SEC_E_REVOCATION_OFFLINE_C (0X80090353) Smart Card Fix

Cybersecurity & Malware | Intermediate | May 28, 2026

Your smart card certificate's revocation status can't be checked. The CRL distribution point is offline or unreachable. Here's how to fix it.

Quick answer: Disable certificate revocation checking for smart card auth via Group Policy or registry. Then restart the smart card service and re-insert the card.

What's happening here

You're trying to log in with a smart card—maybe on a domain-joined Windows 10 or 11 machine, or a Windows Server 2019/2022. Instead of getting in, you see SEC_E_REVOCATION_OFFLINE_C (0X80090353). The system can't reach the Certificate Revocation List (CRL) distribution point that's baked into your smart card certificate. This isn't necessarily a dead card. It's a network problem—or a policy problem.

The smart card certificate has a URL pointing to where the CRL lives. If that server is down, blocked by a firewall, or the machine can't resolve the DNS name, Windows refuses to trust the certificate. That's by design. But when the CRL server is temporarily unavailable (during a maintenance window, after a network outage, or because the CA server is getting pounded), you get locked out. The real fix is either to get that CRL point reachable, or—as a tactical workaround—tell Windows to skip the revocation check for smart card certs.

Fix steps

Step 1: Check if the CRL distribution point is reachable

Open a command prompt as Administrator. Type:

certutil -URL yoursmartcardcert.cer

Replace yoursmartcardcert.cer with the actual certificate file from your card. If you don't have the cert exported, run certmgr.msc, find the smart card certificate under Personal > Certificates, right-click it, choose All Tasks > Export, and export it as DER-encoded (.cer).

After running certutil -URL, look for the line that says URL Retrieval Timeout or CRL URL. If it times out or shows 0x80092013, the CRL is offline. That's your root cause.
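
As an added example (not part of the original article), the PowerShell script below runs the Step 1 check from the command line: it reads the CRL Distribution Points extension from the exported certificate and tries to fetch each HTTP URL. The 10-second timeout and the function names Get-CdpUrl and Test-CdpUrl are assumptions of this example, and the parsing relies on how Windows formats the extension.

```powershell
# Added example: list the CRL distribution point (CDP) URLs in a certificate
# and test whether each HTTP(S) one can be fetched.
param(
    [string]$CertPath = '.\yoursmartcardcert.cer',  # file exported in Step 1
    [int]$TimeoutSec = 10                            # assumed per-URL timeout
)

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    # On Windows, Format($true) renders one "URL=<value>" entry per line.
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
        $m.Groups[1].Value
    }
}

function Test-CdpUrl {
    param([string]$Url, [int]$TimeoutSec)
    $row = [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = '' }
    if ($Url -notmatch '^https?://') {
        $row.Detail = 'not tested (non-HTTP CDP, e.g. LDAP)'
        return $row
    }
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        $row.Reachable = ($resp.StatusCode -eq 200)
        $row.Detail = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
    } catch {
        # DNS failure, firewall block, timeout and HTTP errors all land here.
        $row.Detail = $_.Exception.Message
    }
    $row
}

$path = (Resolve-Path -Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
$urls = @(Get-CdpUrl -Cert $cert)
if ($urls.Count -eq 0) {
    Write-Warning "No CRL distribution point extension in $($cert.Subject)"
} else {
    $urls | ForEach-Object { Test-CdpUrl -Url $_ -TimeoutSec $TimeoutSec } |
        Format-List
}
```

A URL that fails from the affected workstation but succeeds from another network segment points to DNS, proxy or firewall rules rather than to the CA itself.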

Step 2: Temporarily disable revocation checking (workaround)

This is the most common fix. You're telling Windows: for smart card authentication, don't bother checking revocation. Run gpedit.msc (Group Policy Editor) if you have Pro or Enterprise. If not, use the registry method.

Group Policy route:

  1. Press Win + R, type gpedit.msc, hit Enter.
  2. Go to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings.
  3. Find Turn off Automatic Root Certificates Update and set it to Enabled. Click Apply and OK.
  4. Now go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
  5. Double-click Certificate Path Validation Settings. Under the Revocation tab, check Define these policy settings.
  6. Under Revocation checking, select Do not check revocation. Click OK.
  7. In the same dialog, under the Network Retrieval tab, check Define these policy settings and select Do not allow certificate revocation list (CRL) retrieval. Click OK.

After applying, restart the Smart Card service: open Services.msc, find Smart Card, right-click and Restart. Then re-insert your smart card and try logging in.

Registry route (if no Group Policy):

Open Regedit as Administrator. Go to:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\Certificates\

If the Certificates key doesn't exist, create it. Under it, create a new DWORD (32-bit) called DisableCRLCheck and set its value to 1. Also create another DWORD called RevocationCheckFreshnessTime and set it to 0. Then restart the Smart Card service.

After these changes, you should be able to authenticate. If you still get the error, move to the alternative fixes.

Alternative fixes if the main one fails

Alternative 1: Clear the local CRL cache

Windows caches CRLs. If you've had a partial download, the cache might be corrupt. Run:

certutil -delstore CA *

This deletes all cached CRLs. Then force a new check by running:

certutil -urlcache CRL delete

Then restart the Smart Card service and try again.

Alternative 2: Manually download and install the CRL

If you know the CRL URL (from Step 1), open a browser and go to that URL. Download the .crl file. Then right-click it and choose Install CRL. This places it in the local machine store. Windows will use it instead of trying to fetch it online.

Alternative 3: Update the smart card driver

A bad driver can cause the certificate chain to be misread. Go to Device Manager, find Smart card readers, right-click your reader, choose Update driver, and let Windows search online. Reboot after.

Prevention tip

Don't leave revocation checking disabled permanently. That's a security hole. The real fix is to make sure your CRL distribution point is always reachable. If you control the CA, host the CRL on a redundant web server or a CDN. Set the CRL's Next Update period to something reasonable (24 hours is standard). For client machines, set a Group Policy that caches the CRL for longer—so even if the server blips during a login, the cached CRL is still valid. Under Certificate Path Validation Settings > Revocation, set the CRL retrieval timeout to 10 seconds, not the default 30. That way the system fails fast and falls back to cached data. Also, if you're using smart cards for VPN or remote desktop, make sure the CRL URL is reachable from outside your network—otherwise your road warriors will hit this error every time.
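
To make sure the Step 2 registry workaround does not stay in place, the following added PowerShell example (not from the original article) reports the two values the registry route creates and, with -Remove, deletes them and restarts the Smart Card service. The key path and value names are taken from this page; the -Remove switch is this example's own, and settings applied through the Group Policy route are not touched.

```powershell
# Added example: report and optionally roll back the registry workaround
# from Step 2. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)   # hypothetical switch name chosen for this example

# Key and value names are the ones given in the registry route on this page.
$key    = 'HKLM:\Software\Policies\Microsoft\System\Certificates'
$values = 'DisableCRLCheck', 'RevocationCheckFreshnessTime'

# Collect whichever of the two values currently exist.
$found = foreach ($name in $values) {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{ Name = $name; Value = $item.$name }
    }
}

if (-not $found) {
    Write-Output 'Workaround values not present; nothing to roll back.'
    return
}
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        # ShouldProcess makes -WhatIf and -Confirm work for each deletion.
        if ($PSCmdlet.ShouldProcess("$key\$($entry.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $key -Name $entry.Name
        }
    }
    if ($PSCmdlet.ShouldProcess('SCardSvr', 'Restart service')) {
        Restart-Service -Name SCardSvr   # SCardSvr is the Smart Card service
    }
}
```

Run without -Remove, the script only reports, which makes it suitable for a scheduled compliance check across machines where the workaround was applied.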
