Channel: Security forum

Remediating Nessus Plugin IDs 57582 & 51192 on Windows 2012 R2 Servers


I have a group of Windows 2012 R2 servers that keep getting "hits" on Nessus scans via IDs 57582 & 51192, both regarding self-signed certs on ports 3389 & 1433 (RDP and SQL respectively):

57582 = SSL Self-Signed Certificate

51192 = SSL Certificate Cannot Be Trusted

Can anyone give me a link on how to resolve these vulnerabilities? I found the blurb below during a search, but it does not have enough info to resolve them:

"RDP (Port 3389) generates self-signing certificates by default. This will actually keep auto-generating these self-signed certs. I cannot find the Microsoft link we used to fix this, but I remember it. If the server is already issued a compliant certificate, you have to add it to the certificate store on the server, more specifically the private key tab. Once we did that, it leveraged the issued cert and stopped auto-generating the self-signed ones, and all the vulnerabilities went away. If you search for something like that, I am sure it will come up. We found it on the Microsoft Social TechNet forums, if that helps." "SQL (Port 1433) has a self-signed certificate created by the default installation, but can be configured as well."

Please help, Jim



SMB signing certificate


I am looking at enabling SMB signing as a client. However, I am unable to find any information about how to install a certificate and which certificate it uses. Any idea?

Thanks

Microsoft CA path length constraint


Hi all,

I configured the path length constraint as "none" on both the Root CA and the Issuing CA. Is this vulnerable and not recommended?

Regards

Mahesh

How long does it take for the standby DHCP server to become active in DHCP failover?


I installed DHCP failover, but I have a question: how long does it take for the standby DHCP server to become active in DHCP failover?

Duplicate Workstation Authentication Certificate Template Fails (The following template name has already been used:)


When duplicating the pre-existing "Workstation Authentication" template for distribution, regardless of the name provided to the new template, I get a popup message like the one attached.

Any thoughts?


I do this cause it pays the bills...

How to check which computers have Flash and Java installed


I am trying to figure out which computers on our network have Flash and Java installed. We have a hybrid network with Active Directory and Office 365. We use SCCM for about 150-250 workstations and about 10 servers.

Using AIA to push or fetch the root CA certificate to the Trusted Root Certificate Store


Our understanding is that AIA contains the intermediate and root certificates of an end-entity certificate; using AIA we can push the root certificate to the Trusted Root certificate store.

Using AIA, is it possible to publish the root certificate of a web application to the client machine? We cannot check that every client device has the root certificate in its Trusted Root certificate store.

Installing or Replacing Builtin Feature PowerShell Modules


I've run into this issue several times recently, and I can't believe I'm the only one. In today's paranoia-based security world, corporate security demands that no user be an admin of their machine. I don't like it, but I get it. The problem is that in large corporations' siloed IT departments, that usually includes everybody except the End User Support group. I support hundreds of IIS and SharePoint servers with tens of thousands of sites. Because I'm not an admin of my machine, I can't go into Add Features and install the AD and IIS management tools, which I wouldn't need if the ActiveDirectory and WebAdministration modules were still available as downloads (if they are still available, they're well hidden). I tried to load the RSAT tools to get the AD module, but I need to be an admin to do that. Why aren't these modules, and others like them, available as downloads from PSGallery anymore? Are they readily available in any other repository or site that I can download them from?


Revocation Server Offline on new Issuing CA


I am setting up a two-tier PKI architecture. When configuring the Root CA I made a typo in the URL for some of the repositories that went unnoticed until I finished configuration on the ICAs. I decided to uninstall ADCS on the two ICAs, reinstall it, and issue them new certificates that had the corrected values.

The problem is that now I cannot start the CS service without disabling checking for CRLs, because it reports my CRL server is offline.

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  SUN Behavioral Certificate Authority ICA1 The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

PKIview shows they are online and can download, and the ICA certificate seems to pass all health checks. My guess is that I have some orphaned configuration settings somewhere from the old installation, but I can't find them.

certutil -verify -urlfetch C:\issuingICA1.crt
Issuer:
    CN=SUN Behavioral Certificate Authority
  Name Hash(sha1): 5397c531fcc0d367bbe90a6902a18b0bc19ea8bb
  Name Hash(md5): 0308e448c70b204cd8deaace6a129327
Subject:
    CN=SUN Behavioral Certificate Authority ICA1
    DC=sun
    DC=local
  Name Hash(sha1): 23d1ae6e6072d585da914eae713af3aabece2c75
  Name Hash(md5): ad70aaf70d6f711526bc6b64914a288e
Cert Serial Number: 1a0000000704307ca595cc5fbf000000000007

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 32 Minutes, 9 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 32 Minutes, 9 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SUN Behavioral Certificate Authority
  NotBefore: 5/31/2019 3:24 PM
  NotAfter: 5/31/2029 3:34 PM
  Subject: CN=SUN Behavioral Certificate Authority ICA1, DC=sun, DC=local
  Serial: 1a0000000704307ca595cc5fbf000000000007
  Template: SubCA
  Cert: 7689421401077c5f65c43af3b3676f506bc8bc95
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.sunbehavioral.com/pki/SUN-ROOTSUN%20Behavioral%20Certificate%20Authority.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (10)" Time: 0
    [0.0] http://pki.sunbehavioral.com/pki/SUN-ROOT.crl

  Verified "Delta CRL (10)" Time: 0
    [0.0.0] http://pki.sunbehavioral.com/pki/SUN-ROOT+.crl

  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (10)" Time: 0
    [0.0] http://pki.sunbehavioral.com/pki/SUN-ROOT+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 10:
    Issuer: CN=SUN Behavioral Certificate Authority
    ThisUpdate: 5/31/2019 4:11 PM
    NextUpdate: 6/1/2039 4:31 AM
    CRL: 2cdd336f50a9b053f321a566e9731b3f0cb1c02a
    Delta CRL 10:
    Issuer: CN=SUN Behavioral Certificate Authority
    ThisUpdate: 5/31/2019 4:11 PM
    NextUpdate: 6/2/2019 4:31 AM
    CRL: 74c0698e31f8c24bfd70a87480498ebaff58fa22

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=SUN Behavioral Certificate Authority
  NotBefore: 5/22/2019 9:56 AM
  NotAfter: 5/22/2039 10:06 AM
  Subject: CN=SUN Behavioral Certificate Authority
  Serial: 1d7aa3a5ed6c17814a516849996371f3
  Cert: f4d9b6c19ef2b2038f42da33bcb2844cdb113efb
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.53953.1

Exclude leaf cert:
  Chain: 07c3f4a4cd85bbe1f65325b78ddc959b83987c71
Full chain:
  Chain: 418b0685e5f45385dd7460bedcd6386253e49992
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

C:\windows\system32>


Publishing certificates on Microsoft ADDS


While generating certificates through MS-CA web enrollment services, the certificates are getting published in Microsoft ADDS against the CAADMIN user. How do I publish these certificates against the respective user?

Automatic Smart Card Certificate Renewal


We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.

Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?

There are two errors in the event log -

Event ID:      16
Description:
Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).

Event ID:      6
Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.

The certificate template is configured with all the correct permissions (Read, Enroll, AutoEnroll) and group policy is configured with the auto-enrollment settings.

Thanks in advance.


Certificate Web Enrollment page authentication is getting bypassed: anyone connected to the network can access the web authentication page and can request a certificate


I'm a bit new to ADCS. There was an issue raised by our client saying the certificate Web Enrollment page is accessible to anyone connected to the network. It works this way:

1) Accessing the URL https://xx.xx.xx.xx/certsrv/Default.asp: this URL doesn't have HTTPS and shows up a warning; you have to proceed as unsafe.
2) Passing through (continue to website), the HTTP connection establishes and the browser asks for authentication (username, password) with 2 options, "submit" and "cancel".
3) When hitting Cancel it shows an authentication denied error with error code 404.
4) At this point, hitting refresh lands on the Web Enrollment page instead of asking for authentication again, which is an authentication bypass.

This works successfully for every user, especially on Chrome and Internet Explorer, and fails on the Firefox browser. What exactly could be happening, and how can this be fixed?

How can I verify that my OCSP server is working


Hey

I have installed OCSP on Win 2008 R2, and I already have Win 2008 R2 Certificate Services, and I have included the URL of the OCSP in the AIA of issued certificates. Is there any tool, or a way, to test that the OCSP really is working and reporting the health of certificates?


ammarhasayen

CA fails to start (NTE_BAD_KEYSET 0x80090016)

Hi,

We tried to upgrade a CA using this guide: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP).

But this time, at the end, the CA fails to start, showing the above error and throwing a 7024 event.

I already tried certutil -repairstore for all certificates, but with no progress.

Any idea what we can do?


Retpoline


Hi,

I want to implement additional security mitigations on top of Retpoline, as in the article below.

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618

To do so I need to bitwise-OR the values into FeatureSettingsOverride and FeatureSettingsOverrideMask, as in the example below:

Example: Feature settings values for enabling SSBD (speculative store bypass) system wide:
FeatureSettingsOverride = 0x8 and FeatureSettingsOverrideMask = 0
To add Retpoline, the feature settings value for Retpoline (0x400) should be bitwise OR'd:
FeatureSettingsOverride = 0x408 and FeatureSettingsOverrideMask = 0x400

In my scenario I have added the settings below according to:
https://support.microsoft.com/en-in/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Now I did the bitwise OR and get:

FeatureSettingsOverride: 9288 (decimal)
FeatureSettingsOverrideMask: 1027 (decimal)

If I understood correctly, these values in the registry give me protection for all the latest vulnerabilities with Retpoline enabled.
Of course I have checked for supported hardware and updated microcode. I am curious if someone has implemented this solution.


Granting permissions for RPC on DCs


Hi,

Could anybody give me a hint on how to grant RPC permissions for a specific group / service account on domain controllers?

We are deploying a lic. inventory tool, and instead of installing an agent in T0 (where the DCs are) I decided to do an inventory of all DCs over the network from a single probe server that is also placed in T0; this provides better security. But unfortunately, it requires some perms on such a target netw. device to gather info about licenses, RPC specifically, and I don't want to delegate that through the Domain Admins group since that would be way too much.

Any ideas, hints? 

[Pre-Login] initialization=19286; handshake=16099; SQL 2017 CU14


Hey, I have a simple HA/AG SQL 2017 on the latest CU14.

I am trying to copy users from the primary to the secondary and it all works well on port 1433.

I can enable/disable the firewall and the script works as expected.

The problem is that when the 1433 TCP Port is changed to another port, the script fails whenever the firewall is enabled on the intended destination. If I disable the FW, it just works.

So I tried opening ports 5022 and 49000-51000, same failure; multiple reboots; adding SQLAgent and ..CEIP.. to the firewall's allowed communication; all fail. Process Monitor does not tell me what is blocked and reports that the expected ports and applications are responding as intended and succeeded.

In PowerShell I used the same script, zero modifications.

My script fails when it runs

Invoke-Sqlcmd -Query $Query -ServerInstance 10.10.15.204

The exact failure message is


Invoke-Sqlcmd : Connection Timeout Expired.  The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement.  This could be because the pre-login handshake failed or the server was unable to respond back in time.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=19286; handshake=16099; 

At C:\scripts\powershell.ps1:344 char:17
+ ...              Invoke-Sqlcmd -Query $Query -ServerInstance 10.10.15.204
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-Sqlcmd], SqlException
    + FullyQualifiedErrorId : SqlExectionError,Microsoft.SqlServer.Management.PowerShell.GetScriptCommand

Invoke-Sqlcmd : 
At C:\scripts\powershell.ps1:344 char:17
+ ...              Invoke-Sqlcmd -Query $Query -ServerInstance 10.10.15.204
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Sqlcmd], ParserException
    + FullyQualifiedErrorId : ExecutionFailureException,Microsoft.SqlServer.Management.PowerShell.GetScriptCommand

What firewall settings should I choose?

Ransomware attacked my server 2012


Ransomware attacked my Server 2012 R2. How can I have a backup, please?

Renew Intermediate CA in a cluster


I'm trying to update my Intermediate CA in a two node cluster.

I pause the failover node and update the cert with my offline root and add it to the store. All this appears to work fine. I can see my new certificate.

I import the new cert to the failover node. I update the registry to have that as a second key.

I can restart the services on the active node while the failover node is paused. Everything works.

After I fail over, the new certificate is not there, as if the DB knows nothing about it.

If I try to fail back, I get an error about "illegal operation attempted on a registry key".

If I fail back and forth once more the key is gone.

I'm following this article:  https://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx


David Jenkins

Offline Linux root, Windows sub CA


Hi,

I inherited an environment with a RHEL offline root CA ("car") and a 2008 subordinate/issuing CA (wincai). I am trying to create a new Windows 2019 issuing CA (wincert-sub). I have gotten to the point that the new server can issue certificates, but Enterprise PKI shows an error. I am not able to paste a picture, but the error is CA CERTIFICATE---REVOCATION STATUS UNKNOWN


Here is the fetch command that I have seen requested.  I apologize if sanitation causes readability issues:

Issuer:
    CN=WINyyy-SUB-CA
    [0,0]: yyy_RDN_PRINTABLE_STRING, Length = 14 (14/64 Characters)
        2.5.4.3 Common Name (CN)="WINyyy-SUB-CA"

        57 49 4e 43 45 52 54 2d  53 55 42 2d 43 41         WINyyy-SUB-CA

        57 00 49 00 4e 00 43 00  45 00 52 00 54 00 2d 00   W.I.N.C.E.R.T.-.
        53 00 55 00 42 00 2d 00  43 00 41 00               S.U.B.-.C.A.

  Name Hash(sha1): 72fc7b99d0f4cd1d5a291d800cad01981308f239
  Name Hash(md5): f6db2cdffa3783361cf4e7cf467675a3
Subject:
    CN=winyyy.ad.xxx.yyy.org
    [0,0]: yyy_RDN_PRINTABLE_STRING, Length = 23 (23/64 Characters)
        2.5.4.3 Common Name (CN)="winyyy.ad.xxx.yyy.org"

        77 69 6e 63 65 72 74 2e  61 64 2e 64 74 65 2e 63   winyyy.ad.xxx.c
        65 72 74 2e 6f 72 67                               ert.org

        77 00 69 00 6e 00 63 00  65 00 72 00 74 00 2e 00   w.i.n.c.e.r.t...
        61 00 64 00 2e 00 64 00  74 00 65 00 2e 00 63 00   a.d...
        65 00 72 00 74 00 2e 00  6f 00 72 00 67 00      .

  Name Hash(sha1): a13614146e7d707a9f7343b7845c77642ead7acf
  Name Hash(md5): 220a0f0d68dde7acfd64d9df76c85ab3
yyy Serial Number: 430000000aed04c2dd5ad3003500010000000a
    0000  0a 00 00 00 01 00 35 00  d3 5a dd c2 04 ed 0a 00
    0010  00 00 43

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = yyy_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
yyy_CHAIN_POLICY_BASE
-------- yyy_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = yyy_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = yyy_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwRevocationFreshnessTime: 3 Hours, 55 Minutes, 42 Seconds

SimpleChain.dwInfoStatus = yyy_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = yyy_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwRevocationFreshnessTime: 3 Hours, 55 Minutes, 42 Seconds

yyyContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=WINyyy-SUB-CA
  NotBefore: 6/4/2019 10:19 AM
  NotAfter: 6/3/2020 10:19 AM
  Subject: CN=winyyy.ad.xxx.yyy.org
  Serial: 430000000aed04c2dd5ad3003500010000000a
  SubjectAltName: DNS Name=winyyy.ad.xxx.yyy.org
  Template: Machine
  yyy: 27caa43c8c97589d9f0e6417ace22695372b273d
  Element.dwInfoStatus = yyy_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = yyy_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  yyyificate AIA  ----------------
  Wrong Issuer "yyyificate (0)" Time: 0 4a234112bb74ef8c3971ee05ae4afd2c746001ae
    [0.0] ldap:///CN=WINyyy-SUB-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?cAyyyificate?base?objectClass=yyyificationAuthority

  No CRL "yyyificate (1)" Time: 0 aa81a87b96cc04cf15a674287a3287f90a000daa
    [0.1] ldap:///CN=WINyyy-SUB-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?cAyyyificate?base?objectClass=yyyificationAuthority

  No CRL "yyyificate (1)" Time: 0 aa81a87b96cc04cf15a674287a3287f90a000daa
    [1.0] http://winyyy.ad.xxx.yyy.org/yyyEnroll/winyyy.ad.xxx.yyy.org_WINyyy-SUB-CA(1).crt

  ----------------  yyyificate CDP  ----------------
  Verified "Base CRL (07)" Time: 0 265eb862c6e7862d525d9a27c288e77cbd044a70
    [0.0] ldap:///CN=WINyyy-SUB-CA(1),CN=winyyy,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?yyyificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (07)" Time: 0 74aceb86be890bb8da90b36813157c12fdbdd481
    [0.0.0] ldap:///CN=WINyyy-SUB-CA(1),CN=winyyy,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (07)" Time: 0 f8adf9553ac558875f035b6478fece9fe8c9ea82
    [0.0.1] http://winyyy.ad.xxx.yyy.org/yyyEnroll/WINyyy-SUB-CA(1)+.crl

  Verified "Base CRL (08)" Time: 0 c61b9d711b7c00d5fb0c1c10b355afd96aa07475
    [1.0] http://winyyy.ad.xxx.yyy.org/yyyEnroll/WINyyy-SUB-CA(1).crl

  Verified "Delta CRL (08)" Time: 0 f8adf9553ac558875f035b6478fece9fe8c9ea82
    [1.0.0] http://winyyy.ad.xxx.yyy.org/yyyEnroll/WINyyy-SUB-CA(1)+.crl

  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (07)" Time: 0 74aceb86be890bb8da90b36813157c12fdbdd481
    [0.0] ldap:///CN=WINyyy-SUB-CA(1),CN=winyyy,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=yyy,DC=org?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (08)" Time: 0 f8adf9553ac558875f035b6478fece9fe8c9ea82
    [1.0] http://winyyy.ad.xxx.yyy.org/yyyEnroll/WINyyy-SUB-CA(1)+.crl

  ----------------  yyyificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 07:
    Issuer: CN=WINyyy-SUB-CA
    ThisUpdate: 6/4/2019 9:33 AM
    NextUpdate: 6/11/2019 9:53 PM
    CRL: 265eb862c6e7862d525d9a27c288e77cbd044a70
    Delta CRL 07:
    Issuer: CN=WINyyy-SUB-CA
    ThisUpdate: 6/4/2019 9:33 AM
    NextUpdate: 6/5/2019 9:53 PM
    CRL: 74aceb86be890bb8da90b36813157c12fdbdd481
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

yyyContext[0][1]: dwInfoStatus=101 dwErrorStatus=40
  Issuer: E=xxx-operations@yyy.org, CN=car.core.xxx.yyy.org, OU=Development and Test Environment, O=Software Engineering Institute, L=Arlington, S=Virginia, C=US
  NotBefore: 5/30/2019 3:10 PM
  NotAfter: 5/27/2029 3:10 PM
  Subject: CN=WINyyy-SUB-CA
  Serial: 1009
  yyy: aa81a87b96cc04cf15a674287a3287f90a000daa
  Element.dwInfoStatus = yyy_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = yyy_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = yyy_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  yyyificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  yyyificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  yyyificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

yyyContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: E=xxx-operations@yyy.org, CN=car.core.xxx.yyy.org, OU=Development and Test Environment, O=Software Engineering Institute, L=Arlington, S=Virginia, C=US
  NotBefore: 10/13/2016 10:06 AM
  NotAfter: 10/8/2036 10:06 AM
  Subject: E=xxx-operations@yyy.org, CN=car.core.xxx.yyy.org, OU=Development and Test Environment, O=Software Engineering Institute, L=Arlington, S=Virginia, C=US
  Serial: f74b2c5430ccc7e0
  yyy: 8e76b8f351d2f092a5e201ea6f05e2538864ce30
  Element.dwInfoStatus = yyy_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = yyy_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = yyy_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  yyyificate AIA  ----------------
  Expired "yyyificate (0)" Time: 0 50172205dc0a29ba737467ae5f68ee392a7ce59a
    [0.0] http://winpki.core.xxx.yyy.org/yyyEnroll/xxx-rootca.pem

  ----------------  yyyificate CDP  ----------------
  Verified "Base CRL (02)" Time: 0 e4446a95198cbe0cf9bbb36573cd4d15fea41a6a
    [0.0] http://winpki.core.xxx.yyy.org/yyyEnroll/xxx-rootcrl.crl

  ----------------  yyyificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf yyy:
  Chain: 057d89682dca5efb958ba4343777c389ca88c919
Full chain:
  Chain: a259b8bf0eee4aef9853813fd70b7052ee3dce60
  Issuer: CN=WINyyy-SUB-CA
  NotBefore: 6/4/2019 10:19 AM
  NotAfter: 6/3/2020 10:19 AM
  Subject: CN=winyyy.ad.xxx.yyy.org
  Serial: 430000000aed04c2dd5ad3003500010000000a
  SubjectAltName: DNS Name=winyyy.ad.xxx.yyy.org
  Template: Machine
  yyy: 27caa43c8c97589d9f0e6417ace22695372b273d
The revocation function was unable to check revocation for the yyyificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Leaf yyyificate revocation check passed
yyyUtil: -verify command completed successfully.

I am able to get to the URLs listed, but I can't figure out what I am missing so that the PKI utility comes up clean for WINCERT (my new CA). I am not as familiar with Linux offline roots as I am with Windows, so maybe I missed something there? Any help would be appreciated.

Roger
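An added example, not from any of the posts above and not a Microsoft tool: a Python parser for certutil -verify -urlfetch dumps like the two posted in the "Revocation Server Offline" and "Offline Linux root" threads. It lists, per chain element, every AIA/CDP/OCSP fetch that did not come back Verified/OK and every non-root element with no CDP or OCSP URL at all (the condition the last dump shows for its CertContext[0][1]); the same check covers the earlier OCSP question, since a working responder shows up as a Verified entry under "Certificate OCSP". The sample dump and its names are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout certutil -verify -urlfetch prints (placeholder names).
SAMPLE_DUMP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=host.example.test
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (07)" Time: 0
    [0.0] http://pki.example.test/pki/issuing.crl

CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=40
  Subject: CN=Example Issuing CA
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)

CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
  Subject: CN=Example Root CA
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (02)" Time: 0
    [0.0] http://pki.example.test/pki/root.crl
Exclude leaf cert:
"""

CONTEXT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=\w+ dwErrorStatus=\w+")
SECTION_RE = re.compile(r"^\s*-+\s+(Certificate AIA|Certificate CDP|Base CRL CDP|Certificate OCSP)\s+-+")
STATUS_RE = re.compile(r'^\s*([A-Za-z][A-Za-z ]*?)\s+"([^"]*)"\s+Time:')
URL_RE = re.compile(r"^\s*\[[\d.]+\]\s+(\S+)")
ERROR_RE = re.compile(r"^\s*Element\.dwErrorStatus = (\S+)")
IGNORE = {"Verified", "OK", "No URLs"}  # successful fetch, or nothing to fetch

@dataclass
class ChainElement:
    index: int  # 0 = end entity, highest = root
    subject: str = ""
    self_signed: bool = False
    errors: list = field(default_factory=list)
    sections: dict = field(default_factory=dict)  # section -> [status, label, url]

def parse_certutil_chain(text):
    """Split the dump into chain elements with their AIA/CDP/OCSP fetch results."""
    elements, section = [], None
    for line in text.split("Exclude leaf")[0].splitlines():
        if m := CONTEXT_RE.match(line):
            elements.append(ChainElement(index=int(m.group(1))))
            section = None
        elif not elements:
            continue  # header lines before the first CertContext
        elif line.strip().startswith("Subject:"):
            elements[-1].subject = line.split(":", 1)[1].strip()
        elif "CERT_TRUST_IS_SELF_SIGNED" in line:
            elements[-1].self_signed = True
        elif m := ERROR_RE.match(line):
            elements[-1].errors.append(m.group(1))
        elif m := SECTION_RE.match(line):
            section = elements[-1].sections.setdefault(m.group(1), [])
        elif section is not None and (m := STATUS_RE.match(line)):
            section.append([m.group(1), m.group(2), None])
        elif section and section[-1][2] is None and (m := URL_RE.match(line)):
            section[-1][2] = m.group(1)  # a URL line belongs to the status above it
    return elements

def revocation_findings(elements):
    """One line per problem: engine errors, fetches that did not verify, non-root elements with no CDP/OCSP URL."""
    findings = []
    for el in elements:
        who = f"[{el.index}] {el.subject or '<no subject>'}"
        findings += [f"{who}: chain error {err}" for err in el.errors]
        for name, entries in el.sections.items():
            findings += [f"{who}: {name} {label} -> {status} ({url})"
                         for status, label, url in entries if status not in IGNORE]
        sources = el.sections.get("Certificate CDP", []) + el.sections.get("Certificate OCSP", [])
        if not el.self_signed and all(s == "No URLs" for s, _, _ in sources):
            findings.append(f"{who}: no CDP or OCSP URL, revocation status cannot be determined")
    return findings
```

Feed it the saved output of certutil -verify -urlfetch on the CA certificate; an empty findings list means every chain element below the root had a CRL or OCSP source that fetched cleanly.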