Let's Encrypt with Microsoft Remote Desktop - Revocation Checks Causing Errors

My solution:

EDIT2: something seems to be wrong with my User Profile. If I create a new user on my Win7 Workstation and connect using that one there is no warning and the lock appears normally. If I find out what it is I will update here.
It’s not “certutil -urlcache”. I’ll keep searching.

EDIT3: After growing a few more grey hairs I got it. Clearing the various caches (ocsp and crl) didn’t help. What finally did was this: certutil -url <DER encoded certificate file>
That opens a little GUI. I clicked on all the retrieve options and bingo. No more errors on connecting. Very, very strange.

Original question:

I have recently switched from a StartSSL SAN certificate to an (almost) identical LE certificate. Now my RDP Clients are showing this warning you have to ignore before allowing the connection: “a revocation check could not be performed for the certificate”

The only differences I can see between the two certificates is the “CRL Distribution Points” Field which is missing on the LE cert. And the CN which is set to a different subdomain (also the C / country field is not set on the LE cert).
The SAN are the same (different order though) and a check with https://certificate.revocationcheck.com shows no problems except for some HTTP header problems on http://crl.identrust.com/DSTROOTCAX3CRL.crl which I don’t think are relevant.

Does anyone have a working setup of a Windows 2012 RemoteApp/Session Host/Connection Broker/RD Gateway with a LE Certificate and could give me some tips?

I hope the problem isn’t the CRL field, because I have no way to influence that. Or is there a way to get a cert with a CRL-URL attached?

EDIT: The error seems to be limited to Windows 7 Clients (yes the latest RDP Client with 8.1 Protocol is installed). I had no such message on Windows 10 (1607). The lock icon on the connection bar shows up on Win10 and you can check the certificate with it. On Win7 it does no longer show up.

hi @clst

Usually a quick search on the forum would help out

Using Let's Encrypt to secure Windows Remote Desktop connections - #5 by ahaw021

Also try to avoid abbreviation as people might not know what MS RDP is.


Thanks for the reply. The issue was none of those checks failed and the problem didn’t exist on computers that had never connected before.
My guess is that it’s a problem with stale cached OCSP or CRL responses in the Windows user profile.
I will check if certutil -verify -urlfetch cert.cer will fix it and update the OP with this solution. Then it can be “googled” easier.
I searched for 2 days before posting. Windows can break in mysterious ways.
The workaround I posted in EDIT3 worked on two Windows 7 PCs so far.

hi @clst

Do you have the Let’s Encrypt Intermediate installed on the server?


Do you mean Let’s Encrypt Authority X3? Thumbprint ‎e6 a3 b4 5b 06 2d 50 9b 33 82 28 2d 19 6e fe 97 d5 95 6c cb
Yes it’s installed. I am pretty sure the problem was client-side though. (And additionally had nothing to do with LetsEncrypt but with Windows’ weird OCSP/CRL caching due to the swapped out certificate)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.