TLS certificate validation - RevocationOffline
Hi,
I am setting up an Edge Transport server without using EdgeSync. I have successfully enabled TLS certificates on both internal Hub Transport Servers, and also on the Edge Transport server, using my Internal PKI. For the edge server, I have imported the Trusted Root CA certificate chain from my PKI.
I can send email externally OK. However, when I receive email from the internet and the Edge relays to the Hub, I receive an error that the Edge transport cannot validate the certificate of the Hub; specifically, the error is "RevocationOffline".
I have checked the certificates on all servers, and they have LDAP, HTTP and File "CRL Distribution Points" defined.
On the CA, I note that for the HTTP CDP, the option to "Publish CRLs to this location" is greyed out. However, the options for "Include in CRLs" and "Include in the CDP extension of issued certificates" are ticked. For file, everything except the last and second option is ticked. For LDAP, all but the last option is ticked.
I have allowed confirmed access to the HTTP location and also the file location from the Edge server. However, I still receive the error "RevocationOffline".
How come the option to Publish to HTTP CDP is greyed out? This is my next thought of where the problem lies.
Does anyone have any other ideas or solutions?
June 16th, 2012 3:30am
I have checked in pkiview.msc that both the CRL and Delta CRL CDP are OK.
I can browse to both HTTP locations from the Edge Transport server. However only the CRL location is located in the certificate, I assume this is used to find the delta HTTP URL.
When I download the CRL or Delta CRL file and look at the "Published CRL Locations" field, I only see the LDAP URL. Is this normal?
Any ideas, why the Edge server still cannot check the revocation status?
June 16th, 2012 3:39am
When I export the cert of the Hub, copy it to the Edge and run
certutil -verify -urlfetch cert.cer
it says Failed "CDP", which is the LDAP path.
It then says Verified "Base CRL (02)", which is the HTTP path.
June 16th, 2012 6:58pm
In regards to publishing the CRL to an HTTP CDP, ADCS does not support publishing to an HTTP CDP, and you need to make sure the CRL files are copied to the designated web server/site.
The "Published CRL Location" path is not used during validation, and for the delta CRL the "Freshest CRL" path is used to locate and download the delta. Make sure at least one CDP URL is reachable from the edge server and that the freshest CRL files are automatically published/copied to that location.
Are you using any HTTP proxy to access web resources when logged in as a user?
/Hasain
June 17th, 2012 4:28am
Thanks for the reply.
The HTTP URL is accessible from the Edge server. No proxy is being used; the Edge server is in the DMZ and HTTP traffic is routed to the internal CRL.
Below is the output of running certutil -verify -urlfetch on the Edge server. As you can see, this command says it successfully verifies. All that I can think is that it is failing on the LDAP paths and for some reason is not trying the HTTP URLs.
Are you able to see anything else wrong with the output?
C:\Users\Administrator>certutil -verify -urlfetch c:\exchange.cer
Issuer:
CN=SUBCA
DC=company
DC=net
DC=au
Subject:
CN=mail.company.net.au
OU=IT
O=company
L=Brisbane
S=QLD
C=AU
Cert Serial Number: 61f95c1e000000000008
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 8 Minutes, 18 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 8 Minutes, 18 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SUBCA, DC=company, DC=net, DC=au
NotBefore: 17/06/2012 5:38 PM
NotAfter: 17/06/2014 5:38 PM
Subject: CN=mail.company.net.au, OU=IT, O=company, L=Brisbane, S=QLD, C=AU
Serial: 61f95c1e000000000008
SubjectAltName: DNS Name=mail.company.net.au, DNS Name=autodiscover.company.net.
au, DNS Name=servername1.company.net.au, DNS Name=servername2.company.net.au
Template: WebServer
7b 68 57 a7 97 21 49 de a6 11 ff 7d 80 1a 37 2e b8 8d fa d0
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The specified network resource or device is no longer
available. 0x80070037 (WIN32: 55)
ldap:///CN=SUBCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configurat
ion,DC=company,DC=net,DC=au?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] http://servername.company.net.au/CertEnroll/servername.company.net.au_SUBCA.
crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer
available. 0x80070037 (WIN32: 55)
ldap:///CN=SUBCA,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?objectClas
s=cRLDistributionPoint
Verified "Base CRL (03)" Time: 0
[1.0] http://servername.company.net.au/CertEnroll/SUBCA.crl
Verified "Delta CRL (03)" Time: 0
[1.0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (03)" Time: 0
[0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 03:
Issuer: CN=SUBCA, DC=company, DC=net, DC=au
f2 00 a7 e8 f7 89 3c fa ad 47 42 1e 15 d9 8c a8 4d 87 29 40
Delta CRL 03:
Issuer: CN=SUBCA, DC=company, DC=net, DC=au
96 dc 5b 4b e3 f6 c5 3a 0e 46 96 2e 15 1d c9 e0 d6 4b 86 b9
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=company-ROOTCA
NotBefore: 17/06/2012 1:19 PM
NotAfter: 17/06/2022 1:29 PM
Subject: CN=SUBCA, DC=company, DC=net, DC=au
Serial: 122c101c000000000003
Template: SubCA
36 36 47 1f da 7e c4 bc 2e 51 fd 06 27 c7 38 93 49 b4 5c 31
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The specified network resource or device is no longer
available. 0x80070037 (WIN32: 55)
ldap:///CN=company-ROOTCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Co
nfiguration,DC=company,DC=net,DC=au?cACertificate?base?objectClass=certificationA
uthority
Verified "Certificate (0)" Time: 0
[1.0] http://servername.company.net.au/CertEnroll/ROOTCA_company-ROOTCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer
available. 0x80070037 (WIN32: 55)
ldap:///CN=company-ROOTCA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Serv
ices,CN=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?obje
ctClass=cRLDistributionPoint
Verified "Base CRL (05)" Time: 0
[1.0] http://servername.company.net.au/CertEnroll/company-ROOTCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 05:
Issuer: CN=company-ROOTCA
60 49 94 04 05 fe 8d bd 7b 5a dc 91 28 82 f0 87 20 f4 16 2f
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=company-ROOTCA
NotBefore: 29/12/2011 10:52 PM
NotAfter: 29/12/2031 11:02 PM
Subject: CN=company-ROOTCA
Serial: 494184a83f01338441f6f4e4af188328
6f 7f df 5c 97 05 35 46 4a d1 c5 1e a0 a7 08 d7 23 3f 13 0b
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
05 80 ff 77 17 b0 e6 07 75 77 1e ec fe 86 03 37 69 ce cb bc
Full chain:
7a e3 77 48 e8 66 f4 03 2d a6 ee b0 26 0c 25 59 de 04 1f 8d
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
June 17th, 2012 5:07am
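Added example (not code from the thread or from Microsoft): a small parser for the text layout of `certutil -verify -urlfetch` as shown in the post above, which answers the two questions the thread turns on, Hasain's "is at least one CDP URL reachable from the edge server?" and the poster's "is anything else wrong with the output?". It assumes the layout seen in the output above (dashed section headers, `Failed "CDP"` / `Verified "Base CRL (03)"` status lines, then the URL, optionally prefixed with `[1.0]`). The sample input is an abridged copy of the thread's output with the wrapped lines joined, plus a constructed counter-example whose only CDP is an `ldap:///` URL. The `domain_joined` heuristic is my assumption: `ldap:///` CDP URLs are resolved through Active Directory, so they are expected to fail on a host that is not domain-joined, such as an Edge Transport server in a DMZ, and only a chain element with no working CDP URL of any scheme is actually "revocation offline".

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: abridged from the thread's certutil output, wrapped lines joined.
SAMPLE_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=mail.company.net.au, OU=IT, O=company, L=Brisbane, S=QLD, C=AU
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=SUBCA,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (03)" Time: 0
    [1.0] http://servername.company.net.au/CertEnroll/SUBCA.crl
  Verified "Delta CRL (03)" Time: 0
    [1.0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl
  ---------------- Base CRL CDP ----------------
  OK "Delta CRL (03)" Time: 0
    [0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=SUBCA, DC=company, DC=net, DC=au
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=company-ROOTCA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (05)" Time: 0
    [1.0] http://servername.company.net.au/CertEnroll/company-ROOTCA.crl
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=company-ROOTCA
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
"""

# Constructed counter-example: a certificate whose only CDP is ldap:///, which an
# off-domain Edge server cannot reach, so revocation really is offline for it.
ONLY_LDAP_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=hub.example.test
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=SUBCA,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
"""

ELEMENT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]:")
SUBJECT_RE = re.compile(r"^Subject:\s*(.+)$")
SECTION_RE = re.compile(r"^-+\s+(.+?)\s+-+$")          # "---- Certificate CDP ----"
STATUS_RE = re.compile(r'^(Failed|Verified|OK|No URLs)\s+"([^"]*)"')
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s+)?((?:ldap|https?|file):\S+)$")


def parse_certutil_verify(text):
    """Return (subjects, records): subjects maps chain element index -> Subject DN;
    records lists every fetched URL with its element, section, status and label."""
    subjects, records = {}, []
    element = section = status = label = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ELEMENT_RE.match(line):
            element, section, status = int(m.group(1)), None, None
        elif m := SUBJECT_RE.match(line):
            subjects[element] = m.group(1)
        elif m := SECTION_RE.match(line):
            section, status = m.group(1), None
        elif m := STATUS_RE.match(line):
            status, label = m.group(1), m.group(2)
        elif (m := URL_RE.match(line)) and section and status:
            records.append({"element": element, "section": section,
                            "status": status, "label": label, "url": m.group(1)})
    return subjects, records


def cdp_results(records):
    """Group only the 'Certificate CDP' fetches per chain element into ok/failed URLs."""
    per = defaultdict(lambda: {"ok": [], "failed": []})
    for r in records:
        if r["section"] != "Certificate CDP":
            continue
        bucket = "ok" if r["status"] in ("Verified", "OK") else "failed"
        per[r["element"]][bucket].append(r["url"])
    return dict(per)


def diagnose(text, domain_joined=False):
    """One finding per chain element that carries CDP URLs (root with 'No URLs' is skipped)."""
    subjects, records = parse_certutil_verify(text)
    findings = []
    for element, res in sorted(cdp_results(records).items()):
        failed_schemes = sorted({urlsplit(u).scheme for u in res["failed"]})
        name = subjects.get(element, f"element {element}")
        if res["ok"]:
            # Assumption: ldap:/// needs AD access, so its failure is normal off-domain.
            note = " (ldap failure expected off-domain)" if failed_schemes == ["ldap"] and not domain_joined else ""
            findings.append(f"{name}: revocation checkable via {res['ok'][0]}{note}")
        else:
            findings.append(f"{name}: REVOCATION OFFLINE, no reachable CDP URL; failed schemes {failed_schemes}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_OUTPUT) + diagnose(ONLY_LDAP_OUTPUT):
        print(finding)
```

Run against the thread's output, every element with a CDP has a working HTTP URL, which is why certutil itself reports success; the constructed counter-example shows what the parser reports when the HTTP CDP is missing or unreachable. The parser can be fed the live output of `certutil -verify -urlfetch <cert>` on the Edge server to compare what the command fetches with what the transport service would need.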
Hello,
Thank you for your post.
This is a quick note to let you know that we are performing research on this issue.
Best Regards
Elytis Cheng
TechNet Community Support
June 26th, 2012 10:33pm