revocation check failure
Hi,
I have a problem with revocation checking failure.
My environment:
A Windows 2008 R2 offline root CA (Standard)
A Windows 2008 R2 issuing sub CA (Enterprise)
When checking a certificate with
certutil -verify -urlfetch cert.cer
I get the following error on every server I run the command on (except the issuing CA itself):
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=ISSUING-CA1, DC=company, DC=lan
NotBefore: 6/19/2012 3:12 PM
NotAfter: 6/19/2014 3:12 PM
Subject: CN=Helpdesk, OU=ICT, OU=Utenti, DC=company, DC=lan
Serial: 2eeb721600030000003f
SubjectAltName: Other Name:Principal
Name=helpdesk@company.com
Template: Smartcard Logon
99 36 cf 22 c5 f1 3a ee 04 8b 55 ea c5 c6 03 ae ac 1b f1 03
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
The root CA AIA and CDP are set to http://pki.company.com/ca/.....
The issuing CA AIA and CDP are set to http://pki.company.com/ca/.....
Can anyone help me?
Thanks
June 20th, 2012 9:27am
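The two error flags in the dump above, CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40) and CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000), mean the chain engine could not obtain a usable CRL (or OCSP response) for the certificate at all, which is a different condition from the certificate being revoked. The script below is an added example, not code from the thread: it decodes the raw hex masks certutil prints (constants from wincrypt.h), and then reproduces the `certutil -verify -urlfetch` check from whatever machine it runs on using the .NET X509Chain class with online revocation checking and the root excluded, the same settings certutil shows as CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT. It also pulls the HTTP CDP URLs out of each certificate in the chain and fetches them directly, so an unreachable or 404 CRL is visible without guessing. The certificate path is a placeholder, and Invoke-WebRequest assumes PowerShell 3.0 or later (2008 R2 ships with 2.0).

```powershell
# Added example (not from the original thread). Decodes certutil's CERT_TRUST_* bitmasks and
# reproduces the revocation check via .NET X509Chain. Flag values are from wincrypt.h.

$ErrorStatusFlags = [ordered]@{
    0x1       = 'CERT_TRUST_IS_NOT_TIME_VALID'
    0x2       = 'CERT_TRUST_IS_NOT_TIME_NESTED'
    0x4       = 'CERT_TRUST_IS_REVOKED'
    0x8       = 'CERT_TRUST_IS_NOT_SIGNATURE_VALID'
    0x10      = 'CERT_TRUST_IS_NOT_VALID_FOR_USAGE'
    0x20      = 'CERT_TRUST_IS_UNTRUSTED_ROOT'
    0x40      = 'CERT_TRUST_REVOCATION_STATUS_UNKNOWN'
    0x80      = 'CERT_TRUST_IS_CYCLIC'
    0x100     = 'CERT_TRUST_INVALID_EXTENSION'
    0x200     = 'CERT_TRUST_INVALID_POLICY_CONSTRAINTS'
    0x400     = 'CERT_TRUST_INVALID_BASIC_CONSTRAINTS'
    0x800     = 'CERT_TRUST_INVALID_NAME_CONSTRAINTS'
    0x10000   = 'CERT_TRUST_IS_PARTIAL_CHAIN'
    0x1000000 = 'CERT_TRUST_IS_OFFLINE_REVOCATION'
    0x2000000 = 'CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY'
    0x4000000 = 'CERT_TRUST_IS_EXPLICIT_DISTRUST'
}
$InfoStatusFlags = [ordered]@{
    0x1     = 'CERT_TRUST_HAS_EXACT_MATCH_ISSUER'
    0x2     = 'CERT_TRUST_HAS_KEY_MATCH_ISSUER'
    0x4     = 'CERT_TRUST_HAS_NAME_MATCH_ISSUER'
    0x8     = 'CERT_TRUST_IS_SELF_SIGNED'
    0x100   = 'CERT_TRUST_HAS_PREFERRED_ISSUER'
    0x200   = 'CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY'
    0x400   = 'CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS'
    0x10000 = 'CERT_TRUST_IS_COMPLEX_CHAIN'
}

function ConvertFrom-CertTrustStatus {
    # certutil prints the masks as bare hex ("dwErrorStatus=1000040"); "0x..." is accepted too.
    param([Parameter(Mandatory)][string]$Hex, [switch]$Info)
    $value = [Convert]::ToUInt32(($Hex -replace '^0x', ''), 16)
    $table = if ($Info) { $InfoStatusFlags } else { $ErrorStatusFlags }
    $names = foreach ($bit in $table.Keys) { if ($value -band $bit) { $table[$bit] } }
    if ($value -and -not $names) { $names = @('unknown flags 0x{0:X}' -f $value) }
    [pscustomobject]@{ Value = ('0x{0:X}' -f $value); Flags = @($names) }
}

function Test-CertRevocation {
    # Same chain engine and per-machine CRL cache that certutil uses, so the result is comparable.
    param([Parameter(Mandatory)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($cert)

    $elements = foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'NoError' }

        # CRL Distribution Points extension (OID 2.5.29.31); only http(s) URLs are fetched here.
        $cdpChecks = @()
        $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) {
            $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s,;]+') | ForEach-Object { $_.Value }
            foreach ($u in $urls) {
                try {
                    $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
                    $cdpChecks += ('{0} -> HTTP {1}, {2} bytes' -f $u, $r.StatusCode, $r.RawContentLength)
                } catch {
                    $cdpChecks += ('{0} -> FAILED: {1}' -f $u, $_.Exception.Message)
                }
            }
        }
        [pscustomobject]@{ Subject = $el.Certificate.Subject; Status = $status; CdpChecks = $cdpChecks }
    }

    [pscustomobject]@{
        ChainBuilt  = $built
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Elements    = $elements
    }
}

# Usage: decode the values from the first post, then re-run the check against a certificate file.
ConvertFrom-CertTrustStatus 1000040
ConvertFrom-CertTrustStatus 102 -Info
Test-CertRevocation -CertPath 'C:\temp\cert.cer' | Format-List   # placeholder path (assumption)
```

Decoding 1000040 yields CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION, and 102 with -Info yields CERT_TRUST_HAS_KEY_MATCH_ISSUER and CERT_TRUST_HAS_PREFERRED_ISSUER, matching the dumps in the thread. Two things to keep in mind when reading the output: the X509Chain call shares the machine's CRL cache with certutil, so after fixing the CDP you may need `certutil -urlcache * delete` before a client stops reporting a stale result; and for smart card logon the check happens on both ends of the Kerberos PKINIT exchange, so the same script run on a DC against the user's certificate and on the Windows 7 client against the DC's certificate shows which side is failing to reach a CRL.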
I've solved the issue; however, smart card logon with Windows 7 fails due to revocation check failure.
What should I look for now?
Any help is appreciated.
Thanks
June 20th, 2012 10:45am
It sounds like you haven't solved the issue. Can you copy/paste the full 'certutil -verify -urlfetch' command output?
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
June 20th, 2012 11:02am
Hi Vadims,
Below is a verification of a revoked certificate.
I ran this from a DC (which is not the CA).
Issuer:
CN=company-CA1
DC=company
DC=lan
Subject:
CN=company Helpdesk
OU=ICT
OU=Marano
OU=Utenti
DC=company
DC=lan
Cert Serial Number: 2eeb721600030000003f
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
ChainContext.dwRevocationFreshnessTime: 2 Hours, 21 Minutes, 23 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
SimpleChain.dwRevocationFreshnessTime: 2 Hours, 21 Minutes, 23 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=4
Issuer: CN=company-CA1, DC=company, DC=lan
NotBefore: 6/19/2012 3:12 PM
NotAfter: 6/19/2014 3:12 PM
Subject: CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan
Serial: 2eeb721600030000003f
SubjectAltName: Other Name:Principal
Name=helpdesk@company.com
Template: Pcotto Smartcard Logon
99 36 cf 22 c5 f1 3a ee 04 8b 55 ea c5 c6 03 ae ac 1b f1 03
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://pki.company.com/ca/company-CA1.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (0117)" Time: 0
[0.0] http://pki.company.com/ca/company-CA1.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 0115:
Issuer: CN=company-CA1, DC=company, DC=lan
47 31 e8 c4 e5 0c 15 77 f8 a6 c4 06 48 92 07 44 2c 10 e7 25
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
Application[3] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=company-ROOT-CA
NotBefore: 5/16/2012 5:28 PM
NotAfter: 5/16/2017 5:38 PM
Subject: CN=company-CA1, DC=company, DC=lan
Serial: 610bcde900010000000c
Template: SubCA
c2 1b 95 b8 4f fb 76 27 51 dd 0a bc cc 0d d9 34 32 9c ea fc
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://pki.company.com/CA/company-ROOT-CA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (4e)" Time: 0
[0.0] http://pki.company.com/CA/company-ROOT-CA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 4e:
Issuer: CN=company-ROOT-CA
46 d0 e4 ec ea 38 e7 d2 ae 1e 66 ea 6a f9 2c a2 75 90 7d ee
Issuance[0] = 1.3.6.1.4.1.311.21.43
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=company-ROOT-CA
NotBefore: 3/28/2011 2:49 AM
NotAfter: 5/16/2032 5:27 PM
Subject: CN=company-ROOT-CA
Serial: 0a2442a2cd6fcc8c44d4c1a7a4818a7b
2e a1 96 ca 32 75 ac 0a a7 54 59 c2 b1 55 b1 74 c7 62 af 74
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Issuance[0] = 1.3.6.1.4.1.311.21.43
Exclude leaf cert:
62 82 64 c3 07 33 3d a1 3a a4 00 07 c0 fe fc 0a 16 80 b9 d5
Full chain:
0d 87 7e c1 ce bd 73 8a e2 5a da a2 6b 86 eb da e3 ba 3c bf
Issuer: CN=company-CA1, DC=company, DC=lan
NotBefore: 6/19/2012 3:12 PM
NotAfter: 6/19/2014 3:12 PM
Subject: CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan
Serial: 2eeb721600030000003f
SubjectAltName: Other Name:Principal
Name=helpdesk@company.com
Template: Pcotto Smartcard Logon
99 36 cf 22 c5 f1 3a ee 04 8b 55 ea c5 c6 03 ae ac 1b f1 03
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=0)
CertUtil: -verify command completed successfully.
June 20th, 2012 11:25am
The second dump shows that the leaf certificate (Subject: CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan) is revoked.
June 20th, 2012 2:28pm
Yes, I know.
I purposely posted a revoked certificate just to show that verification works fine, but this is not the certificate I'm using for smart card logon.
Thanks
June 20th, 2012 3:53pm
Then you should post the same output against the certificate that causes the revocation checking problems.
June 20th, 2012 4:07pm
Here is the dump of a valid certificate:
Issuer:
CN=company-CA1
DC=company
DC=lan
Subject:
E=helpdesk@company.com
CN=company Helpdesk
OU=ICT
OU=Marano
OU=Utenti
DC=company
DC=lan
Cert Serial Number: 3497bd70000300000049
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 12 Hours, 33 Minutes, 40 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 12 Hours, 33 Minutes, 40 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=company-CA1, DC=company, DC=lan
NotBefore: 20/06/2012 17:39
NotAfter: 20/06/2014 17:39
Subject: E=helpdesk@company.com, CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan
Serial: 3497bd70000300000049
SubjectAltName: Other Name:Principal Name=helpdesk@company.com, RFC822 Name=helpdesk@company.com
Template: Pcotto Users
17 80 4e 29 27 0f d2 5d a3 f0 dc fd 12 39 ee 02 67 8f bd ea
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://pki.company.com/ca/company-CA1.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (0117)" Time: 0
[0.0] http://pki.company.com/ca/company-CA1.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 0117:
Issuer: CN=company-CA1, DC=company, DC=lan
c7 77 16 18 30 77 79 5e bd 09 6e 58 b8 1a 53 93 53 dd 55 a2
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=company-ROOT-CA
NotBefore: 16/05/2012 17:28
NotAfter: 16/05/2017 17:38
Subject: CN=company-CA1, DC=company, DC=lan
Serial: 610bcde900010000000c
Template: SubCA
c2 1b 95 b8 4f fb 76 27 51 dd 0a bc cc 0d d9 34 32 9c ea fc
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://pki.company.com/CA/company-ROOT-CA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (4e)" Time: 0
[0.0] http://pki.company.com/CA/company-ROOT-CA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 4e:
Issuer: CN=company-ROOT-CA
46 d0 e4 ec ea 38 e7 d2 ae 1e 66 ea 6a f9 2c a2 75 90 7d ee
Issuance[0] = 1.3.6.1.4.1.311.21.43
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=company-ROOT-CA
NotBefore: 28/03/2011 02:49
NotAfter: 16/05/2032 17:27
Subject: CN=company-ROOT-CA
Serial: 0a2442a2cd6fcc8c44d4c1a7a4818a7b
2e a1 96 ca 32 75 ac 0a a7 54 59 c2 b1 55 b1 74 c7 62 af 74
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Issuance[0] = 1.3.6.1.4.1.311.21.43
Exclude leaf cert:
09 d5 1d 38 ea 9b a0 b8 bc cd 2a cb 2c 6d 24 fe 23 cd 80 d1
Full chain:
44 08 04 cb 9a 2d a9 39 c3 d1 74 f9 8e fc b5 80 33 5d 27 7b
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.4 Secure Email
1.3.6.1.4.1.311.10.3.4 Encrypting File System
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
June 20th, 2012 10:07pm
Hi,
The output is not in English, so please help by dumping one in English.
Best regards, Jason Mei
June 21st, 2012 5:26am