I'm using certutil to debug certificate issues.
On all of our servers except one I can use the following command to successfully check any certificate:
certutil.exe -f -urlfetch -verify certificatefilename.cert
On one of our servers this command fails (for any certificate) with errors like the following:
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS
FORBIDDEN)
http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS
FORBIDDEN)
http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl
---------------- Certificate OCSP ----------------
Failed "OCSP" Time: 0
Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS
FORBIDDEN)
http://ocsp.comodoca.com
Strangely enough, when I access these URLs via a browser (on the same server) the files are downloaded without issue (for example, the following certificate revocation list can be downloaded without any problem: http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl).
I've checked the following:
- IP settings are comparable on all servers
- proxy settings are the same on all servers
- I'm logged in with the same user account on both servers
- it happens on both elevated and non-elevated command prompts
What could be causing the 403 errors?
You should also check system proxy by using command
certutil doesn't use IE proxy so maybe this will be the difference.
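
Added example, not part of the original question or answer: a PowerShell check that prints the per-user IE proxy settings next to the machine-wide WinHTTP proxy and then fetches the CRL URL from the question over each path, so the failing and working servers can be compared. It assumes the WinHTTP proxy shown by `netsh winhttp show proxy` is the one certutil's retrieval goes through; the helper name `Test-Fetch` is made up for this example.

```powershell
# Added example: compare proxy configuration and fetch results per network stack.
# Run on the failing server and on a working one, then compare the output.
$url = 'http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl'  # URL from the question

# 1. Per-user IE (WinINET) proxy settings, as used by the browser.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
    ProxyOverride = $inet.ProxyOverride
} | Format-List

# 2. Machine-wide WinHTTP proxy (assumed here to be what certutil's fetch goes through).
netsh.exe winhttp show proxy

# Hypothetical helper: fetch $Url through a given .NET proxy object and return the HTTP status.
function Test-Fetch {
    param([string]$Url, [System.Net.IWebProxy]$Proxy)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Proxy = $Proxy
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # Unwrap PowerShell's wrapper exception to reach the WebException, if any.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        return "failed: $($_.Exception.Message)"
    }
}

# 3. WinHttpRequest reads the WinHTTP registry proxy configuration by default.
$winhttp = New-Object -ComObject WinHttp.WinHttpRequest.5.1
try { $winhttp.Open('GET', $url, $false); $winhttp.Send(); $winhttpStatus = $winhttp.Status }
catch { $winhttpStatus = "failed: $($_.Exception.Message)" }

# Same URL over three paths; a 403 on only one of them points at that path's proxy.
[pscustomobject]@{
    'IE proxy (.NET system proxy)' = Test-Fetch $url ([System.Net.WebRequest]::GetSystemWebProxy())
    'Direct (no proxy)'            = Test-Fetch $url (New-Object System.Net.WebProxy)
    'WinHTTP default proxy'        = $winhttpStatus
} | Format-List
```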