NextUpdate passes.