OCSP Error - PKIView checks seem ok
Hi All,
So another post about the pesky error displayed next to the OCSP responder. I've already tried
http://social.technet.microsoft.com/Forums/nl/winserversecurity/thread/d6e871e0-3687-4cb5-9591-c1459911f433 and a few of the other links, with no joy.
Hopefully somebody could help with some clues. Here are some additional details which I really hope help the brains here:
Windows 2008 R2 CA with OCSP responder on the same box (I know there could be an issue with DR but there are no alternatives). Configured the Issuing CA with LoadDefaultTemplates=0 following a suggestion from Brian K on another link related to the OCSP problem, to ensure no invalid certs were issued.
My AIA & CDP points are configured (note: I've added some line breaks here to make the points easier to read):
CDP
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n
79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n
6:http://%%1/certificates/%%3%%8%%9.crl\n
6:http://pki.dpp/certificates/%%3%%8%%9.crl\n"
AIA
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n
2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n
6:http://%%1/CertEnroll/%%1_%%3%%4.crt\n
6:http://pki.dpp/certificates/%%1_%%3%%4.crt\n
32:http://pki.dpp/ocsp\n"
This was run prior to the CA being brought online again, to ensure the Exchange cert had the correct points.
In PKIView all points are verified as OK except the OCSP, which just displays Error.
Revoked the CA Exchange certificate: still shows error; rebooted: showing error; certutil -urlcache * delete: showing error.
Configured my OCSP Responder & Template as per Brian K's book & link
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx. The OCSP responder is working (green tick in responder config).
Revoked the CA Exchange certificate: STILL showing errors :(
Generated a cert and did certutil -verify -urlfetch cert.cer as per suggestions in other posts. Hopefully somebody could suggest something, as I cannot see any obvious errors.
OCSP issue, Response
Issuer:
CN=PPEIssuecalV2
DC=Test
DC=dpp
Subject:
CN=PPEIssueCA.test.dpp
OU=XX
O=xx
L=xxxxxxx
S=xx
C=GB
Cert Serial Number: XXXXX
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0X20000000)
dwFlags= CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
----------------- CERT_CHAIN_CONTEXT --------------------------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 22 hours 21 Mins, 27 seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 22 hours 21 Mins, 27 seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=PPEISSUECALV2,DC=Test,DC=dpp
NotBefore: 10/05/2012 08:00
NotAfter: 10/05/2012 08:00
Subject: CN=PPEISSUECA.TEST.DPP,OU=XX, O=XX, L=xxx, L=Milton Keynes, S=xx C=GB
Template: WebSSL
Element. dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element. dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
-------------------- Certificate AIA --------------------------------
Verified Certificate (0) Time: 0
[0.0] ldap:///CN=PPEISSUECALV2,CN=AIA,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?cACertificate?base?objectClass=certificationAuthority
Verified Certificate (0) Time: 32
[1.0] http://PPEIssueCA.test.DPP/certificates/PPEISSUECA.TEST.DPP_PPEISSUECALV2.CRT
Verified Certificate (0) Time: 32
[2.0] http://pki.DPP/certificates/PPEISSUECA.TEST.DPP_PPEISSUECALV2.CRT
-------------------- Certificate CDP --------------------------------
Verified Base CRL (02) Time: 0
[0.0] ldap:///CN=PPEISSUECALV2, CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?certificateRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 0
[0.0.0] ldap:///CN=PPEISSUECALV2, CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 32
[0.0.1] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2+.crl
Verified Delta CRL (02) Time: 32
[0.0.2] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
Verified Base CRL (02) Time: 32
[1.0] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2.crl
Verified Delta CRL (02) Time: 0
[1.0.0] ldap:///CN=PPEISSUECALV2, CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 32
[1.0.1] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2+.crl
Verified Delta CRL (02) Time: 32
[1.0.1] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
Verified Base CRL (02) Time: 32
[2.0] http://pki.DPP/Certificates/PPEIssueCALV2.crl
Verified Delta CRL (02) Time: 0
[2.0.0] ldap:///CN=PPEISSUECALV2, CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 32
[2.0.1] http:// PPEIssueCA.test.DPP /Certificates/PPEIssueCALV2+.crl
Verified Base CRL (02) Time: 32
[2.0.2] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
----------------- Base CRL CDP -----------------------------
Ok Delta CRL (03) Time: 0
[0.0] ldap:///CN=PPEISSUECALV2, CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Ok Delta CRL (03) Time: 32
[2.0.1] http:// PPEIssueCA.test.DPP Certificates/PPEIssueCALV2+.crl
Delta CRL (02) Time: 32
[2.0.1] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
---------------------- Certificate OCSP -----------------------
Verified OCSP Time: 32
[0.0] http://pki.DPP/ocsp
---------------------------------------------------------------------
CRL 02:
ISSUER: CN=PPEISSUECALV2, DC=TEST,DC=DPP
Delta CRL 03:
ISSUER: CN=PPEISSUECALV2, DC=TEST,DC=DPP
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]:dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=PPERootV2, DC=DPP
NotBefore: 09/05/2012 11:00
NotAfter: 09/05/2012 11:00
Subject: CN=PPEISSUECALV2, DC=TEST, DC=DPP
Serial: xxxxxx
Template SubCA
Element. dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element. dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
-------------------- Certificate AIA ---------------------
Verified Certificate (0) Time: 32
[2.0] http://pki.DPP/certificates/PPRootCAV2.CRT
-------------------- Certificate CDP ---------------------
Verified Certificate (0) Time: 32
[2.0] http://pki.DPP/certificates/PPRootCAV2.CRL
-------------------- Base CRL CDP ---------------------
NO URLS None Time: 0
-------------------- Certificate OCSP ---------------------
NO URLS None Time: 0
-----------------------------------------------------------------
CRL 02:
Issuer: CN=PPERootCAV2, DC=DPP
f0 ee fb 94 9e 9b e6 1c 31 3c d9 40 a6 fc 02 5b 8e 19 83 ee
CertContext[0][1]:dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=PPERootV2, DC=DPP
NotBefore: 09/05/2012 09:45
NotAfter: 09/05/2012 09:45
Subject: CN=PPERootCAV2, DC=DPP
Serial: xxxxxx
Element. dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (04x)
Element. dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element. dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
-------------------- Certificate AIA ---------------------
NO URLS None Time: 0
-------------------- Certificate CDP ---------------------
NO URLS None Time: 0
-------------------- Certificate OCSP ---------------------
NO URLS None Time: 0
---------------------------------------------------
Exclude Leaf cert:
42 18 e5 a4 fb 76 af ac c1 06 e8 09 5a 0f 9b c0 28 bb 5c
Full chain:
75 c9 4c 10 12 f4 ba d3 db b6 a9 ba 45 fd 11 f9 3a 52 e5 b4
---------------------------------------------------
Verified Issuance Polices: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
May 10th, 2012 3:53pm
OCSP is working fine
---------------------- Certificate OCSP -----------------------
Verified OCSP Time: 32
[0.0] http://pki.DPP/ocsp
---------------------------------------------------------------------
To confirm, run certutil -url caexchange.cer
Then click the AIA, CDP, and OCSP options and click retrieve.
This will send an actual OCSP request for the certificate and determine if it receives a response.
To be brutally honest, I never trust the status in PKIView.msc if it says Error. This is the *only* command I trust.
Brian
May 10th, 2012 4:15pm
I'll run the test at 7:30 am UK. Once I've exported the Exchange cert and run the test I'll let you know what the response is :) - and again, as always, Brian, thanks a million for a rapid reply.
I "assume" if it all comes back as OK then it's a matter of ignoring PKIView; if not, then work through the issues.
May 10th, 2012 5:22pm
Update 08:00:
Ran PKIView - all points validate except OCSP, as before.
Exported the Exchange cert and ran certutil -verify -urlfetch exchange.cer - all validate / no errors reported.
Ran certutil -url exchange.cer: LDAP points verify OK.
All HTTP points fail with "Error retrieving URL: This operation returned because the timeout period expired. 0x800705b4 (Win32: 1460)".
Very carefully copying the URL displayed in the report (missing out the []) into a web browser, the CRT, CRL and + CRL all pop up. Copied them from PKIView, pasted into the browser and again they appear with no problem, confirming I can retrieve all of them manually from the browser. The web site is set to anonymous authentication.
May 11th, 2012 3:48am
14/05/12 update
Changed the timeout in certutil -url from 15 seconds to 60 seconds.
At 32 seconds all HTTP points come back as verified, including OCSP, and I can download the CRT & CRL!!!
So some follow-up questions:
In PKIView I "assume" it's still showing the red X because it's hitting a timeout before it reaches 32 seconds? If the time were reduced to, say, 20 seconds, would PKIView come back with Valid?
With regards to the 32 seconds for returning the points: certutil -url was run locally on the box, granted the points were FQDNs so it's going to the network... How can I reduce the time from 32 seconds to something realistic? 32 seconds to go and get a URL with zip in it seems a loooong time - I'm aware that 31 seconds will be it contacting the HTTP server, doing "stuff", and then 1 second to download the CRT & CRL.
So what can be done to reduce the other 31 seconds???
If I manually type the URL in the browser it replies in a second or so... don't know if that's helpful.
Help / pointers greatly appreciated.
May 14th, 2012 1:59pm
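As an added example (not from the thread or from certutil itself), a small Python parser for the certutil -verify -urlfetch output quoted in the first post: it pairs each status/Time line with the URL that follows it and lists the fetches that failed or ran long, so the 0-second LDAP fetches and the 32-second HTTP fetches discussed in the last post stand out at a glance. The sample output is constructed from the thread's own lines; the Failed entry with the 15-second timeout is constructed to mirror the error reported in the 11 May post.

```python
import re
from urllib.parse import urlsplit
# Constructed sample modelled on the certutil -verify -urlfetch output quoted in the thread:
# the 0/32 second timings are the thread's, the Failed entry (15 s timeout) is constructed.
SAMPLE_OUTPUT = """\
Verified Base CRL (02) Time: 0
[0.0] ldap:///CN=PPEISSUECALV2,CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?certificateRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Base CRL (02) Time: 32
[1.0] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2.crl
Failed Delta CRL (03) Time: 15
Error retrieving URL: This operation returned because the timeout period expired. 0x800705b4 (WIN32: 1460)
[1.0.1] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
---------------------- Certificate OCSP -----------------------
Verified OCSP Time: 32
[0.0] http://pki.DPP/ocsp
"""
# Real certutil quotes the kind ("Base CRL (02)"); the forum copy lost the quotes, so accept both.
STATUS_RE = re.compile(r'^\s*(?P<status>Verified|Failed|Ok|Expired|Wrong Issuer)\s+"?(?P<kind>[^"]+?)"?\s+Time:\s*(?P<secs>\d+)\s*$')
ERROR_RE = re.compile(r'^\s*Error retrieving URL:\s*(?P<msg>.+?)\s*$')
URL_RE = re.compile(r'^\s*\[[\d.]+\]\s+(?P<url>\S+)\s*$')

def parse_urlfetch(text):
    """Pair each status/Time line with the URL line that follows it; one record per fetch."""
    records, pending = [], None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            pending = {"status": m["status"], "kind": m["kind"], "secs": int(m["secs"]), "error": None}
            continue
        m = ERROR_RE.match(line)
        if m and pending:
            pending["error"] = m["msg"]
            continue
        m = URL_RE.match(line)
        if m and pending:
            pending["url"], pending["scheme"] = m["url"], urlsplit(m["url"]).scheme.lower()
            records.append(pending)
            pending = None
    return records

def slow_or_failed(records, slow_after=5):
    """(url, reason) for every fetch that failed or took longer than slow_after seconds."""
    problems = []
    for r in records:
        if r["status"] not in ("Verified", "Ok"):
            problems.append((r["url"], f'{r["status"]}: {r["error"] or "no detail"}'))
        elif r["secs"] > slow_after:
            problems.append((r["url"], f'{r["kind"]} took {r["secs"]}s'))
    return problems
```

Feed it the saved output of certutil -verify -urlfetch and every HTTP point that is close to the default 15-second timeout shows up, which is the case PKIView reports only as a bare Error.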