revocation check failure
Hi, I have the problem of a revocation checking failure.

My environment:
A Windows 2008 R2 OFFLINE ROOT CA (standard)
A Windows 2008 R2 ISSUING SUBCA (Enterprise)

When checking a certificate with certutil -verify -urlfetch cert.cer I got the following error on every server I run the command on (except the ISSUING CA itself):

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=ISSUING-CA1, DC=company, DC=lan
  NotBefore: 6/19/2012 3:12 PM
  NotAfter: 6/19/2014 3:12 PM
  Subject: CN=Helpdesk, OU=ICT, OU=Utenti, DC=company, DC=lan
  Serial: 2eeb721600030000003f
  SubjectAltName: Other Name:Principal Name=helpdesk@company.com
  Template: Smartcard Logon
  99 36 cf 22 c5 f1 3a ee 04 8b 55 ea c5 c6 03 ae ac 1b f1 03
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

The ROOT CA AIA and CDP are set to http://pki.company.com/ca/.....
The ISSUING CA AIA and CDP are set to http://pki.company.com/ca/.....

Can anyone help me? Thanks
June 20th, 2012 9:27am
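The dwErrorStatus bitmask and the AIA/CDP fetch sections in the first post are what tell an unreachable CRL apart from a genuinely revoked certificate. The parser below is an added example, not code from the thread: it decodes the CERT_TRUST_* error bits for each chain element and reports the CDP fetch outcome beside any REVOCATION_STATUS_UNKNOWN. The sample dump is constructed, and the format of certutil's "Failed" line in it is an assumption.

```python
import re
# CERT_TRUST_* error bits (wincrypt.h); certutil prints dwErrorStatus in hex without 0x (1000040 = 0x1000000|0x40).
ERROR_FLAGS = {0x4: "CERT_TRUST_IS_REVOKED", 0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
               0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT", 0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}
ELEMENT_RE = re.compile(r"CertContext\[\d+\]\[(\d+)\]:\s+dwInfoStatus=\w+\s+dwErrorStatus=(\w+)")
SECTION_RE = re.compile(r"^-+\s+(.+?)\s+-+$")   # e.g. "----  Certificate CDP  ----"
URL_RE = re.compile(r"https?://\S+")

def decode_error_status(hex_value):
    return [name for bit, name in ERROR_FLAGS.items() if int(hex_value, 16) & bit]

def parse_certutil_verify(text):
    # One dict per chain element: decoded error flags plus the outcome of each URL-fetch section.
    elements, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        elem, sec = ELEMENT_RE.match(line), SECTION_RE.match(line)
        if elem:
            elements.append({"index": int(elem.group(1)),
                             "errors": decode_error_status(elem.group(2)), "fetch": {}})
            section = None
        elif sec and elements:
            section = sec.group(1)
            elements[-1]["fetch"][section] = {"status": None, "urls": []}
        elif section is not None:
            entry, url = elements[-1]["fetch"][section], URL_RE.search(line)
            if url:
                entry["urls"].append(url.group(0))
            elif entry["status"] is None and line.startswith(("Verified", "Failed", "No URLs")):
                entry["status"] = line.split('"')[0].strip()   # Verified / Failed / No URLs
    return elements

def diagnose(text):
    # Tie REVOCATION_STATUS_UNKNOWN on an element back to the CDP fetch that did not verify.
    findings = []
    for el in parse_certutil_verify(text):
        if "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" in el["errors"]:
            cdp = el["fetch"].get("Certificate CDP", {"status": None, "urls": []})
            findings.append("element %d: CRL fetch %s for %s" % (
                el["index"], cdp["status"] or "missing", ", ".join(cdp["urls"]) or "no CDP URL"))
    return findings

# Constructed sample modelled on the first post's element; the 'Failed' line format is assumed.
SAMPLE = """CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    http://pki.company.com/ca/ISSUING-CA1.crl
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (4e)" Time: 0
    [0.0] http://pki.company.com/CA/company-ROOT-CA.crl
"""
```

Run `diagnose(open("verify.txt").read())` on a saved `certutil -verify -urlfetch` dump to get one line per element whose CRL could not be checked.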

I've solved the issue; however, the smart card logon with Windows 7 fails due to a revocation check failure. What should I look for now? Any help is appreciated. Thanks
June 20th, 2012 10:45am

It sounds like you haven't solved the issue. Can you copy/paste the full 'certutil -verify -urlfetch' command output?

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
June 20th, 2012 11:02am

Hi Vadims, below is a verification of a revoked certificate. I ran this from a DC (which is not the CA).

Issuer: CN=company-CA1 DC=company DC=lan
Subject: CN=company Helpdesk OU=ICT OU=Marano OU=Utenti DC=company DC=lan
Cert Serial Number: 2eeb721600030000003f

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
ChainContext.dwRevocationFreshnessTime: 2 Hours, 21 Minutes, 23 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
SimpleChain.dwRevocationFreshnessTime: 2 Hours, 21 Minutes, 23 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=4
  Issuer: CN=company-CA1, DC=company, DC=lan
  NotBefore: 6/19/2012 3:12 PM
  NotAfter: 6/19/2014 3:12 PM
  Subject: CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan
  Serial: 2eeb721600030000003f
  SubjectAltName: Other Name:Principal Name=helpdesk@company.com
  Template: Pcotto Smartcard Logon
  99 36 cf 22 c5 f1 3a ee 04 8b 55 ea c5 c6 03 ae ac 1b f1 03
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.company.com/ca/company-CA1.crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0117)" Time: 0
    [0.0] http://pki.company.com/ca/company-CA1.crl
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 0115:
  Issuer: CN=company-CA1, DC=company, DC=lan
  47 31 e8 c4 e5 0c 15 77 f8 a6 c4 06 48 92 07 44 2c 10 e7 25
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
  Application[3] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=company-ROOT-CA
  NotBefore: 5/16/2012 5:28 PM
  NotAfter: 5/16/2017 5:38 PM
  Subject: CN=company-CA1, DC=company, DC=lan
  Serial: 610bcde900010000000c
  Template: SubCA
  c2 1b 95 b8 4f fb 76 27 51 dd 0a bc cc 0d d9 34 32 9c ea fc
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.company.com/CA/company-ROOT-CA.crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (4e)" Time: 0
    [0.0] http://pki.company.com/CA/company-ROOT-CA.crl
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 4e:
  Issuer: CN=company-ROOT-CA
  46 d0 e4 ec ea 38 e7 d2 ae 1e 66 ea 6a f9 2c a2 75 90 7d ee
  Issuance[0] = 1.3.6.1.4.1.311.21.43

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=company-ROOT-CA
  NotBefore: 3/28/2011 2:49 AM
  NotAfter: 5/16/2032 5:27 PM
  Subject: CN=company-ROOT-CA
  Serial: 0a2442a2cd6fcc8c44d4c1a7a4818a7b
  2e a1 96 ca 32 75 ac 0a a7 54 59 c2 b1 55 b1 74 c7 62 af 74
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.311.21.43

Exclude leaf cert:
  62 82 64 c3 07 33 3d a1 3a a4 00 07 c0 fe fc 0a 16 80 b9 d5
Full chain:
  0d 87 7e c1 ce bd 73 8a e2 5a da a2 6b 86 eb da e3 ba 3c bf
  Issuer: CN=company-CA1, DC=company, DC=lan
  NotBefore: 6/19/2012 3:12 PM
  NotAfter: 6/19/2014 3:12 PM
  Subject: CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan
  Serial: 2eeb721600030000003f
  SubjectAltName: Other Name:Principal Name=helpdesk@company.com
  Template: Pcotto Smartcard Logon
  99 36 cf 22 c5 f1 3a ee 04 8b 55 ea c5 c6 03 ae ac 1b f1 03
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=0)
CertUtil: -verify command completed successfully.
June 20th, 2012 11:25am

The second dump shows that the leaf certificate (Subject: CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan) is revoked.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
June 20th, 2012 2:28pm

Yes, I know it. I purposely posted a revoked certificate just to show that the verification works fine, but this is not the certificate I'm using for smart card logon. Thanks
June 20th, 2012 3:53pm

Then you should post the same output against the certificate that causes the revocation checking problems.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
June 20th, 2012 4:07pm

Here is the dump of a valid certificate:

Autorità emittente: CN=company-CA1 DC=company DC=lan
Soggetto: E=helpdesk@company.com CN=company Helpdesk OU=ICT OU=Marano OU=Utenti DC=company DC=lan
Numero di serie certificato: 3497bd70000300000049

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 12 Hours, 33 Minutes, 40 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 12 Hours, 33 Minutes, 40 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=company-CA1, DC=company, DC=lan
  NotBefore: 20/06/2012 17:39
  NotAfter: 20/06/2014 17:39
  Subject: E=helpdesk@company.com, CN=company Helpdesk, OU=ICT, OU=Marano, OU=Utenti, DC=company, DC=lan
  Serial: 3497bd70000300000049
  SubjectAltName: Altro nome:Nome principale=helpdesk@company.com, Nome RFC822=helpdesk@company.com
  Template: Pcotto Users
  17 80 4e 29 27 0f d2 5d a3 f0 dc fd 12 39 ee 02 67 8f bd ea
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  AIA certificato  ----------------
  Verificato "Certificato (0)" Ora: 0
    [0.0] http://pki.company.com/ca/company-CA1.crt
  ----------------  CDP certificato  ----------------
  Verificato "Base CRL (0117)" Ora: 0
    [0.0] http://pki.company.com/ca/company-CA1.crl
  ----------------  CDP Base CRL  ----------------
  Nessun URL "Nessuna" Ora: 0
  ----------------  OCSP certificato  ----------------
  Nessun URL "Nessuna" Ora: 0
  --------------------------------
  CRL 0117:
  Issuer: CN=company-CA1, DC=company, DC=lan
  c7 77 16 18 30 77 79 5e bd 09 6e 58 b8 1a 53 93 53 dd 55 a2
  Application[0] = 1.3.6.1.5.5.7.3.2 Autenticazione client
  Application[1] = 1.3.6.1.5.5.7.3.4 Posta elettronica sicura
  Application[2] = 1.3.6.1.4.1.311.10.3.4 Crittografia file system

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=company-ROOT-CA
  NotBefore: 16/05/2012 17:28
  NotAfter: 16/05/2017 17:38
  Subject: CN=company-CA1, DC=company, DC=lan
  Serial: 610bcde900010000000c
  Template: SubCA
  c2 1b 95 b8 4f fb 76 27 51 dd 0a bc cc 0d d9 34 32 9c ea fc
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  AIA certificato  ----------------
  Verificato "Certificato (0)" Ora: 0
    [0.0] http://pki.company.com/CA/company-ROOT-CA.crt
  ----------------  CDP certificato  ----------------
  Verificato "Base CRL (4e)" Ora: 0
    [0.0] http://pki.company.com/CA/company-ROOT-CA.crl
  ----------------  CDP Base CRL  ----------------
  Nessun URL "Nessuna" Ora: 0
  ----------------  OCSP certificato  ----------------
  Nessun URL "Nessuna" Ora: 0
  --------------------------------
  CRL 4e:
  Issuer: CN=company-ROOT-CA
  46 d0 e4 ec ea 38 e7 d2 ae 1e 66 ea 6a f9 2c a2 75 90 7d ee
  Issuance[0] = 1.3.6.1.4.1.311.21.43

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=company-ROOT-CA
  NotBefore: 28/03/2011 02:49
  NotAfter: 16/05/2032 17:27
  Subject: CN=company-ROOT-CA
  Serial: 0a2442a2cd6fcc8c44d4c1a7a4818a7b
  2e a1 96 ca 32 75 ac 0a a7 54 59 c2 b1 55 b1 74 c7 62 af 74
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  AIA certificato  ----------------
  Nessun URL "Nessuna" Ora: 0
  ----------------  CDP certificato  ----------------
  Nessun URL "Nessuna" Ora: 0
  ----------------  OCSP certificato  ----------------
  Nessun URL "Nessuna" Ora: 0
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.311.21.43

Exclude leaf cert:
  09 d5 1d 38 ea 9b a0 b8 bc cd 2a cb 2c 6d 24 fe 23 cd 80 d1
Full chain:
  44 08 04 cb 9a 2d a9 39 c3 d1 74 f9 8e fc b5 80 33 5d 27 7b
------------------------------------
Criteri di rilascio verificati: Nessuna
Criteri di applicazione verificati:
  1.3.6.1.5.5.7.3.2 Autenticazione client
  1.3.6.1.5.5.7.3.4 Posta elettronica sicura
  1.3.6.1.4.1.311.10.3.4 Crittografia file system
Controllo di revoca certificato foglia superato
CertUtil: - Esecuzione comando verify riuscita.
June 20th, 2012 10:07pm

Hi, the output is not in English, so please help by posting one in English.

Best regards, Jason Mei
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 21st, 2012 5:26am
