Certificate Revoked WES 7 SP1
When attempting to connect to an RDS gateway from a machine that is not on the domain I receive the error "A revocation check could not be performed for the certificate". We're using an internal CA for the certificates in the RDS farm and the CRL lookup works fine for machines on the domain. When attempting to access http://servername/certenroll/certname.crl from the non-domain machine I can access it no worries.
Note: The non-domain machine is running Win7 Embedded and the CA has been added to the Trusted Root Authority (Computer).
When attempting a "certutil -urlfetch -verify certname.cer" on the certificate in question I receive the following:
C:\Users\Administrator\Desktop>certutil -urlfetch -verify test.cer
Issuer:
CN=servername
DC=domain
DC=com
DC=au
Subject:
E=administrator@domain.com.au
CN=myserver.domain.com.au
OU=<omitted>
O=<omitted>
L=<omitted>
S=<omitted>
C=<omitted>
Cert Serial Number: 1b6680e6000100000489
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 20 Hours, 1 Minutes, 57 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 20 Hours, 1 Minutes, 57 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=servername, DC=domain, DC=com, DC=au
NotBefore: 12/15/2010 11:47 PM
NotAfter: 12/15/2011 11:47 PM
Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
Serial: 1b6680e6000100000489
SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (0190)" Time: 0
[1.0] http://servername.domain.com.au/CertEnroll/servername.crl
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
[1.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
file://servername.domain.com.au/CertEnroll/servername.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 0190:
Issuer: CN=servername, DC=domain, DC=com, DC=au
9b a4 6c 0d ce 27 fe fc a8 e1 6e 94 3e b5 3f c5 5f 06 ce 1c
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=servername, DC=domain, DC=com, DC=au
NotBefore: 3/15/2010 12:08 AM
NotAfter: 12/12/2015 10:30 PM
Subject: CN=servername, DC=domain, DC=com, DC=au
Serial: 48e9cd0e5203d29947c6b6c9640e9bc0
Template: CA
bd 03 7c e9 94 78 e2 e2 5b f0 5c f3 02 71 a1 00 78 bc 23 b7
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
5e 12 f5 da ff 73 e1 1d 6e 33 b0 0f b3 ab 9d 0d de 4d 7f 00
Full chain:
a5 0c 5b 60 83 94 a9 4b 13 18 ce e1 ac c0 d1 1e 02 13 af 76
Issuer: CN=servername, DC=domain, DC=com, DC=au
NotBefore: 12/15/2010 11:47 PM
NotAfter: 12/15/2011 11:47 PM
Subject: E=administrator@domain.com.au, CN=myserver.domain.com.au, OU=<omitted>, O=<omitted>, L=<omitted>, S=<omitted>, C=<omitted>
Serial: 1b6680e6000100000489
SubjectAltName: DNS Name=myserver.domain.com.au, DNS Name=pv-rdsh01.domain.com.au, DNS Name=pv-rdsh02.domain.com.au
Template: 1.3.6.1.4.1.311.21.8.4686447.12051196.15746696.15974447.10885270.2.7507585.10766057
5d b5 ec 7a ca 42 18 09 65 7a d2 d5 90 16 51 73 d0 13 25 16
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
C:\Users\Administrator\Desktop>
The problem is, when I check "Include in CRLs", all domain machines stop trusting the CA.
I believe this is due to the following GPO setting:
To perform certificate-based authentication of users and computers, CAs must meet the following criteria - Registered in Active Directory only.
When looking in the actual GPO itself, it appears there's no options configured and instead only an import option for a certificate. Should I just import the CAs certificate in to the GPO?
If I join the domain it will work for 10 days and then receive the error.
Please advise
Debbie Baldassini
May 13th, 2011 1:47am
On Thu, 12 May 2011 22:47:00 +0000, Debbie Baldassini wrote:
> ---------------- Certificate AIA ----------------
> Failed "AIA" Time: 0
> Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
> ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
This is your problem. You've only set up an LDAP URL for the AIA location
and your non-domain-joined clients are not allowed access to Active
Directory to retrieve any required intermediate certificates in the chain.
Since they can't retrieve the intermediate certs, they can't check those
certs for revocation and you get the kind of misleading error message that
the revocation server is offline.
You're going to need to add an HTTP location for AIA publishing, then
renew/reissue all certs below the root CA.
While you're fixing this error, you should also make the HTTP locations for
both the CRLs and AIA publishing points first in order, and you should
remove the file:// URL as that is not a supported protocol for either AIA
or CRL retrieval.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
People who deal with bits should expect to get bitten. -- Jon Bentley
May 13th, 2011 6:23pm
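To make the diagnosis above repeatable, here is an added example (not code from either poster) that parses the AIA/CDP sections of "certutil -urlfetch -verify" output and reports the three problems the reply names: no HTTP URL, HTTP not first in order, and a file:// URL. The sample input is constructed from the leaf certificate's sections quoted in the thread; the section and status line formats are assumed to match certutil's output.

```python
import re

# Constructed sample: leaf AIA/CDP sections modelled on the certutil output in the thread.
SAMPLE = """\
---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (0190)" Time: 0
    [1.0] http://servername.domain.com.au/CertEnroll/servername.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://servername.domain.com.au/CertEnroll/servername.crl
"""

SECTION_RE = re.compile(r"^-+\s*(Certificate (?:AIA|CDP|OCSP)|Base CRL CDP)\s*-+$")
RESULT_RE = re.compile(r"^\s*(Failed|Verified|No URLs)\b")
URL_RE = re.compile(r"\b(?:ldap|https?|file)://\S+")

def parse_urlfetch(text):
    """Map each section to its (status, url) pairs, in the order the CA listed them."""
    sections, current, status = {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current, status = m.group(1), None
            sections.setdefault(current, [])
        elif current and RESULT_RE.match(line):
            status = RESULT_RE.match(line).group(1)  # status applies to the URL that follows
        elif current and status and URL_RE.search(line):
            sections[current].append((status, URL_RE.search(line).group(0)))
    return sections

def audit(sections):
    """Flag LDAP-only publishing, HTTP not first, and file:// URLs in AIA and CDP."""
    findings = []
    for name in ("Certificate AIA", "Certificate CDP"):
        entries = sections.get(name, [])
        schemes = [u.split("://", 1)[0].lower() for _, u in entries]
        if "http" not in schemes:
            findings.append(f"{name}: no HTTP URL, non-domain clients cannot use ldap://")
        elif schemes[0] != "http":
            findings.append(f"{name}: HTTP URL is not first in order")
        if "file" in schemes:
            findings.append(f"{name}: file:// URL present, not a supported retrieval protocol")
    return findings
```

Run it over a saved certutil transcript after the CA's publication URLs have been changed and certificates reissued; an empty findings list means the chain can be built and checked without Active Directory access.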