The signature of the certificate can not be verified. Win 2008 CA
Network details:
Two domains: domain.ad and child.domain.ad. Two-tier CA hierarchy:
Root CA: SERVERCAROT1, Win 2008 Ent, Standalone
Issuing CA: SERVERCAISU1, Win 2008 Ent, Domain member (child.domain.ad)
CA install settings: CSP - Microsoft Strong CSP, hash - SHA1
Post-install script on Issuing CA:

certutil -setreg CA\DSConfigDN CN=Configuration,DC=domain,DC=ad
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 4
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://cert.CHILD.domain.ad/CertEnroll/%3%8%9.crl\n6:http://%1/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://cert.CHILD.domain.ad/CertEnroll/%1_%3%4.crt\n2:http://%1/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\AuditFilter 127
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
net stop certsvc & net start certsvc
certutil -crl

Copied the template (RAS & IAS) and created a new template with the name DOMAIN Server authentication.
On the new template gave READ and ENROLL permissions to CHILD\Authenticated Users and CHILD\Domain Computers.
Copied all Root/Issuing CA certs and CRLs under http://cert.CHILD.domain.ad/CertEnroll. Checked via PKIVIEW at the Issuing CA; everything was okay. Issued a Server authentication certificate to SERVERVPN002 (Windows 2003). When the cert was installed on the server, the server showed these errors:

The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered.
The signature of the certificate cannot be verified.
The server has the certificate of the root CA in its Trusted Root CA store (already published into AD with certutil -dspublish).
The server can validate the certificate of the root CA and the issuing CA but cannot validate its own cert.
When the same certificate is checked on a 2008 server or Win7, they can validate the cert.
I already checked KB938397, but I think I am not using SHA2 anywhere. Even the CSP is Microsoft Strong CSP, which was supported in 2003.
I checked from SERVERVPN002: I can access the CDP and AIA paths, and I can download the CA cert and CRL.
Here is the output of certutil -urlfetch -verify:
Issuer:
CN=DOMAIN Issuing CA
DC=CHILD
DC=DOMAIN
DC=ad
Subject:
E=MAILID@na.DOMAIN.com
CN=SERVERVPN002.CHILD.DOMAIN.ad
OU=SALES
O=DOMAIN Technologies
L=Milton
S=GA
C=US
Cert Serial Number: 142661aa000000000004
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000048
Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
Subject: E=MAILID@na.DOMAIN.com, CN=SERVERVPN002.CHILD.DOMAIN.ad, OU=SALES, O=DOMAIN Technologies, L=Milton, S=GA, C=US
Serial: 142661aa000000000004
Template: 1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] ldap:///CN=DOMAIN%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (0)" Time: 18
[1.0]
http://cert.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
Wrong Issuer "Certificate (0)" Time: 4
[2.0]
http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
---------------- Certificate CDP ----------------
Wrong Issuer "Base CRL (6)" Time: 0
[0.0] ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint
Wrong Issuer "Delta CRL (6)" Time: 0
[0.0.0] ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint
Wrong Issuer "Delta CRL (6)" Time: 4
[0.0.1]
http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
Wrong Issuer "Delta CRL (6)" Time: 18
[0.0.2]
http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
Wrong Issuer "Base CRL (6)" Time: 4
[1.0]
http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
Wrong Issuer "Delta CRL (6)" Time: 0
[1.0.0] ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint
Wrong Issuer "Delta CRL (6)" Time: 4
[1.0.1]
http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
Wrong Issuer "Delta CRL (6)" Time: 4
[1.0.2]
http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
Wrong Issuer "Base CRL (6)" Time: 18
[2.0]
http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
Wrong Issuer "Delta CRL (6)" Time: 0
[2.0.0] ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint
Wrong Issuer "Delta CRL (6)" Time: 4
[2.0.1]
http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
Wrong Issuer "Delta CRL (6)" Time: 4
[2.0.2]
http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
Subject: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
Serial: 13ea9a52000000000002
Template: SubCA
a5 3f f1 4b 80 f9 b1 c1 e1 f8 02 6b c7 de 08 e3 f0 c6 57 06
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No CRL "Certificate (0)" Time: 0
[0.0] ldap:///CN=DOMAIN%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=AD?cACertificate?base?objectClass=certificationAuthority
No CRL "Certificate (0)" Time: 18
[1.0]
http://cert.CHILD.DOMAIN.ad/CertEnroll/SERVERCAROT1_DOMAIN%20Root%20CA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (5)" Time: 4
[0.0]
http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Root%20CA.crl
Verified "Base CRL (5)" Time: 0
[1.0] ldap:///CN=DOMAIN%20Root%20CA,CN=SERVERCAROT1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=AD?certificateRevocationList?base?objectClass=cRLDistributionPoint
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 5:
Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
d3 c4 34 40 e9 e7 ac 92 41 73 df e7 90 4e f3 85 59 5f 01 5a
Issuance[0] = 1.3.6.1.4.1.311.21.8.2.840.113556.1.8000.1.402
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
Subject: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
Serial: 5cd703e9a488d8aa463b9999976fd21a
ea c2 7f 95 36 ea cb dd c8 b1 f3 a6 c2 68 ac b7 16 15 11 7b
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
c5 1d dd df 88 7f fa c2 79 a7 8f 6c 6e 3d 59 68 b4 9e 95 9a
Full chain:
e0 d6 a8 73 bb fe 26 7c 81 c2 98 e6 39 dd 93 66 e7 01 f5 eb
Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
Subject: E=MAILID@na.DOMAIN.com, CN=SERVERVPN002.CHILD.DOMAIN.ad, OU=SALES, O=DOMAIN Technologies, L=Milton, S=GA, C=US
Serial: 142661aa000000000004
Template: 1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
The signature of the certificate can not be verified. 0x80096004 (-2146869244)
------------------------------------
CertUtil: -verify command FAILED: 0x80096004 (-2146869244)
CertUtil: The signature of the certificate can not be verified.
I checked all the HTTP and LDAP paths shown after "Wrong Issuer"; all are accessible.
Please suggest.
Manoj
September 14th, 2011 11:12am
Used PKIVIEW.msc on a Windows 2003 server; everything was okay. Just the Delta CRLs were showing as expiring.
Manoj
September 14th, 2011 11:25am
How did you issue and install the certificate? How does the certificate behave when looking at it on the CA, if you simply verify the cert and dump its content using certutil on the CA server?
/Hasain
September 14th, 2011 1:01pm
This setting causes this issue: certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
You must disable alternate signature algorithms and re-issue the end certificate.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 14th, 2011 1:59pm
Issued the certificate via Web (http://server/CertSrv). Saved it as a .p7b and installed it on the server via the Certificates MMC. The certificate looks good on the CA server.

Output of certutil -verify at the Issuing CA:

Issuer:
CN=DOMAIN Issuing CA
DC=CHILD
DC=DOMAIN
DC=ad
Subject:
E=EMAILID@na.DOMAIN.com
CN=SERVERVPN002.CHILD.DOMAIN.ad
OU=SALES
O=DOMAIN Technologies
L=Milton
S=GA
C=US
Cert Serial Number: 142661aa000000000004
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 5 Days, 1 Hours, 9 Minutes, 20 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 1 Hours, 9 Minutes, 20 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
NotBefore: 9/9/2011 2:26 PM
NotAfter: 9/8/2013 2:26 PM
Subject: E=EMAILID@na.DOMAIN.com, CN=SERVERVPN002.CHILD.DOMAIN.ad, OU=SALES, O=DOMAIN Technologies, L=Milton, S=GA, C=US
Serial: 142661aa000000000004
Template: 1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 6:
Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
b7 47 1c f9 eb ee e0 4d 5d cb 75 04 e8 92 51 33 15 2a b8 29
Delta CRL 10:
Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
f4 aa 42 4a 05 1d 3e 35 c5 9f 49 0b 77 c9 19 ea d7 99 7f e7
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
NotBefore: 9/9/2011 1:20 PM
NotAfter: 9/9/2021 1:30 PM
Subject: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
Serial: 13ea9a52000000000002
Template: SubCA
a5 3f f1 4b 80 f9 b1 c1 e1 f8 02 6b c7 de 08 e3 f0 c6 57 06
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 5:
Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
d3 c4 34 40 e9 e7 ac 92 41 73 df e7 90 4e f3 85 59 5f 01 5a
Issuance[0] = 1.3.6.1.4.1.311.21.8.2.840.113556.1.8000.1.402
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
NotBefore: 9/8/2011 7:27 PM
NotAfter: 9/8/2031 7:37 PM
Subject: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
Serial: 5cd703e9a488d8aa463b9999976fd21a
ea c2 7f 95 36 ea cb dd c8 b1 f3 a6 c2 68 ac b7 16 15 11 7b
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
af e6 1e a5 a3 11 f0 d0 56 9f 10 6f f6 86 87 0a 69 f7 fc 77
Full chain:
c8 f2 a7 80 de f7 1f 3e 52 9e f9 57 17 f7 f5 2a cb 25 dd 1a
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Output of certutil -dump at the Issuing CA:
X509 Certificate:
Version: 3
Serial Number: 142661aa000000000004
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
Algorithm Parameters:
30 00
Issuer:
CN=DOMAIN Issuing CA
DC=CHILD
DC=DOMAIN
DC=ad
NotBefore: 9/9/2011 2:26 PM
NotAfter: 9/8/2013 2:26 PM
Subject:
E=EMAILID@na.DOMAIN.com
CN=SERVERVPN002.CHILD.DOMAIN.ad
OU=SALES
O=DOMAIN Technologies
L=Milton
S=GA
C=US
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
Certificate Extensions: 8
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
de 22 a0 21 8d 83 a5 ca f7 3e fc 66 ad 6f b3 0a 11 89 ac 1c
1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2e
Certificate Template Information
Template=1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
Major Version Number=100
Minor Version Number=4
2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=63 22 90 af 78 31 a0 ff 15 d5 a4 db 67 52 00 b1 53 43 81 4c
2.5.29.31: Flags = 0, Length = 158
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
URL=http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
1.3.6.1.5.5.7.1.1: Flags = 0, Length = 190
Authority Information Access
[1]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=ldap:///CN=DOMAIN%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?cACertificate?base?objectClass=certificationAuthority
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://cert.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
[3]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
2.5.29.37: Flags = 0, Length = 16
Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1a
Application Policies
[1]Application Certificate Policy:
Policy Identifier=Server Authentication
[2]Application Certificate Policy:
Policy Identifier=Client Authentication
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
Algorithm Parameters:
30 00
Signature: UnusedBits=0
Non-root Certificate
Key Id Hash(rfc-sha1): 03 ed 0c 33 76 78 a8 68 3a a5 71 ce 63 c8 50 fc 27 dc c5 96
Key Id Hash(sha1): de 22 a0 21 8d 83 a5 ca f7 3e fc 66 ad 6f b3 0a 11 89 ac 1c
Cert Hash(md5): 82 77 14 5f ff 9d d4 cf 2b ad c3 da 86 e5 fe 38
Cert Hash(sha1): 2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
CertUtil: -dump command completed successfully.
Another observation: my RADIUS server is published in AD and has ENROLL and READ permissions on the template. When I try to request a certificate via MMC > Certificates (my computer) > Personal > Request New Certificate, I get this error:
The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.
Though I have checked http://support.microsoft.com/kb/927066 and will try the solution, I just wanted to mention it in case it might be related.
Manoj
September 14th, 2011 2:04pm
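As an added example that is not part of the thread, this PowerShell script checks for the condition Vadims identified: it lists certificates in a store whose outer signature algorithm is RSASSA-PSS (OID 1.2.840.113549.1.1.10, the algorithm shown in the certutil -dump above) and, when run on the CA itself, reads the AlternateSignatureAlgorithm value from the CertSvc configuration registry key. The registry path and value names are assumed from standard AD CS configuration, and the store path is a parameter you may change.

```powershell
# Added example, not from the thread. Finds certificates signed with RSASSA-PSS
# (OID 1.2.840.113549.1.1.10), which a Windows 2008 CA emits when
# CA\csp\AlternateSignatureAlgorithm = 1 and which Windows 2003 relying parties
# reject with 0x80096004 ("The signature of the certificate can not be verified").

$PssOid = '1.2.840.113549.1.1.10'

# Part 1: run on any machine. Lists certificates in a store (default: the
# computer's Personal store) whose signature algorithm is RSASSA-PSS.
function Get-PssSignedCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.Value -eq $PssOid } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter,
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

# Part 2: run on the issuing CA. Reads the effective CSP setting from the
# registry key that "certutil -setreg CA\csp\..." writes to (assumed path:
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\CSP).
function Get-CaAlternateSignatureSetting {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")
    [pscustomobject]@{
        CAName                      = $caName
        AlternateSignatureAlgorithm = [int]$csp.AlternateSignatureAlgorithm  # missing value -> 0
        Provider                    = $csp.Provider
    }
}

# Report affected certificates on this host.
$affected = @(Get-PssSignedCertificate)
if ($affected.Count -gt 0) {
    Write-Warning "$($affected.Count) certificate(s) in LocalMachine\My are RSASSA-PSS signed; Windows 2003 will fail to validate them."
    $affected | Format-Table -AutoSize
}

# If this host runs Certificate Services, report the CA setting and the fix from the thread.
if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
    $ca = Get-CaAlternateSignatureSetting
    if ($ca.AlternateSignatureAlgorithm -eq 1) {
        Write-Warning "CA '$($ca.CAName)' has AlternateSignatureAlgorithm=1 (provider: $($ca.Provider)). Set it to 0, restart CertSvc, then re-issue the affected end-entity certificates:"
        Write-Host '  certutil -setreg CA\csp\AlternateSignatureAlgorithm 0'
        Write-Host '  net stop certsvc & net start certsvc'
    } else {
        Write-Host "CA '$($ca.CAName)': AlternateSignatureAlgorithm=$($ca.AlternateSignatureAlgorithm) (PKCS#1 v1.5 signatures)."
    }
}
```

Certificates already issued while the setting was 1 keep their PSS signature, so after changing the CA setting they still need to be re-enrolled, as Vadims notes.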
This setting causes this issue: certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
You must disable alternate signature algorithms and re-issue the end certificate.
Agree with Vadims, totally missed the AlternateSignatureAlgorithm!
/Hasain
September 14th, 2011 2:07pm