Troubleshooting
Sometimes the receiver has difficulty opening the encrypted message. The three most likely sources of problems in this area are untrusted root CAs, intermediate CAs that can't be validated, and CRLs that are not available or accessible.
Untrusted CAs
If the root CA or an intermediate CA is not trusted on the receiving system, verify the certificate chain and import (or distribute to the affected clients) the required CA certificates, after you have verified them yourself.
Verify Certificate Revocation List Chain
A certificate is by default treated as invalid if the CRL (or Delta CRL) check fails. This can happen when:
- the CRL cannot be retrieved (e.g. a wrong CRL distribution point in the configuration, or the CRL server is not reachable from the client)
- the CRL or Delta CRL was not renewed/updated within the defined time frame, so the available copy has already expired
Check whether you can retrieve the certificate revocation lists from the known URL, or from the URL contained in the certificate itself, with one of the following:
certutil -urlfetch -verify <FilenameOfCertificate>
certutil -URL <URL or FilenameOfCertificate>
The first command validates the whole chain and fetches the CRLs and issuer certificates it references; the second only tests whether the URLs can be retrieved.
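As an added example (not from this page and not part of certutil), the following Python code, using the `cryptography` package, performs the same two checks offline: it lists the CRL distribution point URLs that `certutil -urlfetch` would follow, and it classifies a downloaded CRL as untrusted (not signed by the expected CA key), stale (past its NextUpdate time, i.e. not renewed in time), revoked or good. The CA, the CRL and the URL `http://crl.example.invalid/demo.crl` are constructed for the demo; `build_demo` is a helper that exists only to generate them.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def crl_urls(cert):
    """CRL distribution point URLs in a certificate (the URLs -urlfetch follows)."""
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in cdp for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def check_crl(crl_der, issuer_cert, serial, now=None):
    """Classify a fetched CRL as a validator would: untrusted, stale, revoked or good."""
    now = now or dt.datetime.now(dt.timezone.utc)
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return "untrusted"  # not signed by the CA the chain says issued it
    # next_update_utc exists from cryptography 42; older releases return naive UTC
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update
    if nxt is not None and nxt.replace(tzinfo=nxt.tzinfo or dt.timezone.utc) < now:
        return "stale"  # NextUpdate has passed: the CRL was not renewed in time
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"

def build_demo(next_update_days, revoke_serial=None, now=None):
    """Constructed mini PKI: self-signed CA with a placeholder CDP URL and a CRL it signs."""
    now = now or dt.datetime.now(dt.timezone.utc)
    key = rsa.generate_private_key(65537, 2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier("http://crl.example.invalid/demo.crl")],
        None, None, None)])
    ca = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
          .public_key(key.public_key()).serial_number(1)
          .not_valid_before(now - dt.timedelta(days=1))
          .not_valid_after(now + dt.timedelta(days=365))
          .add_extension(cdp, critical=False).sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(now - dt.timedelta(days=7))
           .next_update(now + dt.timedelta(days=next_update_days)))
    if revoke_serial is not None:  # list one serial to exercise the revoked path
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
              .serial_number(revoke_serial)
              .revocation_date(now - dt.timedelta(hours=1)).build())
    return ca, crl.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
```

For a real certificate, load it with `x509.load_pem_x509_certificate`, download each URL returned by `crl_urls`, and pass the DER bytes together with the issuing CA's certificate to `check_crl`.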