Troubleshooting
Sometimes, the receiver has difficulty opening the encrypted message. Common sources of problems are:
- untrusted root CAs
- intermediate CAs that can't be validated
- CRLs that are not available or accessible
Untrusted CAs
If root or intermediate CAs are untrusted, verify the certificate chain and import/distribute the required CA certificates.
Verify Certificate Revocation List Chain
By default, a certificate is considered invalid if the CRL (Delta-CRL) verification fails. This can happen due to:
- CRL not retrievable (e.g. wrong configuration or CRL server not reachable)
- CRL or Delta-CRL not renewed/updated within the defined time frame
Check whether you can retrieve the CRL, either from a known URL or from the URL indicated in the certificate itself, with one of the following commands:
certutil -urlfetch -verify <FilenameOfCertificate>
or
certutil -URL <URL or FilenameOfCertificate>
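
The three problem sources listed above can be told apart by building the chain with online revocation checking through .NET's X509Chain class and reading the status flags it reports. The PowerShell below is an added example, not part of the original page; the function name, the hint texts and the file name in the usage comment are assumptions.

```powershell
# Added example, not from the original page. Test-MailCertificateChain is a hypothetical name.
function Test-MailCertificateChain {
    param([Parameter(Mandatory)][string] $Path)

    # Map .NET chain status flags to the problem sources listed on this page.
    $hints = @{
        UntrustedRoot           = 'Untrusted root CA: import/distribute the root CA certificate'
        PartialChain            = 'Intermediate CA cannot be validated: import/distribute the missing CA certificate'
        RevocationStatusUnknown = 'CRL or Delta-CRL not retrievable or not renewed in time'
        OfflineRevocation       = 'CRL server not reachable'
    }
    $file  = (Resolve-Path -LiteralPath $Path).Path
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # Check revocation online for every certificate in the chain, not only the leaf.
        $chain.ChainPolicy.RevocationMode      = 'Online'
        $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
        $valid = $chain.Build($cert)

        # Findings attached to individual certificates, leaf first.
        $rows = @(foreach ($element in $chain.ChainElements) {
            foreach ($s in $element.ChainElementStatus) {
                [pscustomobject]@{ Subject = $element.Certificate.Subject; Flag = $s.Status; Info = $s.StatusInformation }
            }
        })
        # Chain-level flags (for example PartialChain) may not be attached to any single element.
        $rows += @(foreach ($s in $chain.ChainStatus) {
            if ($rows.Flag -notcontains $s.Status) {
                [pscustomobject]@{ Subject = '(whole chain)'; Flag = $s.Status; Info = $s.StatusInformation }
            }
        })
        $rows = @($rows | Where-Object { $_.Flag -ne 'NoError' })
        if ($valid -and $rows.Count -eq 0) {
            return [pscustomobject]@{ Subject = $cert.Subject; Status = 'NoError'; Hint = 'Chain trusted, revocation checked' }
        }
        foreach ($r in $rows) {
            $name = $r.Flag.ToString()
            # Fall back to the system's own status text for flags not covered by the table above.
            $hint = if ($hints.ContainsKey($name)) { $hints[$name] } else { "$($r.Info)".Trim() }
            [pscustomobject]@{ Subject = $r.Subject; Status = $name; Hint = $hint }
        }
    } finally {
        $chain.Reset(); $cert.Reset()
    }
}

# Usage (placeholder file name): Test-MailCertificateChain -Path .\recipient.cer | Format-List
```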