
The revocation function was unable to check revocation because the revocation server was offline.


Hi there

I just set up a PKI: 1 offline root CA + 1 online issuing CA.

OS: Windows Server 2008 R2


I ran Certutil -verify -urlfetch certfilename.cer (where certfilename.cer is the name of the certificate installed on my Exchange server), and I get the following results; it says the revocation check failed:

Issuer:
    CN=CAISSUING
    O=COMPANY
    C=CO
Subject:
    CN=server01.mydomain.corp
    OU=IT
    O=COMAPNY
    C=CO
Cert Serial Number: 1848d547000000000012

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=CAISSUING, O=COMPANY, C=CO
  NotBefore: 05/06/2013 08:39 a.m.
  NotAfter: 05/06/2015 08:39 a.m.
  Subject: CN=server01.mydomain.corp, OU=IT, O=COMPANY,C=CO
  Serial: 1848d547000000000012
  SubjectAltName: DNS Name=server01.mydomain.corp, DNS Name=mail.mydomain.com, DNS Name=autodiscover.mydomain.corp, DNS Name=server01, DNS Name=outlook.mydomain.com
  Template: TemplateWeb
  49 a8 b4 95 51 f5 f1 bb 10 ee 61 e9 1d 1f 27 12 51 fb 72 89
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Revocation Check Failed "Certificate (0)" Time: 0
    [0.0] http://pki.mydomain.corp/AIA/CAISSUING.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0b)" Time: 0
    [0.0] http://pki.mydomain.corp/CDP/CAISSUING.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 0b:
    Issuer: CN=CAISSUING, O=COMPANY, C=CO
    ea bc f1 ce 2c 44 e9 55 76 2e a5 fb 10 7b 43 0e 2c 1f ba 2a
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=ROOTCA, O=COMPANY, C=CO
  NotBefore: 30/05/2013 04:15 p.m.
  NotAfter: 30/05/2023 04:25 p.m.
  Subject: CN=CAISSUING, O=COMPANY, C=CO
  Serial: 11cd98ed000000000002
  Template: SubCA
  0a 5f 70 ec f5 01 9f 65 a3 c6 0a 65 ef c8 07 9f 6b 53 5a df
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://SERVERPKI/CertEnroll/SERVERPKI_ROOTCA.crt

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://SERVERPKI/CertEnroll/ROOTCA.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ROOTCA, O=COMPANY, C=CO
  NotBefore: 30/05/2013 11:49 a.m.
  NotAfter: 30/05/2033 11:59 a.m.
  Subject: CN=ROOTCA, O=COMPANY, C=CO
  Serial: 663ed3499da366b1481e9d523010061c
  03 2f b6 77 4c a4 3c 3e 52 78 22 4d 2c e7 35 3a d7 75 8f b7
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  21 73 9a 59 1b 53 fb 24 11 b5 e3 52 2a e8 a0 de e8 9e 40 b0
Full chain:
  f3 c1 25 66 20 6e 23 52 e9 de f1 ef 59 f2 54 44 68 d1 77 a2
  Issuer: CN=CAISSUING, O=COMPANY, C=CO
  NotBefore: 05/06/2013 08:39 a.m.
  NotAfter: 05/06/2015 08:39 a.m.
  Subject: CN=server01.mydomain.corp, OU=IT, O=COMPANY, C=CO
  Serial: 1848d547000000000012
  SubjectAltName: DNS Name=server01.mydomain.corp, DNS Name=mail.mydomain.com, DNS Name=autodiscover.mydomain.corp, DNS Name=server01, DNS Name=outlook.mydomain.com
  Template: TemplateWeb
  49 a8 b4 95 51 f5 f1 bb 10 ee 61 e9 1d 1f 27 12 51 fb 72 89
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Any advice?

Regards,


CAS
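An added example, not part of the post above and not a Microsoft tool: a small Python parser over the certutil -verify -urlfetch dump that lists every AIA/CDP/OCSP URL certutil could not retrieve, together with the chain element it belongs to, the URL scheme and the HRESULT. Run on the post's output it isolates the two file:// URLs in the issuing CA certificate (element 1), which point at the root's CertEnroll share and fail with 0x80070032, while the leaf's http:// URLs are left out; the embedded dump is a constructed, trimmed copy of the output quoted in the post.

```python
import re

# Constructed excerpt of the "certutil -verify -urlfetch" output quoted in the post,
# trimmed to the AIA/CDP sections of the leaf and issuing CA elements.
CERTUTIL_DUMP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=server01.mydomain.corp, OU=IT, O=COMPANY,C=CO
  ----------------  Certificate AIA  ----------------
  Revocation Check Failed "Certificate (0)" Time: 0
    [0.0] http://pki.mydomain.corp/AIA/CAISSUING.crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0b)" Time: 0
    [0.0] http://pki.mydomain.corp/CDP/CAISSUING.crl
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Subject: CN=CAISSUING, O=COMPANY, C=CO
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://SERVERPKI/CertEnroll/SERVERPKI_ROOTCA.crt
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file://SERVERPKI/CertEnroll/ROOTCA.crl
"""

ELEMENT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]:")
SECTION_RE = re.compile(r"^\s*-+\s+Certificate (AIA|CDP|OCSP)\s+-+")
ERROR_RE = re.compile(r"^\s*Error retrieving URL: (.+?)\s+(0x[0-9a-fA-F]+)")
URL_RE = re.compile(r"^\s*(?:\[\d+\.\d+\]\s+)?([a-z]+)://(\S+)")


def unreachable_urls(dump):
    """Return one dict per AIA/CDP/OCSP URL that certutil failed to retrieve."""
    # An "Error retrieving URL" line is immediately followed by the URL it refers
    # to, so the pending error is attached to the next URL line of the same section.
    findings, element, subject, section, pending = [], None, None, None, None
    for line in dump.splitlines():
        if m := ELEMENT_RE.match(line):
            element, subject, section, pending = int(m.group(1)), None, None, None
        elif line.strip().startswith("Subject:"):
            subject = line.split(":", 1)[1].strip()
        elif m := SECTION_RE.match(line):
            section, pending = m.group(1), None
        elif m := ERROR_RE.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := URL_RE.match(line)) and pending:
            findings.append({"element": element, "subject": subject, "section": section,
                             "scheme": m.group(1), "url": f"{m.group(1)}://{m.group(2)}",
                             "error": pending[0], "hresult": pending[1]})
            pending = None
    return findings
```

Whatever else is going on, a file:// location is only usable on the machine that holds the share, so the root's CDP/AIA need to be published at HTTP URLs reachable by every relying party (as the issuing CA's already are), with the root CRL copied there; because those URLs are embedded in the issuing CA certificate, it has to be reissued after the root's extensions are corrected.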

