Edge browser: Your connection isn’t private

I prefer taking notes when I encounter issues and also remembering everything is getting harder.

While accessing half of the internal sites in Edge, users were encountering the following error: “Your connection isn’t private. Attackers might be trying to steal your information from <site URL> (for example, passwords, messages, or credit card). NET::ERR_CERT_UNABLE_TO_CHECK_REVOCATION”

I verified that the certificates were not expired and that the sites were accessible in Chrome and Firefox with no issues. Now, all the browsers are STIG’ed as per the SCG. I started looking at group policy settings for the Edge browser, and two settings relating to online OCSP/CRL checks stood out:
1. “Soft Fail” (Enable online OCSP/CRL checks GPO setting) – if enabled, the certificate is still considered valid even if the revocation server cannot be reached.
2. “Hard Fail” (Specify if online OCSP/CRL checks are required for local trust anchors) – if Edge can’t get revocation status information, the certificates are treated as revoked and the sites will encounter an error.

I disabled the Edge GPO setting “Specify if online OCSP/CRL checks are required for local trust anchors” (“hard fail”) and I was able to access the sites that were encountering the issue. This led me to investigate why Edge was not able to reach the revocation/CRL server. The certificates that were having the issue were referring to the wrong/old CRL Distribution Point server. I believe this happened because I migrated the Windows Server 2012 R2 CA server to a new Windows Server 2019.

I also used the following certutil command to check for expired CRLs:

certutil -split -URL "ldap:///CN=DC1-CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint"

It should bring up the GUI. Select “CRLs (from CDP)” and choose Retrieve. Both the Base CRL and the Delta CRL appeared expired.
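
A scripted version of the same investigation, added here as an example and not part of the original notes: it reads the two Edge policy values, pulls the certificate a site presents, lists its CDP URLs and builds the chain with online revocation checking. The host name is a placeholder, and the registry value names are the Edge policy names for the two settings described above.

```powershell
# Added example, not from the original post. The host name is a placeholder.
param(
    [string]$HostName = 'intranet.contoso.com',
    [int]$Port = 443
)

# 1. Edge revocation policies as applied by GPO (absent value = not configured).
$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
foreach ($name in 'EnableOnlineRevocationChecks',
                  'RequireOnlineRevocationChecksForLocalAnchors') {
    $value = (Get-ItemProperty -Path $edgeKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = '(not configured)' }
    '{0,-46} {1}' -f $name, $value
}

# 2. Fetch the certificate the site presents. The callback accepts any
#    certificate because the goal is to inspect it, not to trust the session.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $ssl.RemoteCertificate
} finally {
    $tcp.Close()
}
"Subject: $($cert.Subject)  NotAfter: $($cert.NotAfter)"

# 3. List the CRL Distribution Point URLs embedded in the certificate
#    (extension OID 2.5.29.31); a stale server name shows up here.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { 'CDP: ' + $_.Groups[1].Value }
} else {
    'CDP: (none in certificate)'
}

# 4. Build the chain with online revocation checking and report every status flag.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
"Chain valid with online revocation: $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) {
    '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}
```

A `RevocationStatusUnknown` or `OfflineRevocation` status means revocation information could not be obtained for the chain, which is the case the hard-fail setting turns into an error.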

Solution: Request and install a new certificate from the CA