Question
Thursday, April 5, 2012 1:12 PM
Hi,
installing ADCS Enterprise issuing CA running on Win2008 R2. The windows CA is a sub CA, an offline Root CA has issued the CA certificate.
When trying to "Install CA Certificate" this error message is displayed:
active directory certificate services cannot verify certificate chain. Do you wish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
Using certutil -verify -urlfetch WinCACert.crt shows that there's a CDP Problem
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Certificate CDP
Bad Cert Issuer "Base CRL (08)" Time: 0
[0.0] http://crl.domain.com/RootCA.crl
Bad Cert Issuer "Base CRL (08)" Time: 0
[1.0] ldap:///CN=RootCA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configura
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
Revocation check skipped -- server offline
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
In internet explorer, I can type in http://crl.domain.com/RootCA.crl and download the crl, so it seems to be reachable.
I have imported the Root CA certificate and CRL to local certificate store + published them to AD.
Any suggestions? They are most welcome!
Regards, Daniel
All replies (15)
Thursday, April 12, 2012 10:45 AM ✅Answered
We opened a case with MS support.
From MS support: the issuer field of the CA certificate has the CERT_RDN_UTF8_STRING encoding format while the CRL is signed by a certificate which (appears identical but) has the CERT_RDN_PRINTABLE_STRING encoding format
During the certificate chain validation (from the end entity to a trusted root) the KeyId is used to create the certificate chain and it works independently of the subject and issuer codification (PrintableString or UTF8)
During the status validation, a binary comparison is made between the certificate issuer and the CRL issuer, so both fields must use the same codification in order to match (PrintableString or UTF8)
We must re-issue and re-publish the CRLs from the Root CA and make sure the encoding of the issuer field matches
Thursday, April 5, 2012 3:05 PM
the error indicates that CRL (in the CDP links) was signed by other CA, not the CA that signed your CA's certificate.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
Saturday, April 7, 2012 2:43 PM
ok, that's interesting. I suppose that SERIALNUMBER and CN values in the CRLs issuer field should match the serial number of the root CA Cert. Do you know of any additional methods of verifying if the CRL was signed by the same CA Cert that I've imported into AD and the local cert store?
Saturday, April 7, 2012 4:49 PM
The best match method is to compare Authority Key Identifier (AKI) extension in CRL and Subject Key Identifier (SKI) extension in issuer certificate. Also, you may need to check whether the signature in CRL is valid (a time ago I had similar issue, when CRL was damaged, but showed in UI normally).
Saturday, April 7, 2012 7:17 PM
thanks, will compare AIA and SKI. How did you detect the error in the damaged CRL?
Best regards, Daniel
Saturday, April 7, 2012 8:59 PM
By verifying CRL signature against issuer certificate.
p.s. not AIA, but AKI.
Tuesday, April 10, 2012 8:15 AM
Subject Key Identifier (SKI) of the Root CA certificate matches Authority Key Identifier (AKI) of the CRL.
Can the CRL still be damaged?
Tuesday, April 10, 2012 8:28 AM
yes. You can try to use my PowerShell PKI module ( http://pspki.codeplex.com/ ) which contains extensions for X.509 CRL profile. Also I have a blog post about this issue: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=64
When you install the module, open PowerShell console (elevation is not required) and type:
Import-Module PSPKI
$crl = Get-CRL -Path "path\file.crl"
$crl.VerifySignature("path\issuer.cer")
if the method returns True, then CRL file is valid and wasn't changed since CA has signed it.
Tuesday, April 10, 2012 12:34 PM
cool, will try the PowerShell PKI module later today. I've renewed the Root CA CRL; the error remains the same. This error does not occur in another test environment. I've compared Root CA cert + Root CA CRL + WinCA cert in both environments, they look the same. I've executed certutil -verify -urlfetch WinCACert.crt from a Windows 7 PC, same error as on the CA server. Strange.
Tuesday, April 10, 2012 2:35 PM
method returns True
Import-Module PSPKI
$crl = Get-CRL -Path "path\RootCA.crl"
$crl.VerifySignature("path\RootCA.cer")
Using certutil -verify -urlfetch WinCACert.crt still shows that there´s a CDP Problem
Regards, Daniel
Tuesday, April 10, 2012 7:25 PM
can you send me these files (CA cert and CRL)? vpodans&sysadmins.lv
Thursday, April 12, 2012 10:46 AM
Thanks for your assistance, much appreciated!
Thursday, April 12, 2012 11:23 AM
And still, can I ask you to send me these files? I'll look into and will try to improve my PS module.
also, did they tell you how this issue happens? Why didn't the CA server follow the encoding rules for CRLs?
Monday, April 16, 2012 8:46 AM
Hi, I will check if this is ok.
BR, Daniel
Thursday, October 12, 2017 9:40 AM
Interesting, is there a way to check the encoding of the issuer field?
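As an added example (not code from this thread and not part of the PSPKI module), the following Python script does the two comparisons the accepted answer describes and answers the question just above about checking the encoding of the issuer field. It decodes a DER X.501 Name, reports the ASN.1 string type of every attribute (PrintableString, UTF8String, ...), and compares a certificate's issuer Name against a CRL's issuer Name both as text (what the UI shows) and as raw bytes (what revocation checking uses). The two sample Names are constructed for the example; the issuer_from_cert/issuer_from_crl helpers follow the RFC 5280 Certificate and CertificateList layouts and can be pointed at real DER-encoded .cer/.crl files. The file names in the comment are placeholders taken from the thread.

```python
"""Issuer-Name matching the way revocation checking does it: byte for byte.

Chain building uses key identifiers (AKI/SKI), but the CRL lookup compares the
certificate's issuer Name with the CRL's issuer Name as raw DER. The same text
encoded as PrintableString (tag 0x13) and as UTF8String (tag 0x0C) differs.
Pure Python, no third-party modules; the sample Names below are constructed.
"""
TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x0C, 0x13
TAG_INTEGER, TAG_OID, TAG_SEQUENCE, TAG_SET, TAG_EXPLICIT_0 = 0x02, 0x06, 0x30, 0x31, 0xA0
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
               0x16: "IA5String", 0x1E: "BMPString"}
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0A": "O", b"\x55\x04\x0B": "OU",
             b"\x55\x04\x06": "C", b"\x55\x04\x05": "SERIALNUMBER"}

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_name(attrs, string_tag):
    """attrs: [(oid_bytes, text)]. Name ::= SEQUENCE OF SET OF SEQUENCE {type, value}."""
    rdns = b"".join(tlv(TAG_SET, tlv(TAG_SEQUENCE, tlv(TAG_OID, oid) + tlv(string_tag, text.encode())))
                    for oid, text in attrs)
    return tlv(TAG_SEQUENCE, rdns)

def read_tlv(buf, pos):
    """Return (tag, body, end) for the DER element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                                   # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_name(der):
    """Return [(attr, text, string_tag), ...] for every attribute in a DER Name."""
    tag, body, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)               # SET OF AttributeTypeAndValue
        spos = 0
        while spos < len(rdn):
            _, atv, spos = read_tlv(rdn, spos)          # SEQUENCE {type OID, value}
            _, oid, vpos = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, vpos)
            text = value.decode("utf-16-be" if vtag == 0x1E else "utf-8")
            attrs.append((OID_NAMES.get(oid, oid.hex()), text, vtag))
    return attrs

def describe_name(der):
    """The text a UI shows, plus the string type the UI hides."""
    return ", ".join(f"{n}={t} [{STRING_TAGS.get(tag, hex(tag))}]" for n, t, tag in decode_name(der))

def issuer_matches(cert_issuer_der, crl_issuer_der):
    """(text match, binary match). The first is what you see; revocation checking needs the second."""
    def as_text(der):
        return [(n, t) for n, t, _ in decode_name(der)]
    return as_text(cert_issuer_der) == as_text(crl_issuer_der), cert_issuer_der == crl_issuer_der

def _skip_optional(buf, pos, tag):
    return read_tlv(buf, pos)[2] if buf[pos] == tag else pos

def issuer_from_crl(crl_der):
    """tbsCertList ::= SEQUENCE { version INTEGER OPTIONAL, signature, issuer Name, ... } (RFC 5280)"""
    _, tbs, _ = read_tlv(read_tlv(crl_der, 0)[1], 0)
    pos = read_tlv(tbs, _skip_optional(tbs, 0, TAG_INTEGER))[2]    # skip version, then signature
    return tbs[pos:read_tlv(tbs, pos)[2]]                           # raw issuer Name TLV

def issuer_from_cert(cert_der):
    """tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer Name, ... }"""
    _, tbs, _ = read_tlv(read_tlv(cert_der, 0)[1], 0)
    pos = read_tlv(tbs, _skip_optional(tbs, 0, TAG_EXPLICIT_0))[2]  # skip version, then serialNumber
    pos = read_tlv(tbs, pos)[2]                                      # signature AlgorithmIdentifier
    return tbs[pos:read_tlv(tbs, pos)[2]]

# Constructed sample: identical text, different DER string types (the situation in the accepted answer).
ROOT_DN = [(b"\x55\x04\x03", "RootCA"), (b"\x55\x04\x0A", "Example")]
CERT_ISSUER = encode_name(ROOT_DN, TAG_UTF8STRING)       # issuer field of the sub-CA certificate
CRL_ISSUER = encode_name(ROOT_DN, TAG_PRINTABLESTRING)   # issuer field of the Root CA CRL

if __name__ == "__main__":
    # For real DER files (placeholder names): issuer_matches(issuer_from_cert(open("WinCACert.crt", "rb").read()),
    #                                                        issuer_from_crl(open("RootCA.crl", "rb").read()))
    print("cert:", describe_name(CERT_ISSUER))
    print("crl: ", describe_name(CRL_ISSUER))
    print("text match, binary match:", issuer_matches(CERT_ISSUER, CRL_ISSUER))
```

Run against the constructed sample it reports a text match but no binary match, which is exactly the state the certutil output above describes: the chain builds (key identifiers match) while the CRL is rejected as coming from a different issuer. Files exported as base64 need base64-decoding before being passed to the helpers. On Windows, certutil -asn on the .cer and the .crl dumps the same structure and lets you read the string tag of each issuer attribute directly.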