In some cases your air gapped environment does not allow Certificate Revocation List checking. This can occur if you have a server which has never been able to fetch the CRL. This can cause an issue installing, but not running, the Agilicus Connector.

If you see an error like “The revocation function was unable to check revocation for the certificate” when you paste the installation command for the Agilicus Connector, add the parameter “–ssl-no-revoke” to the curl component. This will vary a little bit depending on your platform, but below is an example for a Windows platform:

curl --ssl-no-revoke -sSL -o "%TEMP%\aa.exe" https://www.agilicus.com/www/releases/secure-agent/stable/agilicus-agent.exe && "%TEMP%\aa.exe" client --install --challenge-id XXXX --challenge-code XXXX && del "%TEMP%\aa.exe"

Once installed, this will not be a problem again.

If you wish to verify the Agilicus Connector executable, it is digitally signed.

We discuss this problem a bit more, and a generic solution for other components in “Locked-Down Networks Certificate Revocation“. If you are looking for a general purpose secure firewall solution that can forward Certificate Revocation, and only Certificate Revocation (including OCSP) without fixed IP address lists, please contact us, we have a full solution in this area.