Hi everyone
I've followed this setup guide to create a 2-tier PKI environment in my lab: https://technet.microsoft.com/en-us/library/hh831348.aspx
For the overview (Computername, Role):
Domain: pki.local
S01: AD/DC/DNS (2012x64R2)
S02: offline RootCA (2012x64R2)
|_ S03: online Enterprise SubCA (2012x64R2)
WS01: Windows 7x64
Except for the creation of an IIS server (for the CRL), I did all the steps as precisely as possible (only changed the server names).
I've duplicated the default smart card logon template and changed the following settings:
- Compatibility Settings:
Certification Authority -> "Windows Server 2012 R2"
Certificate Recipient -> "Windows 7 / Server 2008 R2"
- Request Handling:
"Prompt the user during enrollment"
- Cryptography:
Provider Category -> "Key Storage Provider"
CSP -> "Microsoft Smart Card Key Storage Provider"
Request hash -> "SHA512"
Other necessary templates that are active: "Domain Controller Authentication" and "Workstation Authentication"; both have autoenrollment for the specific group (Domain Computers and Domain Controllers).
Well, so far so good: every node has its certificate (S01, S02, S03, WS01 and the [DomainUser]) and they seem "happy" so far (no events spotted).
But unfortunately I wasn't able to log in via smart card on WS01.
The Error Message is:
"The system could not log you on. The revocation status of the domain controller certificate used for smart card authentication could not be determined."
This is what 'certutil -verify C:\CertName.cer' on my smart card certificate gave me:
Issuer:CN=pkiLocalSubCA
DC=pki
DC=local
Subject:
CN=vilu
Cert Serial Number: 1d00000004ce3d86ea41641832000000000004
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
NotBefore: 03.12.2015 10:49
NotAfter: 02.12.2016 10:49
Subject: CN=vilu
Serial: 1d00000004ce3d86ea41641832000000000004
SubjectAltName: Other Name:Principal Name=vilu@pki.local
Template: pkiLocalSmartCardLogonSHA512
a2 a7 cc 52 c4 39 d3 65 db 0f b8 28 5c 7c fa 3d 3f 20 fb 42
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Revocation Check Failed "Certificate (0)" Time: 0
[0.0] ldap:///CN=pkiLocalSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pki,DC=local?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Verified "Base CRL (03)" Time: 0
[0.0] ldap:///CN=pkiLocalSubCA,CN=s03,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pki,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 03:
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
NotBefore: 02.12.2015 15:04
NotAfter: 02.12.2030 15:14
Subject: CN=pkiLocalSubCA, DC=pki, DC=local
Serial: 2800000002843fad26b2b5e72b000000000002
Template: SubCA
6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
file:////s02/CertEnroll/s02_pkiLocalRootCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
ldap:///CN=pkiLocalRootCA,CN=s02,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
file:////s02/CertEnroll/pkiLocalRootCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
NotBefore: 02.12.2015 13:39
NotAfter: 02.12.2045 13:49
Subject: CN=pkiLocalRootCA, DC=pki, DC=local
Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
30 e2 9d 8d f9 97 7d 14 6b 98 83 2a 4c 6e cd cf 73 a7 82 8e
Full chain:
55 dd 43 51 46 1e 4c 34 73 9f 8d 53 fc 6d dd ec 32 ec da 72
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
NotBefore: 03.12.2015 10:49
NotAfter: 02.12.2016 10:49
Subject: CN=vilu
Serial: 1d00000004ce3d86ea41641832000000000004
SubjectAltName: Other Name:Principal Name=vilu@pki.local
Template: pkiLocalSmartCardLogonSHA512
a2 a7 cc 52 c4 39 d3 65 db 0f b8 28 5c 7c fa 3d 3f 20 fb 42
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
And this is what 'certutil -scinfo' gave:
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: CardOS V4.4
--- ATR:
3b d2 18 02 c1 0a 31 fe 58 c8 0d 51 ;.....1.X..Q
=======================================================
Analyzing card in reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Card: CardOS V4.4
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734 [Default Container]
No AT_SIGNATURE key for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734
Provider = Microsoft Base Smart Card Crypto Provider
ProviderType = 1
Flags = 1
KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
NotBefore: 03.12.2015 11:35
NotAfter: 02.12.2016 11:35
Subject: CN=vilu
Serial: 1d000000076cb29753c5f48fb9000000000007
SubjectAltName: Other Name:Principal Name=vilu@pki.local
Template: pkiLocalSmartCardLogonSHA512
65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 03:
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
NotBefore: 02.12.2015 15:04
NotAfter: 02.12.2030 15:14
Subject: CN=pkiLocalSubCA, DC=pki, DC=local
Serial: 2800000002843fad26b2b5e72b000000000002
Template: SubCA
6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
NotBefore: 02.12.2015 13:39
NotAfter: 02.12.2045 13:49
Subject: CN=pkiLocalRootCA, DC=pki, DC=local
Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
b2 77 c9 09 2c 45 32 00 57 67 e9 b5 b9 2d f0 77 0d b0 2a 7b
Full chain:
8b 58 8f 0b e7 50 fc ae 01 07 95 5e 2a 63 4d 46 30 96 a0 34
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
NotBefore: 03.12.2015 11:35
NotAfter: 02.12.2016 11:35
Subject: CN=vilu
Serial: 1d000000076cb29753c5f48fb9000000000007
SubjectAltName: Other Name:Principal Name=vilu@pki.local
Template: pkiLocalSmartCardLogonSHA512
65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Card: CardOS V4.4
Provider = Microsoft Smart Card Key Storage Provider
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734
Performing public key matching test...
Public key matching test succeeded
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734
Provider = Microsoft Smart Card Key Storage Provider
ProviderType = 0
Flags = 1
KeySpec = 0
Private key verifies
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
NotBefore: 03.12.2015 11:35
NotAfter: 02.12.2016 11:35
Subject: CN=vilu
Serial: 1d000000076cb29753c5f48fb9000000000007
SubjectAltName: Other Name:Principal Name=vilu@pki.local
Template: pkiLocalSmartCardLogonSHA512
65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 03:
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
NotBefore: 02.12.2015 15:04
NotAfter: 02.12.2030 15:14
Subject: CN=pkiLocalSubCA, DC=pki, DC=local
Serial: 2800000002843fad26b2b5e72b000000000002
Template: SubCA
6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
NotBefore: 02.12.2015 13:39
NotAfter: 02.12.2045 13:49
Subject: CN=pkiLocalRootCA, DC=pki, DC=local
Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
b2 77 c9 09 2c 45 32 00 57 67 e9 b5 b9 2d f0 77 0d b0 2a 7b
Full chain:
8b 58 8f 0b e7 50 fc ae 01 07 95 5e 2a 63 4d 46 30 96 a0 34
Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
NotBefore: 03.12.2015 11:35
NotAfter: 02.12.2016 11:35
Subject: CN=vilu
Serial: 1d000000076cb29753c5f48fb9000000000007
SubjectAltName: Other Name:Principal Name=vilu@pki.local
Template: pkiLocalSmartCardLogonSHA512
65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Displayed cert for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--------------===========================--------------
Done.
CertUtil: -SCInfo command completed successfully.
But when I do a URL check, it seems fine... well, at least it's there:
[pretend there is an image here; I'm not allowed to publish an image on TechNet yet, but the URL Retrieval Tool status says: verified]
I'm pretty sure I did something wrong, but it's disturbing being unable to find any solution for this.
Help, please? Anyone?
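An added diagnostic and remediation script for the situation in the trace above (this is example code, not part of the original post and not from the Microsoft guide). The trace shows two things the chain engine cannot use when it checks the SubCA certificate: file:// URLs pointing at \\s02\CertEnroll (retrieval fails with "The request is not supported"), and an LDAP CDP whose DN ends in DC=UnavailableConfigDN, which is what a CA that is not domain-joined expands the %6 (configuration container) token to. The script publishes the root CA certificate and CRL into AD and the local store, clears the URL cache and re-runs the chain build with live fetching; when run on the root itself it rewrites the root's CDP/AIA to use an explicit DN. Assumptions: the root cert and CRL were copied to C:\Temp, the DNS name pki.pki.local is a hypothetical IIS host for an HTTP distribution point, and the computer names are the ones from the post (S02 is the root).

```powershell
# Added example (not from the original post or from the Microsoft guide).
# Run in an elevated PowerShell session. On S02 (offline root) it rewrites the
# root's CDP/AIA; on a domain member (S01, S03, WS01) it publishes the root
# cert/CRL and re-checks the chain.
$RootCert = 'C:\Temp\s02_pkiLocalRootCA.crt'   # assumed copy location; file name taken from the AIA URL in the trace
$RootCrl  = 'C:\Temp\pkiLocalRootCA.crl'       # assumed copy location; file name taken from the CDP URL in the trace
$LeafCert = 'C:\CertName.cer'                  # the smart card certificate checked in the post
$HttpHost = 'pki.pki.local'                    # assumed (hypothetical) IIS CDP/AIA host; only useful once IIS exists

$ConfigDN = 'CN=Configuration,DC=pki,DC=local' # explicit DN: the offline root cannot resolve %6 itself

if ($env:COMPUTERNAME -ieq 'S02') {
    # --- offline root: replace file:// and %6-based paths with reachable ones ---
    # Flags: 1 = publish here, 2 = put the URL into issued certs (CDP/AIA), 8 = include in CRLs.
    # Tokens: %1 server DNS name, %2 server short name, %3 CA name, %4 cert index suffix,
    #         %7 sanitized CA name, %8 CRL name suffix.
    # PowerShell leaves "\n" untouched, which is exactly the separator certutil expects.
    $crlUrls = "1:$env:SystemRoot\System32\CertSrv\CertEnroll\%3%8.crl\n" +
               "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,$ConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint\n" +
               "2:http://$HttpHost/CertEnroll/%3%8.crl"
    $aiaUrls = "1:$env:SystemRoot\System32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
               "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,$ConfigDN?cACertificate?base?objectClass=certificationAuthority\n" +
               "2:http://$HttpHost/CertEnroll/%1_%3%4.crt"
    certutil -setreg CA\CRLPublicationURLs $crlUrls
    certutil -setreg CA\CACertPublicationURLs $aiaUrls
    Restart-Service CertSvc
    certutil -crl                       # issue a fresh CRL; copy it and the .crt to the domain afterwards
    certutil -getreg CA\CRLPublicationURLs
}
else {
    # --- domain member: make the root's cert and CRL reachable over LDAP ---
    # 1. What does the SubCA cert currently tell clients? Look for file:// and DC=UnavailableConfigDN.
    $subCa = Get-ChildItem Cert:\LocalMachine\CA |
             Where-Object { $_.Subject -like 'CN=pkiLocalSubCA*' } |
             Select-Object -First 1
    if ($subCa) {
        $subCa.Extensions |
            Where-Object { $_.Oid.FriendlyName -in @('CRL Distribution Points', 'Authority Information Access') } |
            ForEach-Object { "{0}:`n{1}" -f $_.Oid.FriendlyName, $_.Format($true) }
    }

    # 2. Publish the root cert (trusted roots + AIA) and its CRL (under CN=s02,CN=CDP,...) into AD.
    #    Needs Enterprise Admin rights.
    certutil -dspublish -f $RootCert RootCA
    certutil -dspublish -f $RootCrl s02

    # 3. Put both into the local machine store as well, then drop cached URL results.
    certutil -addstore -f Root $RootCert
    certutil -addstore -f Root $RootCrl
    certutil -urlcache * delete

    # 4. Re-run the chain build with live retrieval and look for the offline-revocation marker.
    $out = certutil -verify -urlfetch $LeafCert 2>&1
    if ($out -match 'CERT_TRUST_IS_OFFLINE_REVOCATION|Revocation check skipped') {
        Write-Warning 'Revocation status of the SubCA still unknown; check the CDP/AIA lines below.'
        $out | Select-String -Pattern 'Failed|Error retrieving|ldap:|file:|http:'
    }
    else {
        'Full chain verified with revocation checking.'
    }
}
```

The URLs embedded in the SubCA certificate were fixed at the time the root signed it, so after changing CRLPublicationURLs and CACertPublicationURLs on S02 the SubCA certificate has to be re-issued by the root before any client sees the corrected paths; publishing the root CRL into AD under the right DN does not rescue a CDP that still says DC=UnavailableConfigDN. The logon error names the domain controller's certificate, so the domain-member branch should be run (and the result checked) on S01 as well as on WS01: both the KDC and the client build and revocation-check the chain.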