Client authentication is failing on NetScaler, and NetScaler reports that the certificate presented by the client is revoked.
root@NS# nsconmsg -g ssl -d current
NetScaler NS11.0: Build 64.34.nc, Date: Dec 22 2015, 19:30:52
reltime:mili second between two records Thu Feb 11 06:08:51 2016
Index rtime totalcount-val delta rate/sec symbol-name&device-no
0 7002 3 1 0 ssl_err_clientAuth_certrevoked
How can you check whether the information in the CRL file matches what NetScaler considers to be revoked?
Instructions
If you rely on CRL files, either through the "CRL Auto Refresh" feature or by manually uploading a CRL file every few days, you can check whether the CRL file used by NetScaler lists those certificates as revoked:
root@Primary# openssl crl -inform DER -text -noout -in /var/netscaler/ssl/Cert-AD1-CA.crl | egrep "(Update|Revoked|Serial Number| Revocation Date)" --color=always
Last Update: Feb 25 19:05:51 2016 GMT
Next Update: Mar 4 07:25:51 2016 GMT
Revoked Certificates:
Serial Number: 2F00000023600E587C304C1334000000000023
Revocation Date: Feb 11 20:24:00 2016 GMT
Serial Number: 2F0000001C8B1F22DA7320BFE100000000001C
Revocation Date: Feb 10 18:31:00 2016 GMT
Serial Number: 2F0000001EACE799C0F894A05A00000000001E
Revocation Date: Feb 10 17:40:00 2016 GMT
Serial Number: 2F0000001B9156FABACB0A290500000000001B
Revocation Date: Feb 10 13:56:00 2016 GMT
We can then look up the serial number in a packet capture collected on the NetScaler at the point where the client sends its certificate, and verify the certificate serial number there.

Alternatively, we can check this on the client machine by opening the certificate, going to the Details tab, and looking at Serial Number.
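
A serial number read from a packet capture or from the client's certificate details is often written differently from the CRL listing (lowercase, spaces or colons between bytes, a 0x prefix), so a plain text search can miss a revoked entry. The script below is an added example, not Citrix code: it normalizes the serial before searching the openssl crl -text output. The function names and the script name crl_lookup.sh are hypothetical, and the embedded sample is two entries copied from the output above.

```shell
#!/bin/sh
# Added example, not Citrix code. Function names are hypothetical.

# Reduce a serial to bare uppercase hex so the forms shown by different tools
# compare equal: "2f 00 00 ..." (certificate details), "0x2f00..." (packet
# capture), "2F:00:..." or "serial=2F00..." (openssl x509 -serial).
normalize_serial() {
    printf '%s' "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/^[Ss]erial=//' -e 's/^0[xX]//' |
        tr -d ' :\t\r\n' | tr 'abcdef' 'ABCDEF' |
        sed -e 's/^0*\(.\)/\1/'
}

# Search `openssl crl -text` output on stdin for serial $1 and print its
# revocation date. Returns 0 if listed, 1 if not listed, 2 if $1 is not hex.
crl_lookup() {
    want=$(normalize_serial "$1")
    case "$want" in
        ''|*[!0-9A-F]*) echo "not a hex serial: $1" >&2; return 2 ;;
    esac
    awk -v want="$want" '
        $1 == "Serial" && $2 == "Number:" {
            cur = toupper($3); sub(/^0+/, "", cur); if (cur == "") cur = "0"
        }
        # Appending "" forces a string compare, so an all-digit or "1E5"-style
        # serial is never compared as a number.
        $1 == "Revocation" && $2 == "Date:" && (cur "") == (want "") {
            sub(/^[ \t]*Revocation Date:[ \t]*/, ""); print; found = 1; cur = ""
        }
        END { exit(found ? 0 : 1) }
    '
}

# Two CRL entries copied from the output shown above, used as offline input.
sample_crl_text() {
    cat <<'EOF'
Revoked Certificates:
    Serial Number: 2F00000023600E587C304C1334000000000023
        Revocation Date: Feb 11 20:24:00 2016 GMT
    Serial Number: 2F0000001C8B1F22DA7320BFE100000000001C
        Revocation Date: Feb 10 18:31:00 2016 GMT
EOF
}

# Live use: sh crl_lookup.sh <crl-file> <serial>
if [ "$#" -ge 2 ]; then
    openssl crl -inform DER -text -noout -in "$1" | crl_lookup "$2"
fi
```

An exit status of 1 means the serial is not in that CRL file, in which case compare the Last Update and Next Update lines to confirm the file is the current one.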