Forum Discussion
MikeGl1963
May 17, 2022 | Brass Contributor
Your connection isn't private on edge after hardening plus no home page
Hi, We are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hiccups, two of which I would be happy for assistance with fixing. It's important th...
kevin7461
May 18, 2022 | Copper Contributor
“ERR_CERT_NO_REVOCATION_MECHANISM” means the certificate has no revocation mechanism, i.e., no CRL or OCSP reference.
I can imagine some CAs issue short-lived certificates and thus provide no means to revoke them. Letsencrypt would be an obvious example, but they *do* provide revocation means via OCSP.
Google, too, issues short-lived (3 months long) certificates for www.google.com but they, too, provide OCSP and CRL in their certificates, at least, for me.
Could it be you are using some middle box (e.g., PaloAlto Networks or Cisco firewall) on your network or antivirus on your computer that does https interception and substitutes certificate with their own? To confirm that, can you view the certificate you get and check if it’s really Google’s? Google certificate is issued by GTS CA which is issued by GTS Root R1. You can inspect real certificates via https://www.ssllabs.com/ssltest/
MikeGl1963
May 18, 2022 | Brass Contributor
Based on what you said, I looked over my parameters and found the following setting:
"Specify if online OCSP/CRL checks are required for local trust anchors" Which we had set to Enabled. As per the explanation "If Microsoft Edge can't get revocation status information, these certificates are treated as revoked ("hard-fail")." The moment I set this back to Not Configured, everything started working again.
So thank you for your excellent assistance.
Since I can't mark two posts as Best Response, and since I got the help I needed from you and from mikhailf I hope you will both accept my thanks alone in this.
Mike Glassman
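Added example (not code from the thread or from Microsoft): a PowerShell check, run from the affected workstation, that pulls the certificate the browser would actually see (so a middlebox's substitute certificate is what gets inspected), tests it for the CRL Distribution Points and OCSP (AIA) pointers kevin7461 describes, and reads the registry value behind the GPO setting Mike found. The host name is a placeholder; RequireOnlineRevocationChecksForLocalAnchors is the Edge policy name behind "Specify if online OCSP/CRL checks are required for local trust anchors".

```powershell
# Added example, not from the thread. Fetch the certificate a server presents to THIS machine,
# report whether it carries CRL/OCSP pointers, and read the Edge hard-fail policy value.
param([string]$HostName = 'www.example.com', [int]$Port = 443)   # placeholder host name

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: we only inspect it, we do not rely on it for trust.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Dispose() }
}

function Test-RevocationPointers {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $crl = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }         # CRL Distribution Points
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } # Authority Information Access
    # An OCSP responder is an AIA entry whose accessMethod is id-ad-ocsp (1.3.6.1.5.5.7.48.1);
    # Format($true) renders the extension as text that includes the method OID and the URL.
    $hasOcsp = ($null -ne $aia) -and ($aia.Format($true) -match '1\.3\.6\.1\.5\.5\.7\.48\.1')
    [pscustomobject]@{
        Subject             = $Cert.Subject
        Issuer              = $Cert.Issuer   # a middlebox CA here, not GTS CA, means interception
        HasCrlDistribution  = ($null -ne $crl)
        HasOcspResponder    = $hasOcsp
        # Neither pointer present: with hard-fail enabled Edge reports ERR_CERT_NO_REVOCATION_MECHANISM
        RevocationMechanism = ($null -ne $crl) -or $hasOcsp
    }
}

function Get-EdgeRevocationPolicy {
    # Registry value backing "Specify if online OCSP/CRL checks are required for local trust anchors"
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' `
        -Name 'RequireOnlineRevocationChecksForLocalAnchors' -ErrorAction SilentlyContinue
    $value = $item.RequireOnlineRevocationChecksForLocalAnchors
    if ($null -eq $value) { 'Not Configured' }
    elseif ($value -eq 1)  { 'Enabled (hard-fail)' }
    else                   { 'Disabled' }
}

$cert = Get-ServerCertificate -HostName $HostName -Port $Port
Test-RevocationPointers -Cert $cert | Format-List
"Edge RequireOnlineRevocationChecksForLocalAnchors: $(Get-EdgeRevocationPolicy)"
```

A certificate whose Issuer is not the expected public CA and whose RevocationMechanism is False, together with the policy reading Enabled, reproduces the combination described in this thread.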