Certificate Revocation Issue
I'm having some difficulty with certificate revocation lists. I'm getting the error "Revocation information for the security certificate for this site is not available."
I have updated the CRL distribution points and verified that I can access them. I have also modified IIS7 to allow plus signs. I tried updating the AIA distribution location as well.
Now, what I'm seeing is that when I manually open the CRL, which works just fine, there are two attributes, Freshest CRL and Published CRL Location, which both have LDAP paths. I believe these either need to be removed, or changed to http, but I don't want to make things worse.
Any help here would be appreciated, thanks.
September 5th, 2011 5:37pm
You need to provide much much more detail.
Can you provide the output from certutil -verify -urlfetch <Certificate.crt> against any certificate issued by an issuing CA. You can change the names to protect the innocent <G>.
This will allow us to provide you more information
Brian
September 5th, 2011 9:53pm
Here is the output, masked. The end of the message is pretty clear, but I'm not sure what it's referring to. We actually have a root CA and subordinate CA that are both online.
Issuer:
CN=Company Intermediate CA
Subject:
CN=server.domain.com
Cert Serial Number: Serial#
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=Company Intermediate CA
NotBefore: 9/5/2011 2:24 PM
NotAfter: 9/2/2021 2:24 PM
Subject: CN=server.domain.com
Serial: Serial#
SubjectAltName: DNS Name=names ...
Template: Cert Template
thumbprint
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Expected Base CRL "Delta CRL (d4)" Time: 4
[0.0] http://crl.domain.com/CA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=DN
NotBefore: 2/12/2011 10:33 AM
NotAfter: 2/8/2026 10:33 AM
Subject: CN=Company Intermediate CA
Serial: Serial#
Template: Template
Thumbprint
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] ldap:///DN
Wrong Issuer "Certificate (1)" Time: 0
[0.1] ldap:///DN
Wrong Issuer "Certificate (2)" Time: 0
[0.2] ldap:///DN
Wrong Issuer "Certificate (3)" Time: 0
[0.3] ldap:///DN
Wrong Issuer "Certificate (4)" Time: 0
[0.4] ldap:///DN
Wrong Issuer "Certificate (5)" Time: 0
[0.5] ldap:///DN
Wrong Issuer "Certificate (6)" Time: 0
[0.6] ldap:///DN
Wrong Issuer "Certificate (7)" Time: 0
[0.7] ldap:///DN
Verified "Certificate (8)" Time: 0
[0.8] ldap:///DN
Verified "Certificate (9)" Time: 0
[0.9] ldap:///DN
---------------- Certificate CDP ----------------
Verified "Base CRL (01a8)" Time: 0
[0.0] ldap:///DN
Verified "Delta CRL (01a8)" Time: 0
[0.0.0] ldap:///DN
---------------- Base CRL CDP ----------------
OK "Delta CRL (01a9)" Time: 0
[0.0] ldap:///DN
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 01a8:
Issuer: DN
Serial#
Delta CRL 01a9:
Issuer: DN
Serial #
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: DN
NotBefore: 2/4/2011 3:37 PM
NotAfter: 2/10/2031 7:18 PM
Subject: DN
Serial: Serial#
Template: Template
Serial#
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
Serial#
Full chain:
Serial#
Issuer: CN=Company Intermediate CA
NotBefore: 9/5/2011 2:24 PM
NotAfter: 9/2/2021 2:24 PM
Subject: CN=server.domain.com
Serial: Serial#
SubjectAltName: DNS Names
Template: Template
Serial#
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
September 5th, 2011 11:31pm
You may have masked too much information, but here is a start:
It looks like the HTTP URL for the following is pointing to a delta CRL object, not to a base CRL object:
---------------- Certificate CDP ----------------
Expected Base CRL "Delta CRL (d4)" Time: 4
[0.0] http://crl.domain.com/CA.crl
This is for your root CA (looking at the chain). Since it is broken, all subordinate CA certificate and leaf certificates will validate as invalid because a revocation decision cannot be built.
1) Under best practices, the root CA would be offline and only publishing base CRLs
2) For the issuing CA, your naming for the base CRL and delta CRL for the HTTP URL should use the form %3%8%9.crl. It looks like your naming may be hardcoded as CA.crl or is not using the %8%9 variables (causing the same name to be applied for base and delta CRLs)
HTH,
Brian
September 6th, 2011 12:22am
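The diagnosis above is read straight off the CDP and chain-status lines of the certutil dump. As an added example (not code from the thread or from certutil), the script below parses that output format and turns it into a short problem list: it flags CERT_TRUST_REVOCATION_STATUS_UNKNOWN / CERT_TRUST_IS_OFFLINE_REVOCATION at chain level, and it flags a CDP entry whose verdict is "Expected Base CRL" but whose fetched object is a delta CRL, which is exactly the base-overwritten-by-delta symptom being discussed. The sample output embedded in the script is constructed from the masked lines quoted in the thread; the LDAP DNs and the http host are placeholders.

```python
import re

# Constructed sample, modelled on the masked certutil -verify -urlfetch output
# quoted in this thread (not a real capture): chain-level error flags, the
# leaf's CDP pointing at the HTTP CRL, and one AIA entry of the issuing CA that
# resolves to the wrong issuer. DNs and host names are placeholders.
SAMPLE_OUTPUT = """\
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Expected Base CRL "Delta CRL (d4)" Time: 4
[0.0] http://crl.domain.com/CA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] ldap:///CN=Company Intermediate CA,CN=AIA,CN=Public Key Services,DC=domain,DC=com
---------------- Certificate CDP ----------------
Verified "Base CRL (01a8)" Time: 0
[0.0] ldap:///CN=Company Intermediate CA,CN=CDP,CN=Public Key Services,DC=domain,DC=com
"""

# Line shapes used by certutil's -urlfetch dump.
SECTION_RE = re.compile(r"^-+ (Certificate AIA|Certificate CDP|Base CRL CDP|Certificate OCSP) -+$")
CONTEXT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]")
RESULT_RE = re.compile(r'^(?P<verdict>[^"]+?) "(?P<object>[^"]*)" Time: (?P<time>\d+)$')
URL_RE = re.compile(r"^\[[\d.]+\] (?P<url>.+)$")   # DNs in ldap URLs may contain spaces

# Chain-level flags that mean the revocation decision could not be made.
CHAIN_FLAGS = ("CERT_TRUST_REVOCATION_STATUS_UNKNOWN", "CERT_TRUST_IS_OFFLINE_REVOCATION")


def parse_urlfetch(text):
    """Return one dict per fetched URL: chain element (0 = leaf), section,
    the verdict certutil printed and the object it found at that URL."""
    findings, element, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CONTEXT_RE.match(line)):
            element = int(m.group(1))
        elif (m := SECTION_RE.match(line)):
            section, pending = m.group(1), None
        elif section and (m := RESULT_RE.match(line)):
            pending = m.groupdict()          # verdict line; URL follows on the next line
        elif pending and (m := URL_RE.match(line)):
            findings.append({"element": element, "section": section,
                             "verdict": pending["verdict"],
                             "object": pending["object"],
                             "url": m.group("url")})
            pending = None
    return findings


def revocation_problems(text):
    """Summarise the dump as a list of human-readable problems, chain-level first."""
    problems = []
    if any(flag in text for flag in CHAIN_FLAGS):
        problems.append("chain: revocation status unknown; strict revocation checking will fail")
    for f in parse_urlfetch(text):
        where = f"element {f['element']} {f['section']}: {f['url']}"
        if (f["section"].endswith("CDP") and f["verdict"] == "Expected Base CRL"
                and f["object"].startswith("Delta CRL")):
            problems.append(f"{where} serves a delta CRL where the base CRL is expected; "
                            "the delta CRL is probably being published over the base CRL")
        elif f["verdict"] not in ("Verified", "OK"):
            problems.append(f"note: {where} -> {f['verdict']} ({f['object']})")
    return problems


if __name__ == "__main__":
    for p in revocation_problems(SAMPLE_OUTPUT):
        print(p)
```

Feed it the real (unmasked) output of `certutil -verify -urlfetch` and the "serves a delta CRL where the base CRL is expected" line points you at the CDP URL to fix; the "note:" lines for AIA "Wrong Issuer" entries are the leftover renewed CA certificates discussed later in the thread and are not what breaks the revocation check.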
It's not, it's pointing to the base CRL object.
September 6th, 2011 11:09am
Maybe this is a stupid question, but I am new to CAs, but do I NEED to have an OCSP server somewhere in my network, or is that optional?
September 6th, 2011 11:10am
OCSP is optional.
You missed my point. Look at the output. It appears that you may have both the base CRL and the delta CRL pointing to the same URL without the delta CRL indicator configured correctly. Essentially, the delta CRL is overwriting the base CRL.
Make sure that the URL contains %3%8%9.crl for the file name or CA%8%9.crl not CA.crl
Brian
September 6th, 2011 11:33am
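To make the naming point concrete, here is an added example (not from the thread, and not AD CS's own code) that expands the %3, %8 and %9 tokens of a CRL publication URL the way the CA does when it publishes, and then reports which CRL objects would land on the same URL. The CA name, the http host and the key-renewal indexes are constructed; the meaning of the tokens (%3 = CA name, %8 = CRL name suffix added after a CA key renewal, %9 = "+" for a delta CRL) is what AD CS documents, and is stated in the comments as the assumption the code rests on.

```python
def expand_crl_url(template, ca_name, crl_name_suffix="", delta=False):
    """Expand the AD CS CRL publication URL tokens used in this thread.

    Assumed token meanings (AD CS):
      %3  CA name
      %8  CRL name suffix: empty for the CA's first key, '(1)', '(2)', ... after
          each key renewal, so every key's CRL gets its own file
      %9  '+' when the URL is for a delta CRL, empty for a base CRL
    Other AD CS tokens (%1, %2, ...) are not needed here and are left untouched.
    """
    return (template.replace("%3", ca_name)
                    .replace("%8", crl_name_suffix)
                    .replace("%9", "+" if delta else ""))


def published_objects(template, ca_name, key_indexes):
    """Map every URL the template yields to the CRL objects written there.

    key_indexes lists the CA key generations to consider (0 = original key).
    """
    objects = {}
    for idx in key_indexes:
        suffix = "" if idx == 0 else f"({idx})"
        for delta in (False, True):
            url = expand_crl_url(template, ca_name, suffix, delta)
            objects.setdefault(url, []).append(("delta" if delta else "base", idx))
    return objects


def collisions(template, ca_name, key_indexes=(0,)):
    """URLs that more than one CRL object would be published to.

    A base/delta pair on one URL means the (more frequently published) delta
    CRL overwrites the base CRL, which is the symptom diagnosed in this thread.
    """
    return {url: objs
            for url, objs in published_objects(template, ca_name, key_indexes).items()
            if len(objs) > 1}


def delta_urls(template, ca_name, key_indexes=(0,)):
    """Delta CRL URLs; these contain '+', which the web server must serve as-is."""
    return [url for url, objs in published_objects(template, ca_name, key_indexes).items()
            if any(kind == "delta" for kind, _ in objs)]


if __name__ == "__main__":
    # Constructed values: a hardcoded name as the poster had it, versus the
    # token-based form recommended in the thread, for a CA renewed once.
    for tmpl in ("http://crl.domain.com/CA.crl",
                 "http://crl.domain.com/CA%8%9.crl",
                 "http://crl.domain.com/%3%8%9.crl"):
        print(tmpl, "->", collisions(tmpl, "CA", (0, 1)) or "no collisions")
```

With the hardcoded template both the base and the delta CRL expand to `http://crl.domain.com/CA.crl`, so whichever is published last wins; with `%3%8%9.crl` the CA writes `CA.crl`, `CA+.crl`, `CA(1).crl` and `CA(1)+.crl` as separate files. The `+` in the delta names is also why the poster had to allow plus signs in IIS 7 before the delta CRL could be fetched over HTTP at all.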
Also, is there cleanup I can do to get rid of all of the "Wrong Issuers?"
September 6th, 2011 12:06pm
Ok, I'll give that a shot. What's the best way to test if revocation is working? The same command as above?
September 6th, 2011 12:06pm
Yes, same command as above for testing. For the wrong issuers, you have removed too much data for me to even give you an answer. My assumption is that you renewed ... a lot... on the sub CA and it is finding lots of CA certificates. You cannot easily remove them as there may be certs that chain to various subCA certs.
Brian
September 6th, 2011 12:15pm
You would be correct :) I renewed several times trying to resolve the validity period. All of the wrong issuers point to LDAP paths, but I can't find them. The certs have been removed from the CAs.
September 6th, 2011 12:49pm
And thank you, your suggestion above fixed the revocation issue! I was pointing to a hard URL, without the %8 and %9.
September 6th, 2011 12:50pm