Hello!
I need to verify a certificate manually. The CDP in this certificate points to an indirect CRL. Hence, the issuer of the CRL is not the same as the issuer of the certificate.
I try the command:
certutil -verify -urlfetch last.cer
The result: Wrong issuer "Base CRL".
Then I look at CAPI2 events by means of Eventvwr.msc. There I see the following details:
- CertRejectedRevocationInfo
    + SubjectCertificate
    + IssuerCertificate
    + CertificateRevocationList
    - Action
        [ name] IsCrlSignedByCertIssuer
    - EventAuxInfo
        [ ProcessName] certutil.exe
    - CorrelationAuxInfo
In this case the CRL really is not signed by the cert issuer. But why does this fact result in an error?
Does certutil work with indirect CRLs?
---------------------------------------------------------------
Here are the examples of certificates and CRLs:
Root certificate:
CRL Issuer certificate
Last certificate:
CRL for last certificate (issued by CRL Issuer)
CRL for CRL Issuer (issued by Root)
Thanks in advance.
Regards, Marina.
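The issuer-matching rule that RFC 5280 defines for indirect CRLs (section 6.3.3 step (b)(1), plus the certificateIssuer entry rule of section 5.3.3), as an added example that is not part of the original post and does not model certutil's internals. Distinguished names are assumed to be already normalised strings, and all names and serial numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class DistributionPoint:
    crl_issuer: Optional[str] = None  # cRLIssuer field of the certificate's CDP entry

@dataclass
class Crl:
    issuer: str
    indirect_crl: bool = False  # indirectCRL flag in issuingDistributionPoint
    # (serial, certificateIssuer entry extension or None), in CRL order
    entries: List[Tuple[int, Optional[str]]] = field(default_factory=list)

def crl_in_scope(cert_issuer: str, dp: DistributionPoint, crl: Crl) -> Tuple[bool, str]:
    """RFC 5280 6.3.3 (b)(1). Signature and path checks on the CRL are separate steps."""
    if dp.crl_issuer is not None:
        if crl.issuer != dp.crl_issuer:
            return False, "CRL issuer differs from cRLIssuer in the CDP"
        if not crl.indirect_crl:
            return False, "CRL lacks indirectCRL in issuingDistributionPoint"
        return True, "indirect CRL accepted"
    if crl.issuer != cert_issuer:
        return False, "no cRLIssuer in CDP and CRL issuer differs from certificate issuer"
    return True, "direct CRL accepted"

def is_revoked(cert_issuer: str, serial: int, crl: Crl) -> bool:
    """On an indirect CRL an entry applies only to certificates of its certificateIssuer."""
    current = crl.issuer  # default for the first entry (RFC 5280 5.3.3)
    for entry_serial, entry_issuer in crl.entries:
        if entry_issuer is not None:
            current = entry_issuer  # carries over to the entries that follow
        if entry_serial == serial and current == cert_issuer:
            return True
    return False

# Constructed sample data, not decoded from the certificates in the post.
CA = "CN=Example CA"
CRL_ISSUER = "CN=Example CRL Issuer"
INDIRECT_CRL = Crl(CRL_ISSUER, True, [(0x10, CA), (0x11, None), (0x12, "CN=Other CA")])

if __name__ == "__main__":
    for dp in (DistributionPoint(CRL_ISSUER), DistributionPoint()):
        print(dp, crl_in_scope(CA, dp, INDIRECT_CRL))
    print("serial 0x11 revoked for CA:", is_revoked(CA, 0x11, INDIRECT_CRL))
```

The second distribution point, which has no cRLIssuer, is rejected even though the CRL itself is well formed: under this rule a validator only accepts a CRL from a different issuer when the certificate's own CDP names that issuer.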