I'm using CAcert for certificate verification, and in Outlook none of the client certificates can be verified because "the server is offline". The root is in Trusted for both HCCE_LOCAL_MACHINE and HCCE_CURRENT_USER.
The most bizarre thing is: all servers are online and I can download the CRLs. They appear to be correct and I can't understand why there's an error (because verification is OK!). I thought that because the root CRL for the class 1 root is so large there could be timeouts, but using "-t 30" doesn't change the behaviour. You can see that everything is verified! But it still shows up with an error status (Class 3 intermediate) of 1000040.
If I use "certutil -f -verify -urlfetch <mycer>", then there is no error, but "failed" is present in the output. I don't know what the difference is, as -f is not documented on MSDN (references: http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx and http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_verify).
Note, this problem occurs on Windows 7 as well as Windows 8.1.
I have the support of the CA authority to also further investigate.
X:\>certutil -t 30 -verify -urlfetch "20130103 011232 jason@onmicrosoft.cer"
Issuer:
CN=CAcert Class 3 Root
OU=http://www.CAcert.org
O=CAcert Inc.
Subject:
E=jason@thecurls.onmicrosoft.com
CN=Jason Curl
Cert Serial Number: 011232
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
NotBefore: 03/01/2013 14:17
NotAfter: 03/01/2015 14:17
Subject: E=jason@thecurls.onmicrosoft.com, CN=Jason Curl
Serial: 011232
SubjectAltName: RFC822 Name=jason@thecurls.onmicrosoft.com
f9 3c a2 39 9b 27 0d 84 26 29 7f 9b 23 83 2c 68 56 93 d5 1e
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://crl.cacert.org/class3-revoke.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://ocsp.cacert.org
--------------------------------
CRL (null):
Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
aa ce 2f e9 20 5f 91 1d ce 91 47 51 8f ce b6 55 aa 9b 0b 98
Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
Application[3] = 1.3.6.1.4.1.311.10.3.3
Application[4] = 2.16.840.1.113730.4.1
CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=1000040
Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
NotBefore: 23/05/2011 19:48
NotAfter: 20/05/2021 19:48
Subject: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
Serial: 0a418a
ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://www.CAcert.org/ca.crt
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://ocsp.CAcert.org/
--------------------------------
Issuance[0] = 1.3.6.1.4.1.18506
CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
NotBefore: 30/03/2003 14:29
NotAfter: 29/03/2033 14:29
Subject: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Serial: 00
13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 12
[0.0] https://www.cacert.org/revoke.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
b3 cf c2 7a ca 14 01 93 ea dc 46 c0 c0 6e b6 d1 b3 7f 39 b3
Full chain:
f3 71 fa 99 64 60 c4 01 75 62 d9 f8 94 15 bc 11 2f 1b c2 bd
Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
NotBefore: 03/01/2013 14:17
NotAfter: 03/01/2015 14:17
Subject: E=jason@thecurls.onmicrosoft.com, CN=Jason Curl
Serial: 011232
SubjectAltName: RFC822 Name=jason@thecurls.onmicrosoft.com
f9 3c a2 39 9b 27 0d 84 26 29 7f 9b 23 83 2c 68 56 93 d5 1e
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
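To make a trace like the one above easier to read, here is a small parser, added as an example and not part of the question or of certutil: it splits "certutil -verify -urlfetch" output into chain elements, expands each dwErrorStatus bitmask into its CERT_TRUST_* flag names, and records what certutil reported under each element's own AIA/CDP/OCSP headers ("Verified" or "No URLs"). The 0x40 and 0x1000000 values and the constructed SAMPLE excerpt come from the trace above; the other bit values are standard CryptoAPI CERT_TRUST_STATUS constants.

```python
import re

# dwErrorStatus bits of the CryptoAPI CERT_TRUST_STATUS structure; 0x40 and
# 0x1000000 are the two set in the trace above (certutil prints 1000040 in hex).
ERROR_FLAGS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID", 0x4: "CERT_TRUST_IS_REVOKED",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT", 0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN", 0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

def decode_error_status(value):
    names = [name for bit, name in sorted(ERROR_FLAGS.items()) if value & bit]
    leftover = value & ~sum(ERROR_FLAGS)   # bits this table does not know, kept as hex
    return names + (["UNKNOWN(0x%x)" % leftover] if leftover else [])

ELEMENT_RE = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=\w+ dwErrorStatus=(\w+)")
SECTION_RE = re.compile(r"^-+ Certificate (AIA|CDP|OCSP) -+$")

def parse_chain(text):
    """One record per chain element: subject, decoded error flags and the fetch result
    ("Verified" / "No URLs" / "Failed") certutil printed under the element's own
    AIA/CDP/OCSP headers. Other dashed headers (e.g. "Base CRL CDP") clear the section."""
    elements, current, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ELEMENT_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "subject": None, "sources": {},
                       "errors": decode_error_status(int(m.group(2), 16))}
            elements.append(current)
            section = None
        elif line.startswith("-"):
            s = SECTION_RE.match(line)
            section = s.group(1) if s else None
        elif current and line.startswith("Subject:") and current["subject"] is None:
            current["subject"] = line[len("Subject:"):].strip()
        elif current and section and line.startswith(("Verified", "No URLs", "Failed")):
            current["sources"][section] = line.split('"')[0].strip()
    return elements

# Constructed excerpt in the shape of the trace above (not the complete output).
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=1000040
Subject: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
"""
```

Running parse_chain on the full trace shows the intermediate (element 1) is the only element carrying CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION, and that its Certificate CDP section had no URL to fetch at all.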