Certificate revocation check from external network - Fails
  • Certificate revocation check from external network - Fails

    I am having an issue with a non-domain client connecting to remote desktop web apps. Upon connecting I receive this error message:
    "A revocation check could not be performed for the certificate "
    My issue is very similar to this posting:
    http://social.technet.microsoft.com/...-42fceaf66a77/

    My non-domain computer has the Root CA installed.

    My CRL distribution points are as follows:
    [1]CRL Distribution Point
    Distribution Point Name:
    Full Name:
    URL=ldap:///CN=chaseit-WIN2K8R2DC-CA,CN=Win2k8R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=chaseit,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
    URL=http://win2k8r2dc.chaseit.local/External/chaseit-WIN2K8R2DC-CA.crl

    So as you can see I have the traditional LDAP location first, then I have the HTTP location.

    Upon running certutil -URL certification.cer, it simply returns (null) in the command window.

    From what I have read in other threads, I should be getting messages like this:
    Status Type Url
    Verified Base CRL (52) [0.0]http://xxxxx/xxxx.crl
    Failed CDP [0.0.0]ldap:///CNxxxxx....
    Failed CDP [0.1.0]http://dc1.xx.local/xxxx....
    Verified Delta CRL (52) [0.0.2]http://xxxxx/xxxx.crl

    Ideas?

    Thanks,
    C

  • #2
    Re: Certificate revocation check from external network - Fails

    I'm gonna take a wild stab in the dark and say it's trying to connect to the CA to download the Certificate Revocation List (or CRL);
    however, it's not able to identify chaseit.local (as you're external to the domain) and, because it cannot download the CRL to validate the certificate, it just assumes it's not valid (as it's supposed to).



    • #3
      Re: Certificate revocation check from external network - Fails

      Not quite. This is on the same subnet. The URL is accessible if I type it into Internet Explorer, so I know it is available. Here is some output... Take notice of how, when I use the -URL tag, it returns (null); however, whenever I tell it to verify, it shows the distribution points. Is the root CA not creating the certificates correctly?

      Once again the root CA is installed in the root store. I get no error messages when navigating to a website that has that cert.

      Code:
      C:\temp>certutil -f -url "win2k8r2memb1_allpurpose - BASE.cer"
      (null)
      
      C:\temp>certutil -url "win2k8r2memb1_allpurpose - BASE.cer"
      (null)
      
      C:\temp>certutil -f -urlfetch -verify "win2k8r2memb1_allpurpose - BASE.cer"
      
          CN=chaseit-WIN2K8R2DC-CA
          DC=chaseit
          DC=local
      
          CN=WIN2K8R2MEMB1
          CN=Computers
          DC=chaseit
          DC=local
      (null) 198b83bb00000000001b
      
      dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
      dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
      dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
      dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
      dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
      ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
      HCCE_LOCAL_MACHINE
      CERT_CHAIN_POLICY_BASE
      -------- CERT_CHAIN_CONTEXT --------
      ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
      SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
      
      CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
        Issuer: CN=chaseit-WIN2K8R2DC-CA, DC=chaseit, DC=local
        NotBefore: 12/7/2009 11:46 PM
        NotAfter: 12/7/2011 11:56 PM
        Subject: CN=WIN2K8R2MEMB1, CN=Computers, DC=chaseit, DC=local
        Serial: 198b83bb00000000001b
        SubjectAltName: Other Name:Principal [email protected]
        Template: 1.3.6.1.4.1.311.21.8.1751896.3471333.7752366.1484346.6168036.76.10294277.8505284
        03 5f ef 2a 33 bf a8 39 6e a4 b8 5f 5b 27 42 4c a6 85 d2 a1
        Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
        Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
        Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
        ----------------  (null)  ----------------
        ??? "???" (null) 0
          Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
          ldap:///CN=chaseit-WIN2K8R2DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=chaseit,DC=local?cACertificate?base?objectClass=certificationAuthority
      
        ??? "???" (null) 0
          Error retrieving URL: Error 0x80190194 (-2145844844)
          http://win2k8r2dc.chaseit.local/External/Win2k8R2DC.chaseit.local_chaseit-WIN2K8R2DC-CA.crt
      
        ----------------  (null)  ----------------
        ??? "Base CRL (10)" (null) 0
          [0.0] http://win2k8r2dc.chaseit.local/External/chaseit-WIN2K8R2DC-CA.crl
      
        ??? "Delta CRL (10)" (null) 0
          [0.0.0] http://win2k8r2dc.chaseit.local/External/chaseit-WIN2K8R2DC-CA+.crl
      
        ??? "???" (null) 0
          Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
          [0.1.0] ldap:///CN=chaseit-WIN2K8R2DC-CA,CN=Win2k8R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=chaseit,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
      
        ??? "???" (null) 0
          Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
          ldap:///CN=chaseit-WIN2K8R2DC-CA,CN=Win2k8R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=chaseit,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
      
        ----------------  (null)  ----------------
        ??? "???" (null) 0
        --------------------------------
      
      Exclude leaf cert:
        da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
      Full chain:
        03 5f ef 2a 33 bf a8 39 6e a4 b8 5f 5b 27 42 4c a6 85 d2 a1
      Missing Issuer: CN=chaseit-WIN2K8R2DC-CA, DC=chaseit, DC=local
        Issuer: CN=chaseit-WIN2K8R2DC-CA, DC=chaseit, DC=local
        NotBefore: 12/7/2009 11:46 PM
        NotAfter: 12/7/2011 11:56 PM
        Subject: CN=WIN2K8R2MEMB1, CN=Computers, DC=chaseit, DC=local
        Serial: 198b83bb00000000001b
        SubjectAltName: Other Name:Principal [email protected]
        Template: 1.3.6.1.4.1.311.21.8.1751896.3471333.7752366.1484346.6168036.76.10294277.8505284
        03 5f ef 2a 33 bf a8 39 6e a4 b8 5f 5b 27 42 4c a6 85 d2 a1
      A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
      ------------------------------------
      (null)
      (null)
          CN=chaseit-WIN2K8R2DC-CA, DC=chaseit, DC=local
      (null)
      (null)
      It looks like it can access it since it is not throwing back a network error...
      ??? "Base CRL (10)" (null) 0
      [0.0] http://win2k8r2dc.chaseit.local/Exte...2K8R2DC-CA.crl

      ??? "Delta CRL (10)" (null) 0
      [0.0.0] http://win2k8r2dc.chaseit.local/Exte...K8R2DC-CA+.crl

      Ideas?
      -C



      • #4
        Re: Certificate revocation check from external network - Fails

        Found out the root cause of the issue. Even though I had the Root CA cert in my personal store, apparently there is a Computer root store also. Upon storing the certificate in the Computer's trusted root folder, it worked.
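
        A PowerShell script, added here as an example and not posted by anyone in the thread, that automates the three checks the posts above walk through by hand: fetch each CDP URL from the certificate, build the chain with online revocation checking as certutil -urlfetch -verify does, and confirm the root is in the Computer (LocalMachine\Root) store rather than only the user's. The certificate path is a placeholder assumption.

```powershell
# Added example (not from the thread): triage a "revocation check could not be
# performed" error the way the posts above did by hand, but in one script.
# Assumption: the leaf certificate is exported to the placeholder path below.
param([string]$CertPath = 'C:\temp\leaf.cer')

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. CRL Distribution Points (OID 2.5.29.31). Format() prints the same "URL=..."
#    layout certutil shows. ldap:/// URLs are only reachable from a domain-joined
#    client, so a non-domain client depends entirely on a working http URL.
$cdp  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = if ($cdp) { [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value } } else { @() }
foreach ($u in $urls) {
    if ($u -like 'ldap:*') { "SKIP  $u  (needs a domain-joined client)"; continue }
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        "OK    $u  ($($r.RawContentLength) bytes)"
    } catch { "FAIL  $u  $($_.Exception.Message)" }
}

# 2. Build the chain with online revocation checking, like certutil -urlfetch -verify.
#    AllowUnknownCertificateAuthority lets the chain complete so the root can be inspected.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.VerificationFlags   = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$null = $chain.Build($leaf)
'Chain status (empty = clean; look for RevocationStatusUnknown, OfflineRevocation, PartialChain):'
$chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }

# 3. The root cause in post #4: the root was only in the user's store. IE runs as the
#    user, but RD Web and certutil (HCCE_LOCAL_MACHINE above) read LocalMachine\Root.
#    This script's X509Chain also builds in the user's context, so step 2 can pass
#    while the service still fails; the store check below is the decisive one.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $found = [bool](Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    '{0,-25} has root "{1}": {2}' -f $store, $root.Subject, $found
}
```

        If the root shows as present only in CurrentUser\Root, import it into LocalMachine\Root (the Computer's Trusted Root store) and rerun; the PartialChain status should disappear.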
