EDIT2: Something seems to be wrong with my User Profile. If I create a new user on my Win7 Workstation and connect using that one, there is no warning and the lock appears normally. If I find out what it is I will update here.
It’s not “certutil -urlcache”. I’ll keep searching.
EDIT3: After growing a few more grey hairs I got it. Clearing the various caches (ocsp and crl) didn’t help. What finally did was this:
certutil -url <DER encoded certificate file>
That opens a little GUI. I clicked on all the retrieve options and bingo. No more errors on connecting. Very, very strange.
I have recently switched from a StartSSL SAN certificate to an (almost) identical LE certificate. Now my RDP Clients are showing this warning, which you have to ignore before allowing the connection: “a revocation check could not be performed for the certificate”
The only differences I can see between the two certificates are the “CRL Distribution Points” field, which is missing on the LE cert, and the CN, which is set to a different subdomain (also the C / country field is not set on the LE cert).
The SANs are the same (different order though) and a check with https://certificate.revocationcheck.com shows no problems except for some HTTP header problems on http://crl.identrust.com/DSTROOTCAX3CRL.crl which I don’t think are relevant.
Does anyone have a working setup of a Windows 2012 RemoteApp/Session Host/Connection Broker/RD Gateway with a LE Certificate and could give me some tips?
I hope the problem isn’t the CRL field, because I have no way to influence that. Or is there a way to get a cert with a CRL-URL attached?
EDIT: The error seems to be limited to Windows 7 Clients (yes, the latest RDP Client with 8.1 Protocol is installed). I had no such message on Windows 10 (1607). The lock icon on the connection bar shows up on Win10 and you can check the certificate with it. On Win7 it no longer shows up.
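To pin down whether the warning is caused by the certificate itself (no CRL Distribution Points, so the client must fall back to OCSP via the Authority Information Access extension) or by the client's own revocation fetching, the following PowerShell diagnostic is an added example, not part of the original post. It assumes the RDP certificate has been exported to the placeholder path C:\certs\rdp.cer; it lists the revocation-related extensions and then builds the chain with an online revocation check on the client machine so the exact status flags are visible instead of the generic warning.

```powershell
# Added diagnostic script (not from the original post). Placeholder path:
$path = 'C:\certs\rdp.cer'   # DER or Base64 export of the RDP certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)

# The two extensions Windows consults to locate revocation information.
$checks = @(
    @('CRL Distribution Points',       '2.5.29.31'),          # CRL URLs
    @('Authority Information Access',  '1.3.6.1.5.5.7.1.1')   # OCSP responder / CA issuer URLs
)
foreach ($pair in $checks) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $pair[1] }
    if ($ext) {
        Write-Host "$($pair[0]): present"
        Write-Host ($ext.Format($true))   # decoded URLs the client would fetch
    } else {
        Write-Host "$($pair[0]): MISSING"
    }
}

# Approximate the client's check: build the chain with online revocation
# checking over the whole chain and print every status flag. A result of
# RevocationStatusUnknown or OfflineRevocation is the condition behind
# "a revocation check could not be performed"; compare the output of this
# script on the Win7 client with the Win10 client (and with a fresh profile).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)
Write-Host "Chain builds cleanly: $ok"
foreach ($s in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# Built-in equivalent that also shows each URL fetch and its result:
#   certutil -verify -urlfetch C:\certs\rdp.cer
```

Run it under the user profile that shows the warning; a chain that builds cleanly for a new profile but reports RevocationStatusUnknown for the affected one points at per-user URL cache state rather than at the certificate.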