Certificate verification
Gents,

I'm a bit confused. I would like to check the certificate status. I run the following command:

    certutil -verify -urlfetch test.cer

I see a lot of output. Where is the status? How to understand whether this certificate was revoked? Was it included in a CRL?

Another tool:

    certutil -url test.cer

What is it checking? Does it check the URLs from the certificate? If there is no OCSP URL in the certificate, can I check this certificate by OCSP? Will it be checked? What does each status mean?

Can you please direct me to manuals? I re-read a lot of Microsoft articles and don't see details ;(

Thanks
February 18th, 2010 10:10pm
certutil shows revoked status at the top of the chain status output. For example:

    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
    ChainContext.dwRevocationFreshnessTime: 1 Months, 13 Hours, 34 Minutes, 14 Seconds

and after all certificates are verified. For example:

    Full chain:
    ***************
      Issuer: CN=*****
      NotBefore: 17.02.2010. 9:36
      NotAfter: 17.02.2011. 9:36
      Subject: CN=*****
      Serial: 01
      SubjectAltName: Other Name:Principal Name=******
      Template: Administrator
    ***************
    The certificate is revoked. 0x80092010 (-2146885616)

AFAIK, certutil -url for CDP extensions just returns whether the files can be retrieved and doesn't check for revocation. This is applicable for OCSP URLs only.
http://www.sysadmins.lv
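To make the "where is the status?" question concrete, here is an added example (not from the thread or from sysadmins.lv) that reads a saved certutil -verify -urlfetch dump and extracts the chain-level dwErrorStatus, the per-certificate status, and the AIA/CDP URLs that CryptoAPI had available. The CERT_TRUST_* bit values are the wincrypt.h constants that certutil prints in parentheses; the sample dump and its names (example.test, the pki.example.test URLs) are constructed for the example and shaped like the output posted later in this thread.

```python
# Added example (not from the thread): read "certutil -verify -urlfetch" output and
# report the revocation verdict instead of scanning the whole dump by eye.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# CERT_TRUST_* error bits from wincrypt.h; certutil prints the hex value in parentheses.
CERT_TRUST_ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00000080: "CERT_TRUST_IS_CYCLIC",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

@dataclass
class ChainElement:
    index: int
    error_status: int
    subject: str = ""
    serial: str = ""
    aia_urls: List[str] = field(default_factory=list)
    cdp_urls: List[str] = field(default_factory=list)

def decode_error_status(value: int) -> List[str]:
    """Expand a dwErrorStatus value into the CERT_TRUST_* names it contains."""
    return [name for bit, name in sorted(CERT_TRUST_ERROR_FLAGS.items()) if value & bit]

_CHAIN_ERR = re.compile(r"ChainContext\.dwErrorStatus = .*\(0x([0-9A-Fa-f]+)\)")
_ELEMENT = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=[0-9A-Fa-f]+ dwErrorStatus=([0-9A-Fa-f]+)")
_URL = re.compile(r"\[\d+\.\d+\] (\S+)")

def parse_chain(output: str) -> Tuple[int, List[ChainElement]]:
    """Return (chain-level dwErrorStatus, per-certificate elements, leaf first)."""
    chain_error = 0
    elements: List[ChainElement] = []
    section: Optional[str] = None  # which URL list ("aia"/"cdp") we are inside
    for raw in output.splitlines():
        line = raw.strip()
        m = _CHAIN_ERR.match(line)
        if m:
            chain_error = int(m.group(1), 16)
            continue
        m = _ELEMENT.match(line)
        if m:
            elements.append(ChainElement(int(m.group(1)), int(m.group(2), 16)))
            section = None
            continue
        if not elements:
            continue
        cur = elements[-1]
        if line.startswith("Subject:"):
            cur.subject = line.split(":", 1)[1].strip()
        elif line.startswith("Serial:"):
            cur.serial = line.split(":", 1)[1].strip()
        elif "Certificate AIA" in line:
            section = "aia"
        elif "Certificate CDP" in line:
            section = "cdp"
        elif line.startswith("----"):   # any other separator ends the URL list
            section = None
        else:
            m = _URL.match(line)
            if m and section == "aia":
                cur.aia_urls.append(m.group(1))
            elif m and section == "cdp":
                cur.cdp_urls.append(m.group(1))
    return chain_error, elements

def revocation_verdict(chain_error: int, elements: List[ChainElement]) -> str:
    """Summarise the chain-level status the way an operator wants to read it."""
    if chain_error & 0x4:
        return "REVOKED"
    if chain_error & 0x40:
        leaf = elements[0] if elements else None
        if leaf is not None and not leaf.aia_urls and not leaf.cdp_urls:
            return "UNKNOWN: leaf carries no AIA/CDP URLs, so there is no CRL or OCSP source to consult"
        return "UNKNOWN: revocation source present but not reachable or not fresh"
    if chain_error:
        return "CHAIN ERROR: " + ", ".join(decode_error_status(chain_error))
    return "GOOD"

# Constructed sample dump (example names), shaped like the output posted in this thread.
SAMPLE = """\
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: CN=Example Subordinate CA, DC=example, DC=test
  Subject: CN=ocsp.example.test
  Serial: 6122da8b000000000005
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  --------------------------------
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Example Root CA, DC=example, DC=test
  Subject: CN=Example Subordinate CA, DC=example, DC=test
  Serial: 11226251000000000002
  ---------------- Certificate AIA ----------------
  No CRL "Certificate (0)" Time: 0
    [1.0] http://pki.example.test/pki/Example%20Root%20CA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (2)" Time: 0
    [1.0] http://pki.example.test/pki/Example%20Root%20CA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  --------------------------------
"""

if __name__ == "__main__":
    err, elems = parse_chain(SAMPLE)
    print("chain dwErrorStatus:", hex(err), decode_error_status(err))
    for e in elems:
        print(f"[{e.index}] {e.subject} serial={e.serial} "
              f"err={decode_error_status(e.error_status)} aia={e.aia_urls} cdp={e.cdp_urls}")
    print("verdict:", revocation_verdict(err, elems))
```

Run it against a real dump with `python3 thisfile.py < output.txt` after swapping SAMPLE for `sys.stdin.read()`. The verdict logic mirrors what the thread's posters work out by hand: 0x4 at the chain level means revoked, 0x40 means CryptoAPI could not decide, and an empty AIA/CDP list on the leaf is the usual reason it could not.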
February 19th, 2010 12:30am
Ok, I was confused by the following test. I try to verify the revoked certificate. I issued the bad certificate for OCSP and revoked it.

    C:\temp\Cert>certutil -urlfetch -verify test.cer
    Issuer:
        CN=***** Subordinate CA
        DC=*****
        DC=**
    Subject:
        CN=MSK-HQ-CA2.*****.**
    Cert Serial Number: 6122da8b000000000005

    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwRevocationFreshnessTime: 6 Days, 17 Hours, 50 Minutes, 52 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwRevocationFreshnessTime: 6 Days, 17 Hours, 50 Minutes, 52 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
      Issuer: CN=***** Subordinate CA, DC=*****, DC=**
      Subject: CN=MSK-HQ-CA2.*****.**
      Serial: 6122da8b000000000005
      Template: OCSP Response Signing
      b2 d2 fb 0e f0 cf c8 f4 cc 18 79 31 76 b1 88 06 bf dc 2d 8e
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      ---------------- Certificate AIA ----------------
      No URLs "None" Time: 0
      ---------------- Certificate CDP ----------------
      No URLs "None" Time: 0
      --------------------------------
      Application[0] = 1.3.6.1.5.5.7.3.9

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=***** Root CA, DC=*****, DC=**
      Subject: CN=***** Subordinate CA, DC=*****, DC=**
      Serial: 11226251000000000002
      Template: SubCA
      52 19 34 eb d3 9d 02 39 6e 54 e2 0f ea 75 01 c4 ea c1 b8 2c
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ---------------- Certificate AIA ----------------
      No CRL "Certificate (0)" Time: 0
        [0.0] ldap:///CN=*****%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=*****,DC=**?cACertificate?base?objectClass=certificationAuthority
      No CRL "Certificate (0)" Time: 0
        [1.0] http://pki.*****.**/pki/msk-hq-ca1.*****.**_*****%20Root%20CA.crt
      ---------------- Certificate CDP ----------------
      Verified "Base CRL (2)" Time: 0
        [0.0] ldap:///CN=*****%20Root%20CA,CN=msk-hq-ca1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=*****,DC=**?certificateRevocationList?base?objectClass=cRLDistributionPoint
      Verified "Base CRL (2)" Time: 0
        [1.0] http://pki.*****.**/pki/*****%20Root%20CA.crl
      ---------------- Base CRL CDP ----------------
      No URLs "None" Time: 0
      --------------------------------
      CRL 2:
      Issuer: CN=***** Root CA, DC=*****, DC=**
      e3 d2 7b ba 10 18 58 01 2b a3 47 55 94 ab 59 da 5b ec 2c a6

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=***** Root CA, DC=*****, DC=**
      Subject: CN=***** Root CA, DC=*****, DC=**
      Serial: 11b7c4035d82b089408a4cd69462e03a
      b0 2b 88 66 56 fe 4d 68 4c 41 ca 8e 48 eb 87 9a 59 02 9b 63
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ---------------- Certificate AIA ----------------
      No URLs "None" Time: 0
      ---------------- Certificate CDP ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      cb c4 b0 8d a0 69 5e 5a 7f ef d1 a1 fd fe 4a e8 a8 d7 b6 4a
    Full chain:
      65 42 2a f2 ec 51 d4 17 03 ad bd 6b 89 81 29 92 22 80 0b 55
      Issuer: CN=***** Subordinate CA, DC=*****, DC=**
      Subject: CN=MSK-HQ-CA2.*****.**
      Serial: 6122da8b000000000005
      Template: OCSP Response Signing
      b2 d2 fb 0e f0 cf c8 f4 cc 18 79 31 76 b1 88 06 bf dc 2d 8e
    The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
    ------------------------------------
    Revocation check skipped -- no revocation information available
    Cannot check leaf certificate revocation status
    CertUtil: -verify command completed successfully.

This certificate doesn't have CDP/AIA extensions. Why doesn't certutil check the CRL of the Subordinate CA? The Subordinate CA certificate is installed in the Intermediate CA local store. If the certificate has a CDP extension, it will be successfully verified. If it doesn't have one?

How to check OCSP? Is there any util that can check certificate status via an OCSP URL? I would like to check a good/revoked certificate via OCSP.

I see an error under 'Enterprise PKI' in the MMC snap-in. OCSP Location has an error (red cross). I checked the Online Responder snap-in -- all settings are OK, no errors. OCSP certificate status is OK.

Thanks,
February 24th, 2010 2:59pm
To check OCSP you need to include the OCSP extension in a certificate. Also note that pre-Vista systems don't support an OCSP client. You also can check OCSP through the certutil graphical utility:

    certutil -url path\file.cer

http://www.sysadmins.lv
February 24th, 2010 3:38pm
Wow! Checked OK/revoked certificates via OCSP -- it's working. But verify those via the CRLs button -- I see only Verified status. Why? As I can see, the CRL includes the revoked serial. I restarted IIS, it doesn't help. WTF?
February 24th, 2010 4:04pm
> But verify those via the CRLs button -- I see only Verified status. Why?

It just checks if the CRL is downloadable and is valid and doesn't perform revocation checking.
http://www.sysadmins.lv
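The two answers above draw a distinction worth seeing in code: "the CRL is downloadable and valid" (issuer signature good, thisUpdate/nextUpdate window current) is a different question from "this serial is on the CRL", and OCSP is only possible when the certificate itself carries an OCSP URL in its AIA extension. The following added example (not from the thread or from sysadmins.lv) builds a throwaway CA with the `cryptography` library, issues one revoked and one good leaf, and answers each question separately. All names (Example Root CA, ocsp.example.test) and the fixed clock NOW are constructed for the example.

```python
# Added example (not from the thread): separate "is the CRL valid?" from "is this serial revoked?",
# and show why OCSP needs an AIA OCSP URL in the certificate. Requires the `cryptography` package.
from datetime import datetime, timedelta
from typing import List, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

NOW = datetime(2010, 2, 24, 12, 0, 0)  # fixed UTC clock so the example is deterministic (constructed)

def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer_name, pubkey, signer_key, ca=False, ocsp_url=None) -> x509.Certificate:
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject)).issuer_name(issuer_name).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_url:  # the AIA/OCSP pointer a client needs before it can ask a responder at all
        b = b.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    return b.sign(signer_key, hashes.SHA256())

def build_test_pki() -> Tuple[x509.Certificate, x509.Certificate, x509.Certificate,
                              x509.CertificateRevocationList]:
    """Root CA, a leaf that gets revoked, a leaf with an OCSP URL, and the CA's CRL (all constructed)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _cert("Example Root CA", _name("Example Root CA"), ca_key.public_key(), ca_key, ca=True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    revoked_leaf = _cert("revoked.example.test", ca.subject, leaf_key.public_key(), ca_key)
    good_leaf = _cert("good.example.test", ca.subject, leaf_key.public_key(), ca_key,
                      ocsp_url="http://ocsp.example.test/ocsp")
    entry = (x509.RevokedCertificateBuilder().serial_number(revoked_leaf.serial_number)
             .revocation_date(NOW - timedelta(minutes=30)).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(NOW - timedelta(hours=1)).next_update(NOW + timedelta(days=7))
           .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))
    return ca, revoked_leaf, good_leaf, crl

def _window(crl) -> Tuple[datetime, datetime]:
    # newer cryptography releases expose *_utc (aware) properties; fall back to the naive ones
    if hasattr(crl, "last_update_utc"):
        return crl.last_update_utc.replace(tzinfo=None), crl.next_update_utc.replace(tzinfo=None)
    return crl.last_update, crl.next_update

def crl_is_valid(crl, issuer: x509.Certificate, now: datetime = NOW) -> bool:
    """What a 'verify via CRL' style check establishes: signed by the issuer and currently in date.
    It says nothing about any particular serial number."""
    last, nxt = _window(crl)
    return crl.is_signature_valid(issuer.public_key()) and last <= now < nxt

def is_revoked(cert: x509.Certificate, crl) -> bool:
    """The actual revocation question: is this certificate's serial listed on the CRL?"""
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def revocation_status(cert, issuer, crl, now: datetime = NOW) -> str:
    # A stale or unverifiable CRL must not turn into "good": CryptoAPI reports
    # CERT_TRUST_REVOCATION_STATUS_UNKNOWN in that case, and so do we.
    if not crl_is_valid(crl, issuer, now):
        return "unknown"
    return "revoked" if is_revoked(cert, crl) else "good"

def ocsp_urls(cert: x509.Certificate) -> List[str]:
    """OCSP responder URLs from the AIA extension; empty means OCSP cannot be attempted."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]

if __name__ == "__main__":
    ca, bad, good, crl = build_test_pki()
    print("CRL valid:", crl_is_valid(crl, ca))
    for leaf in (bad, good):
        print(leaf.subject.rfc4514_string(), revocation_status(leaf, ca, crl), "ocsp:", ocsp_urls(leaf))
    print("status with a stale CRL:", revocation_status(good, ca, crl, now=NOW + timedelta(days=30)))
```

Note that `crl_is_valid` returns True for the very CRL that lists the revoked serial; that is exactly the "Verified" the CRLs button reports, and why it cannot be read as "not revoked". `ocsp_urls` returning an empty list for the first leaf is the programmatic form of the earlier answer: without the extension there is no responder address, so no OCSP check happens.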
February 24th, 2010 4:07pm