CRL Revocation always failed
Hi all,
I am trying to configure a RADIUS server (NPS); somehow client certificate authentication fails with the reason:
Reason = The revocation function was unable to check revocation because the revocation server was offline.
I then checked the client certificate with certutil -f -urlfetch -verify client7.cer; the result follows:
issuer:
cn=entca
dc=intra
dc=domain
dc=co
dc=sg
subject:
cn=computer.intra.domain.co.sg
cert serial number: 1c5b00de000000000041
dwflags = ca_verify_flags_allow_untrusted_root (0x1)
dwflags = ca_verify_flags_ignore_offline (0x2)
dwflags = ca_verify_flags_full_chain_revocation (0x8)
dwflags = ca_verify_flags_console_trace (0x20000000)
dwflags = ca_verify_flags_dump_chain (0x40000000)
chainflags = cert_chain_revocation_check_chain (0x20000000)
hcce_local_machine
cert_chain_policy_base
-------- cert_chain_context --------
chaincontext.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
chaincontext.dwerrorstatus = cert_trust_revocation_status_unknown (0x40)
chaincontext.dwerrorstatus = cert_trust_is_offline_revocation (0x1000000)
simplechain.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
simplechain.dwerrorstatus = cert_trust_revocation_status_unknown (0x40)
simplechain.dwerrorstatus = cert_trust_is_offline_revocation (0x1000000)
certcontext[0][0]: dwinfostatus=102 dwerrorstatus=1000040
issuer: cn=entca, dc=intra, dc=domain, dc=co, dc=sg
notbefore: 4/6/2013 9:40 pm
notafter: 7/5/2013 9:40 pm
subject: cn=client7.intra.domain.co.sg
serial: 1c5b00de000000000041
subjectaltname: dns name=client7.intra.domain.co.sg
template: test certificate template
ce e4 e7 c9 8b f5 b1 b2 cf 6d 53 a1 e1 cd 44 11 ec e6 f3 8f
element.dwinfostatus = cert_trust_has_key_match_issuer (0x2)
element.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
element.dwerrorstatus = cert_trust_revocation_status_unknown (0x40)
element.dwerrorstatus = cert_trust_is_offline_revocation (0x1000000)
---------------- certificate aia ----------------
verified "certificate (0)" time: 0
[0.0] http://webca/cert/entca.crt
verified "certificate (0)" time: 0
[1.0] ldap:///cn=entca,cn=aia,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?cacertificate?base?objectclass=certificationauthority
---------------- certificate cdp ----------------
verified "base crl (01)" time: 0
[0.0] http://webca/cert/entca.crl
failed "cdp" time: 0
error retrieving url: error 0x80190190 (-2145844848)
[0.0.0] http://webca/cert/%3%8%9.crl
failed "cdp" time: 0
error retrieving url: the specified server cannot perform the requested operation. 0x8007003a (win32: 58)
[0.1.0] ldap://myldapserver/cn=%7%8,cn=%2,cn=cdp,cn=public%20key%20services,cn=services,%6%10
verified "base crl (01)" time: 0
[1.0] ldap:///cn=entca,cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?certificaterevocationlist?base?objectclass=crldistributionpoint
failed "cdp" time: 0
error retrieving url: error 0x80190190 (-2145844848)
[1.0.0] http://webca/cert/%3%8%9.crl
failed "cdp" time: 0
error retrieving url: the specified server cannot perform the requested operation. 0x8007003a (win32: 58)
[1.1.0] ldap://myldapserver/cn=%7%8,cn=%2,cn=cdp,cn=public%20key%20services,cn=services,%6%10
---------------- base crl cdp ----------------
failed "cdp" time: 0
error retrieving url: error 0x80190190 (-2145844848)
http://webca/cert/%3%8%9.crl
failed "cdp" time: 0
error retrieving url: the specified server cannot perform the requested operation. 0x8007003a (win32: 58)
ldap://myldapserver/cn=%7%8,cn=%2,cn=cdp,cn=public%20key%20services,cn=services,%6%10
---------------- certificate ocsp ----------------
no urls "none" time: 0
--------------------------------
crl 01:
issuer: cn=entca, dc=intra, dc=domain, dc=co, dc=sg
69 6c 99 0c 15 ba 11 69 7d 32 72 6a 7a d9 52 7a 13 1d 03 9c
application[0] = 1.3.6.1.5.5.7.3.2 client authentication
crl 2b:
issuer: cn=rootca
5f 45 99 28 cf 6b 07 32 31 b7 58 de 0e a3 8c 8b ac 24 6b
certcontext[0][2]: dwinfostatus=10c dwerrorstatus=0
issuer: cn=rootca
notbefore: 12/2/2005 4:15 pm
notafter: 12/2/2021 4:21 pm
subject: cn=rootca
serial: 4de76da26f2ac5bf4e3b7ee613511a83
bb 64 62 48 93 fe da 36 14 6d 44 fe 57 37 36 8d c8 bc d2 81
element.dwinfostatus = cert_trust_has_name_match_issuer (0x4)
element.dwinfostatus = cert_trust_is_self_signed (0x8)
element.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
---------------- certificate aia ----------------
no urls "none" time: 0
---------------- certificate cdp ----------------
no urls "none" time: 0
---------------- certificate ocsp ----------------
no urls "none" time: 0
--------------------------------
verified issuance policies: none
verified application policies:
1.3.6.1.5.5.7.3.2 client authentication
error: verifying leaf certificate revocation status returned: the revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
certutil: the revocation function was unable to check revocation because the revocation server was offline.
certutil: -verify command completed successfully.
Can anyone tell me what is wrong with the configuration?
Other questions:
1. How do I change the Base CRL CDP configuration?
2. Why does the old LDAP certificate CDP still show up in the urlfetch output even though it was deleted? How do I delete the old LDAP certificate CDP?
Thanks.
Endrik
Endrik | Blog: itendrik.wordpress.com. Please remember to click "Mark as Answer" on the post that helps you, and click "Unmark as Answer" if a marked post does not answer your question. This can be beneficial to other community members reading the thread.
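The registry values and the certutil dump in the post above are easier to read once the CRLPublicationURLs format is decoded. The PowerShell below is an added example, not code from the original thread or from Microsoft: it splits each "<flags>:<url>" entry, names the CSURL_* flag bits, and expands the %-tokens the way the CA does, so you can predict which URLs land in a certificate's CDP extension (the "Certificate CDP" section of the dump) and which land inside the CRL itself (the "Base CRL CDP" section). It also flags literal %N tokens left in a fetched URL, like the "%3%8%9.crl" entries that fail in the dump, which the CA would normally have expanded before signing. The sample entries are the ones posted in this thread; the server DNS name and the other token values are assumptions.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Decodes AD CS CRLPublicationURLs entries ("<flags>:<url>") and expands their
# %-tokens the way the CA does when it writes the CDP extension into issued
# certificates and the Freshest CRL / IDP extensions into CRLs.
# Flag bits are the CSURL_* values from certsrv.h; token numbers are the ones
# listed under "Variable" on the CA's Extensions tab. Sample entries are taken
# from this thread; the server DNS name and token values are assumptions.

$CrlUrlFlags = @{
    1   = 'SERVERPUBLISH: publish base CRLs to this location'
    2   = 'ADDTOCERTCDP: include in the CDP extension of issued certificates'
    4   = 'ADDTOFRESHESTCRL: include in the Freshest CRL extension of CRLs (delta CRL locations)'
    8   = 'ADDTOCRLCDP: include in all CRLs (AD location used when publishing manually)'
    16  = 'PUBLISHRETRY: retry a failed publish at the next CRL publication'
    64  = 'SERVERPUBLISHDELTA: publish delta CRLs to this location'
    128 = 'ADDTOIDP: include in the IDP extension of issued CRLs'
}

function ConvertFrom-CrlPublicationEntry {
    param([Parameter(Mandatory)][string]$Entry)
    # The URL part may itself contain ':' (drive letters, schemes), so split
    # only at the first one.
    $sep = $Entry.IndexOf(':')
    if ($sep -lt 1) { throw "Malformed CRLPublicationURLs entry: $Entry" }
    [pscustomobject]@{
        Flags = [int]$Entry.Substring(0, $sep)
        Url   = $Entry.Substring($sep + 1)
    }
}

function Get-CrlUrlFlagNames {
    param([int]$Flags)
    $known = 0
    foreach ($bit in $CrlUrlFlags.Keys) { $known = $known -bor $bit }
    $names = @(foreach ($bit in ($CrlUrlFlags.Keys | Sort-Object)) {
        if ($Flags -band $bit) { $CrlUrlFlags[$bit] }
    })
    $unknown = $Flags -band (-bnot $known)
    if ($unknown) { $names += ('UNKNOWN bits 0x{0:X}' -f $unknown) }
    $names
}

function Expand-CaUrlTokens {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][hashtable]$Tokens,   # '%1'..'%11' -> value
        [switch]$DeltaCrl                           # %9 is '+' in delta CRL names
    )
    $t = $Tokens.Clone()
    $t['%9'] = if ($DeltaCrl) { '+' } else { '' }
    $out = $Url
    # Longest tokens first, so '%10' and '%11' are not consumed by '%1'.
    foreach ($k in ($t.Keys | Sort-Object Length -Descending)) {
        $out = $out.Replace($k, [string]$t[$k])
    }
    # The CA escapes spaces in LDAP/HTTP URLs (cf. 'public%20key%20services'
    # in the dump); file-system paths are left alone.
    if ($out -match '^[a-z]+://') { $out = $out.Replace(' ', '%20') }
    $out
}

function Find-UnexpandedCaTokens {
    param([Parameter(Mandatory)][string]$Url)
    # %1..%11 not followed by another digit; URL escapes such as %20 do not match.
    @([regex]::Matches($Url, '%(1[01]|[1-9])(?!\d)') | ForEach-Object { $_.Value })
}

function Get-CrlPublicationReport {
    param([Parameter(Mandatory)][string[]]$Entries, [Parameter(Mandatory)][hashtable]$Tokens)
    foreach ($e in $Entries) {
        $p = ConvertFrom-CrlPublicationEntry -Entry $e
        [pscustomobject]@{
            Flags         = $p.Flags
            Meaning       = (Get-CrlUrlFlagNames -Flags $p.Flags) -join '; '
            InCertCdp     = [bool]($p.Flags -band 2)     # shows under "Certificate CDP"
            InFreshestCrl = [bool]($p.Flags -band 4)     # shows under "Base CRL CDP"
            InCrlIdp      = [bool]($p.Flags -band 128)
            BaseCrlUrl    = Expand-CaUrlTokens -Url $p.Url -Tokens $Tokens
            DeltaCrlUrl   = Expand-CaUrlTokens -Url $p.Url -Tokens $Tokens -DeltaCrl
        }
    }
}

# Constructed from the registry lines posted in this thread.
$entries = @(
    '65:c:\windows\system32\certsrv\certenroll\%3%8%9.crl',
    '65:d:\certenroll\%3%8%9.crl',
    '79:ldap:///cn=%7%8,cn=%2,cn=cdp,cn=public key services,cn=services,%6%10',
    '6:http://webca.intra.domain.co.sg/cert/%3%8%9.crl'
)
# Token values for the thread's CA; the DNS name is assumed, the rest follow
# from the names visible in the dump.
$tokens = @{
    '%1'  = 'entcaserver.intra.domain.co.sg'                   # ServerDNSName (assumed)
    '%2'  = 'entcaserver'                                      # ServerShortName
    '%3'  = 'entca'                                            # CaName
    '%4'  = ''                                                 # CertificateName, '(1)' after renewal
    '%6'  = 'CN=Configuration,DC=intra,DC=domain,DC=co,DC=sg'  # ConfigurationContainer
    '%7'  = 'entca'                                            # CATruncatedName
    '%8'  = ''                                                 # CRLNameSuffix, '(1)' after key renewal
    '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'  # CDPObjectClass
}
Get-CrlPublicationReport -Entries $entries -Tokens $tokens | Format-List

# URLs copied out of the dump's "Base CRL CDP" section still carry literal tokens:
Find-UnexpandedCaTokens 'http://webca/cert/%3%8%9.crl'       # %3, %8, %9
Find-UnexpandedCaTokens 'ldap:///cn=entca,cn=entcaserver,cn=cdp,cn=public%20key%20services'   # none
```

On the CA itself the live values come from `(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>").CRLPublicationURLs`, and `certutil -getreg CA\CRLPublicationURLs` prints the same flag names. The point of the report is the split between bit 2 and bits 4/128: the first is stamped into certificates at issuance, the others into the CRL at signing time, so a URL that is wrong inside an already-published CRL stays wrong until a new CRL is published, no matter what the registry says now.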
Hi all,
Sorry for the late response.
After struggling for some time,
I made changes to the CDP settings in Certification Authority > Properties, Extensions tab, CRL CDP; still no luck (even after restarting the service and the server multiple times).
I checked the result with certutil -f -urlfetch: the Base CRL test still failed (no changes); AIA and CDP verified.
Then I made changes in the registry, CRLPublicationURLs, as below:
65:c:\windows\system32\certsrv\certenroll\%3%8%9.crl
65:d:\certenroll\%3%8%9.crl
79:ldap:///cn=%7%8,cn=%2,cn=cdp,cn=public key services,cn=services,%6%10
6:http://webca.intra.domain.co.sg/cert/%3%8%9.crl -> following Brian's advice
I restarted the service and the server, still the same; checking the result with certutil -f -urlfetch, the Base CRL test still failed (no changes); AIA and CDP verified.
Then I tried renewing the EntCA against the root CA and installing it on EntCA. I requested a new certificate for the client, and revocation succeeds as below:
issuer:cn=entca
dc=intra
dc=domain
dc=co
dc=sg
subject:
cn=computer.intra.domain.co.sg
cert serial number: 21bf72ab000100000049
dwflags = ca_verify_flags_allow_untrusted_root (0x1)
dwflags = ca_verify_flags_ignore_offline (0x2)
dwflags = ca_verify_flags_full_chain_revocation (0x8)
dwflags = ca_verify_flags_console_trace (0x20000000)
dwflags = ca_verify_flags_dump_chain (0x40000000)
chainflags = cert_chain_revocation_check_chain (0x20000000)
hcce_local_machine
cert_chain_policy_base
-------- cert_chain_context --------
chaincontext.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
simplechain.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
certcontext[0][0]: dwinfostatus=102 dwerrorstatus=0
issuer: cn=entca, dc=intra, dc=domain, dc=co, dc=sg
notbefore: 4/7/2013 10:48 pm
notafter: 7/6/2013 10:48 pm
subject: cn=computer.intra.domain.co.sg
serial: 21bf72ab000100000049
subjectaltname: dns name=computer.intra.domain.co.sg
template: test certificate template
b4 9d 03 04 cf 21 ad bf cc 6d a7 3d b5 71 35 7e ba 5f 41 b4
element.dwinfostatus = cert_trust_has_key_match_issuer (0x2)
element.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
---------------- certificate aia ----------------
verified "certificate (0)" time: 0
[0.0] http://webca.intra.domain.co.sg/cert/entca(1).crt
wrong issuer "certificate (1)" time: 0
[1.0] ldap:///cn=entca,cn=aia,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?cacertificate?base?objectclass=certificationauthority
verified "certificate (0)" time: 0
[1.1] ldap:///cn=entca,cn=aia,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?cacertificate?base?objectclass=certificationauthority
---------------- certificate cdp ----------------
verified "base crl (03)" time: 0
[0.0] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?certificaterevocationlist?base?objectclass=crldistributionpoint
verified "delta crl (03)" time: 0
[0.0.0] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?deltarevocationlist?base?objectclass=crldistributionpoint
verified "delta crl (03)" time: 0
[0.0.1] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?deltarevocationlist?base?objectclass=crldistributionpoint
verified "base crl (03)" time: 0
[1.0] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?certificaterevocationlist?base?objectclass=crldistributionpoint
verified "delta crl (03)" time: 0
[1.0.0] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?deltarevocationlist?base?objectclass=crldistributionpoint
verified "delta crl (03)" time: 0
[1.0.1] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?deltarevocationlist?base?objectclass=crldistributionpoint
---------------- base crl cdp ----------------
ok "delta crl (03)" time: 0
[0.0] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?deltarevocationlist?base?objectclass=crldistributionpoint
ok "delta crl (03)" time: 0
[1.0] ldap:///cn=entca(1),cn=entcaserver,cn=cdp,cn=public%20key%20services,cn=services,cn=configuration,dc=intra,dc=domain,dc=co,dc=sg?deltarevocationlist?base?objectclass=crldistributionpoint
---------------- certificate ocsp ----------------
no urls "none" time: 0
--------------------------------
crl 03:
issuer: cn=entca, dc=intra, dc=domain, dc=co, dc=sg
ae 38 8e f5 ba 21 3b 99 15 18 6d c6 59 5e f2 da 8f 10 d7 99
delta crl 03:
issuer: cn=entca, dc=intra, dc=domain, dc=co, dc=sg
1d 25 b0 b6 41 d9 1b 05 48 ef df 2d 45 e5 66 55 10 07 5e f5
application[0] = 1.3.6.1.5.5.7.3.2 client authentication
certcontext[0][3]: dwinfostatus=10c dwerrorstatus=0
issuer: cn=rootca
notbefore: 12/2/2005 4:15 pm
notafter: 12/2/2021 4:21 pm
subject: cn=rootca
serial: 4de76da26f2ac5bf4e3b7ee613511a83
bb 64 62 48 93 fe da 36 14 6d 44 fe 57 37 36 8d c8 bc d2 81
element.dwinfostatus = cert_trust_has_name_match_issuer (0x4)
element.dwinfostatus = cert_trust_is_self_signed (0x8)
element.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
---------------- certificate aia ----------------
no urls "none" time: 0
---------------- certificate cdp ----------------
no urls "none" time: 0
---------------- certificate ocsp ----------------
no urls "none" time: 0
--------------------------------
exclude leaf cert:
02 fa d5 f6 3a db 95 14 a0 dd 6a a8 94 93 09 36 8e 45 f9 51
full chain:
fe 9f a6 b5 f6 73 bc 00 8e d4 4f d6 85 b5 b0 b0 92 34 63 13
------------------------------------
verified issuance policies: none
verified application policies:
1.3.6.1.5.5.7.3.2 client authentication
leaf certificate revocation check passed
certutil: -verify command completed successfully.
Based on the lab, my conclusions here:
1. The Base CRL CDP changes after renewing the issuing CA.
2. Before starting the CA service, make sure the CRL CDP and AIA configuration is correct.
3. CRL and delta CRL can be published via a file share; there is no need to manually copy the CRL to the web revocation location, just add it in the CRL CDP.
Thanks Lutz and Brian. Correct me if I'm wrong.
Thanks again.
Regards,
Endrik
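The conclusions in the post above amount to a procedure: set CRLPublicationURLs while CertSvc is stopped, start the CA, publish a fresh CRL, then re-run certutil -f -urlfetch -verify on the client certificate. The PowerShell below is an added example, not code from the thread, from Microsoft or from the blog mentioned in the signature: it scripts that sequence and reads the verdict out of certutil's text, because certutil -verify prints "command completed successfully" even when the revocation check failed, as the first dump in this thread shows. The registry path, the certutil switches and the "revocation check passed" / 0x80092013 strings are the standard AD CS ones; the CA name "entca", the URL set and the certificate path are assumptions.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Applies a CRLPublicationURLs set with the CA stopped, starts the CA,
# publishes a fresh CRL, then re-verifies a client certificate and parses
# certutil's text for the verdict (its exit code is 0 either way).
# Registry path and certutil switches are the standard AD CS ones; CA name,
# URL set and certificate path are assumptions.
#Requires -RunAsAdministrator

function Set-CaCrlPublicationUrls {
    param(
        [Parameter(Mandatory)][string]$CaName,     # CA common name, e.g. 'entca'
        [Parameter(Mandatory)][string[]]$Entries   # '<flags>:<url>' lines
    )
    foreach ($e in $Entries) {
        if ($e -notmatch '^\d+:\S') { throw "Malformed CRLPublicationURLs entry: $e" }
    }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    # CertSvc reads this REG_MULTI_SZ at start-up only, so change it while the
    # service is stopped (the thread's conclusion 2).
    Stop-Service -Name CertSvc
    Set-ItemProperty -Path $key -Name CRLPublicationURLs -Value $Entries -Type MultiString
    Start-Service -Name CertSvc
    # A CRL's Freshest CRL / IDP extensions are fixed when it is signed, so a
    # new base (and delta) CRL must be published to carry the new URLs.
    certutil -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
}

function Test-CertRevocationPath {
    param([Parameter(Mandatory)][string]$CertPath)
    # Same switches the thread uses; the dump is parsed line by line below.
    $text  = certutil -f -urlfetch -verify $CertPath 2>&1 | Out-String
    $lines = $text -split '\r?\n'
    $failed = foreach ($i in 0..($lines.Count - 1)) {
        if ($lines[$i] -match '^\s*Failed "') {
            # the offending URL is printed as '[n.n.n] <url>' within two lines
            $end = [math]::Min($i + 2, $lines.Count - 1)
            for ($j = $i + 1; $j -le $end; $j++) {
                if ($lines[$j] -match '^\s*\[[\d.]+\]\s*(\S+)') { $Matches[1]; break }
            }
        }
    }
    [pscustomobject]@{
        Passed            = [bool]($text -match 'revocation check passed')
        RevocationOffline = [bool]($text -match '0x80092013')   # CRYPT_E_REVOCATION_OFFLINE
        FailedUrls        = @($failed)
        # Literal %N tokens in a fetched URL mean the CA never expanded them.
        UnexpandedTokens  = @([regex]::Matches($text, '%(1[01]|[1-9])(?!\d)') |
                               ForEach-Object { $_.Value } | Sort-Object -Unique)
    }
}

# URL set for this thread's CA: the two defaults plus the HTTP location.
# 65 = publish base + delta CRL here; 79 adds AD publishing and the cert/CRL
# extensions; 6 = in certificates' CDP + in CRLs' Freshest CRL (no publishing,
# so the web path must be fed by a file-share entry or a copy, conclusion 3).
$urls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://webca.intra.domain.co.sg/cert/%3%8%9.crl'
)
Set-CaCrlPublicationUrls -CaName 'entca' -Entries $urls

# On the verifying host: clear this account's cached CRLs, then re-check.
# NPS runs as a service, so its cache lives under that account's profile;
# repeat the two commands in that context (e.g. as SYSTEM) for NPS itself.
certutil -urlcache * delete | Out-Null
$r = Test-CertRevocationPath -CertPath 'C:\temp\client7.cer'
if (-not $r.Passed) {
    Write-Warning ('revocation offline: {0}; failed URLs: {1}; literal tokens: {2}' -f `
        $r.RevocationOffline, ($r.FailedUrls -join ', '), ($r.UnexpandedTokens -join ' '))
}
$r
```

Run the first half on the CA and the second half on the machine that does the verifying. A result with Passed = $false and RevocationOffline = $true reproduces the first dump in this thread; FailedUrls then tells you which location is unreachable, and a non-empty UnexpandedTokens means the CRL currently being served was signed with broken URLs and has to be republished before any client-side cache clearing will help.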