0x537461746943 writes: "About 1:30am a few customers that use our secure web servers started getting CRL (Certificate Revocation List) verification failed messages. It turns out the CA (certificate authority) we use had an issue with the updating the CRL which caused browsers to fail CRL verification. IE's default for 'Check for server certificate revocation' is off but the CRL that failed was the publishers certificate revocation list (Check for publisher's certificate revocation) which defaults to on for IE. The CA fixed the issue but now we have CRL caching issues. We have to wait for them to expire or tell customers to manually toggle the 'Check for publisher's certificate revocation' setting in IE which seems to force the browser to get the new CRL
We have tried to think of as many failure scenarios as possible over the 12 years that we have operated but this is one that completely slipped by us. We now plan to buy two certificates from different CAs for our critical https web sites. Just in case something happens we can just switch to another certificate that was signed by a different CA. It is not like we used some unknown CA either. We used one of the top CAs out there that have been established for a very long time."