Точки распределения сертификата RDP

Either:

1. The client doesn't have the CA Root cert installed on their computer, in the Trust Root Certs folder.
2. The CRL URL in the Certificate can't be resolved by the client, or returns an outdated CRL.

By default MS CAs are configured to publish CRLs only to AD, which is not accessible from the outside world. MSTSC 6.0+ will return this error if they can't get the CRL and a URL is specified.