TC TrustCenter will not generate any new certificates but it is likely that there are still existing certificates they have signed in the past in use. The root certificates have not yet expired but are still working and are still part of the certificate store of major browsers. If we drop support for those CAs we might affect some users who may lose access to websites they require, so removing the CA (unless expired) is not easy. Usually we wait until major browsers drop support for CAs which means all websites using those certificates become unusable for users without MWG - then we are safe to remove them too.
I have tried to access the CRL URLs of the certificates we have in the store and the links are still up and working fine. The only CRL we fetch from www.trustcenter.de (as mentioned in the error message you see) is the following:
I can access the link and download the CRL without a problem:
--2015-03-16 12:11:26-- http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Resolving www.trustcenter.de (www.trustcenter.de)... 184.108.40.206
Connecting to www.trustcenter.de (www.trustcenter.de)|220.127.116.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 925 [application/x-pkcs7-crl]
Saving to: `tc_class_3_ca_II.crl'
100%[=========================================================================== =======================>] 925 --.-K/s in 0s
2015-03-16 12:11:26 (57.6 MB/s) - `tc_class_3_ca_II.crl' saved [925/925]
So all should be good with the link. You should not see those error messages as the server is still alive. Probably we need to look and find out why you cannot fetch the CRLs.
you're right, I can download the CRLs through the Web Gateway but not FROM the Web Gateways. So this must be an error at our firewalls.
sorry for the late answer. I did manage to fix the issue at the customer, but I can't exactly remember how... IIRC the issue was because of a very old (or edited) "copy" of the McAfee maintained list, which overruled the original.