Question
Tuesday, October 13, 2015 12:03 AM
Hello everybody.
A Windows 2008 R2 Enterprise Root CA was migrated to a Windows 2012 R2 Offline Root CA + Sub CA.
The Root CRL was added to LDAP:
certutil –dspublish –f "C:\CDRootCA\Root Certificate.crl" "Certificate Authority..."
When a client requests a certificate, an error occurs:
Active Directory Certificate Services denied request 412 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK). Additional information: Error Constructing or Publishing Certificate
When testing with
certutil -verify -urlfetch subca.cer
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
Revocation check skipped - server offline
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
In the second test:
certutil -url subca.cer
CRL (from CDP) - Failed
I would be very grateful for a tip.
MCITP, MCSE. Regards, Oleg
All replies (5)
Tuesday, October 13, 2015 2:29 PM ✅Answered
Issue closed.
After adding the CRL to LDAP, the SubCA had to be reissued.
When the SubCA is issued, the Root CA's CRL is checked. Because it was missing, the SubCA was issued marked with:
Revocation Status: The revocation function was unable to check revocation for the certificate.
After re-signing the SubCA, certificates are issued.
MCITP, MCSE. Regards, Oleg
Tuesday, October 13, 2015 5:18 AM
Can you post a full dump of the "certutil -verify -urlfetch subca.cer" command?
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: www.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
Tuesday, October 13, 2015 6:44 AM
Hi,
Please make sure that the client is able to access at least one of the CDPs listed in subca.cer.
Best Regards.
Steven Lee
Tuesday, October 13, 2015 12:21 PM
Issuer:
CN=Company Certificate Authority
DC=Company
DC=org
Name Hash(sha1): 12a8fbb0998c92c2f73486e3ac5f96a3e6ab1765
Name Hash(md5): 4f4bcf3f9004ce434d07e46bfc695afc
Subject:
CN=Company Certificate Subordinate Authority
OU=Information Systems
O=Company Org
C=US
Name Hash(sha1): 776d6fc95204a474354401817065e4844acb58b1
Name Hash(md5): 3977a4d60c49cfbd4756951f2a83472c
Cert Serial Number: 6123302d000200002e69
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
CERT_CHAIN_CONTEXT
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=Company Certificate Authority, DC=Company, DC=org
NotBefore: 10/11/2015 11:07 PM
NotAfter: 6/5/2019 3:17 PM
Subject: CN=Company Certificate Subordinate Authority, OU=Information Systems, O=Company Org, C=US
Serial: 6123302d000200002e69
Template: SubCA
1b17a47351692f2a078dd5b75d3d11f30d3414d7
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Certificate AIA
Verified "Certificate (0)" Time: 0
[0.0] ldap:///CN=Company%20Association%20Certificate%20Authority,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=org?cACertificate?base?objectClass=certificationAuthority
Certificate CDP
Failed "CDP" Time: 0
Error retrieving URL: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
ldap:///CN=Company%20Association%20Certificate%20Authority(1),CN=RootPKI,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
Certificate OCSP
No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Company Certificate Authority, DC=Company, DC=org
NotBefore: 5/29/2009 7:04 PM
NotAfter: 6/5/2019 3:17 PM
Subject: CN=Company Certificate Authority, DC=Company, DC=org
Serial: 7ae9fcca60829fa64cbd39bf99e729b7
e7746458a96f7aea98eb8aa5623267b5baa76500
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Certificate AIA
No URLs "None" Time: 0
Certificate CDP
Expired "Base CRL (0764)" Time: 0
[0.0] ldap:///CN=Company%20Association%20Certificate%20Authority(1),CN=oldEnterprice01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (0764)" Time: 0
[0.0.0] ldap:///CN=Company%20Association%20Certificate%20Authority(1),CN=oldEnterprice01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=org?deltaRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
[0.1.0] http://oldEnterprice01.Company.org/CertEnroll/Company%20Association%20Certificate%20Authority(1)+.crl
Verified "Base CRL (0cfb)" Time: 0
[1.0] http://oldEnterprice01.Company.org/CertEnroll/Company%20Association%20Certificate%20Authority(1).crl
Certificate OCSP
No URLs "None" Time: 0
Exclude leaf cert:
1b17a47351692f2a078dd5b75d3d11f30d3414d7
Full chain:
f3dbdace25cdcccb69a1e48a75aa48aacf1da941
Issuer: CN=Company Certificate Authority, DC=Company, DC=org
NotBefore: 10/11/2015 11:07 PM
NotAfter: 6/5/2019 3:17 PM
Subject: CN=Company Certificate Subordinate Authority, OU=Information Systems, O=Company Org, C=US
Serial: 6123302d000200002e69
Template: SubCA
1b17a47351692f2a078dd5b75d3d11f30d3414d7
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
Revocation check skipped -- server offline
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
Found.
The problem is the CDP: the only CRL checking point is LDAP.
The new Root CA is offline and does not write to LDAP.
Certificate CDP
Failed "CDP" Time: 0
Error retrieving URL: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
ldap:///CN=Company%20Association%20Certificate%20Authority(1),CN=RootPKI,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
Now I need to figure out how to write the CRL to this path:
ldap:///CN=Company%20Association%20Certificate%20Authority(1),CN=RootPKI,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
MCITP, MCSE. Regards, Oleg
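The root cause found above (the SubCA certificate's only CDP is an LDAP URL, and an offline root cannot write to AD itself) and the accepted answer (publish the root CRL to LDAP, then reissue the SubCA) are the two halves of one procedure. The script below, an added example that is not part of the thread, performs it from a domain-joined host: it reads the LDAP CDP URL out of the SubCA certificate, publishes the offline root's certificate and CRL with certutil -dspublish into the container that URL actually names, flushes the local CRL cache, and re-runs the thread's own certutil -verify -urlfetch test. The file paths, the .crt name for the exported root certificate and the function names are assumptions; the container name comes from the certificate at run time (in this thread's dump it is RootPKI).

```powershell
# Added example (not from the thread): publish an offline root CA's CRL into the
# LDAP CDP container that the Sub CA certificate names, then re-verify the chain.
# Assumptions: the CRL and root certificate were exported from the offline root to
# C:\CDRootCA (the thread only shows the .crl path), subca.cer is the Sub CA cert,
# and this runs on a domain-joined host with rights to write under
# CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration (e.g. Enterprise Admins).
param(
    [string]$RootCrl  = 'C:\CDRootCA\Root Certificate.crl',
    [string]$RootCer  = 'C:\CDRootCA\Root Certificate.crt',
    [string]$SubCaCer = 'C:\CDRootCA\subca.cer'
)

# Pull the LDAP CDP URL out of the Sub CA certificate. certutil -dump prints it as
# URL=ldap:///CN=<CA name>(<key index>),CN=<container>,CN=CDP,...?certificateRevocationList?...
# The second RDN is the DSCDPContainer argument certutil -dspublish needs; publishing
# anywhere else leaves this exact URL returning ERROR_FILE_NOT_FOUND, as in the dump.
function Get-LdapCdpContainer([string]$CertPath) {
    $dump  = certutil -dump $CertPath | Out-String
    $match = [regex]::Match($dump, 'ldap:///(?<url>[^\s]+certificateRevocationList)')
    if (-not $match.Success) { throw "No LDAP CDP URL found in $CertPath" }
    $dn = [uri]::UnescapeDataString($match.Groups['url'].Value)
    # Naive RDN split: adequate unless the CA name itself contains a comma.
    $rdns = $dn.Split('?')[0].Split(',')
    return ($rdns[1] -replace '^CN=', '')
}

function Publish-OfflineRootToAd([string]$Cer, [string]$Crl, [string]$Container) {
    # Root certificate -> Certification Authorities and AIA containers.
    certutil -dspublish -f $Cer RootCA
    if ($LASTEXITCODE -ne 0) { throw "Publishing $Cer failed ($LASTEXITCODE)" }
    # CRL -> CN=<CA name>,CN=<Container>,CN=CDP,... which is what the Sub CA cert points at.
    certutil -dspublish -f $Crl $Container
    if ($LASTEXITCODE -ne 0) { throw "Publishing $Crl to $Container failed ($LASTEXITCODE)" }
}

# Re-run the thread's test with a cold cache and return $true only if the chain
# carries no revocation errors. certutil has no structured output, so scan the text.
function Test-SubCaRevocation([string]$CertPath) {
    certutil -urlcache '*' delete | Out-Null      # drop cached CRLs so the test hits LDAP again
    $out = certutil -verify -urlfetch $CertPath | Out-String
    $bad = @(
        'CERT_TRUST_IS_OFFLINE_REVOCATION',
        'CERT_TRUST_REVOCATION_STATUS_UNKNOWN',
        'Failed "CDP"',
        'No IDP Intersection'   # a CRL was found, but its IDP extension does not cover this cert's CDP
    )
    $hits = $bad | Where-Object { $out -match [regex]::Escape($_) }
    if ($hits) { Write-Warning ("Chain still has revocation problems: " + ($hits -join ', ')) }
    return (-not $hits)
}

$container = Get-LdapCdpContainer -CertPath $SubCaCer
Write-Host "Sub CA CDP points at container CN=$container,CN=CDP,... ; publishing there."
Publish-OfflineRootToAd -Cer $RootCer -Crl $RootCrl -Container $container

# The new object must replicate to the DC the CA and clients query before the test can pass.
if (Test-SubCaRevocation -CertPath $SubCaCer) {
    Write-Host "Revocation check OK. Restart the Sub CA so it rebuilds its own chain: Restart-Service certsvc"
} else {
    Write-Host "Still failing: check AD replication, or the CRL's IDP against this certificate's CDP."
}
```

Two practitioner notes. First, the chain flags in the dump show CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, so the stale oldEnterprice01 CDP URLs on the root certificate itself are not what fails; only the SubCA certificate's CDP matters, and that certificate had a single LDAP URL and no HTTP fallback. Second, the tempting shortcut of telling the Sub CA to ignore offline revocation servers (the CRLF_REVCHECK_IGNORE_OFFLINE CA flag) silences request 412 without making the CRL reachable to any client; publishing the CRL where the CDP says it is, and reissuing the SubCA as the accepted answer did, is the fix.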
Tuesday, October 13, 2015 1:33 PM
Added the CRL to LDAP. The test output changed, but the error remains the same.
Output:
Certificate CDP
No IDP Intersection "Base CRL (0cfb)" Time: 0
Error:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
Revocation check skipped - server offline
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
MCITP, MCSE. Regards, Oleg