
CRL Revocation always failed


Hi All,

I am trying to configure the RADIUS server (NPS), but somehow certificate authentication for the client always fails with the reason:

Reason = The revocation function was unable to check revocation because the revocation server was offline.

Then I checked the client certificate with certutil -f -urlfetch -verify client7.cer; the result is as follows:

Issuer:
    CN=ENTCA
    DC=intra
    DC=domain
    DC=co
    DC=sg
Subject:
    CN=Computer.intra.domain.co.sg
Cert Serial Number: 1c5b00de000000000041

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=EntCA, DC=intra, DC=domain, DC=co, DC=sg
  NotBefore: 4/6/2013 9:40 PM
  NotAfter: 7/5/2013 9:40 PM
  Subject: CN=client7.intra.domain.co.sg
  Serial: 1c5b00de000000000041
  SubjectAltName: DNS Name=client7.intra.domain.co.sg
  Template: Test Certificate Template
  ce e4 e7 c9 8b f5 b1 b2 cf 6d 53 a1 e1 cd 44 11 ec e6 f3 8f
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://webca/cert/EntCA.crt

  Verified "Certificate (0)" Time: 0
    [1.0] ldap:///CN=EntCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=intra,DC=domain,DC=co,DC=sg?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01)" Time: 0
    [0.0] http://webca/cert/EntCA.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190190 (-2145844848)
    [0.0.0] http://webca/cert/%3%8%9.crl

  Failed "CDP" Time: 0
    Error retrieving URL: The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)
    [0.1.0] ldap://myLDAPserver/CN=%7%8,CN=%2,CN=CDP,CN=Public%20Key%20Services,CN=Services,%6%10

  Verified "Base CRL (01)" Time: 0
    [1.0] ldap:///CN=EntCA,CN=ENTCASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=intra,DC=domain,DC=co,DC=sg?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190190 (-2145844848)
    [1.0.0] http://webca/cert/%3%8%9.crl

  Failed "CDP" Time: 0
    Error retrieving URL: The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)
    [1.1.0] ldap://myLDAPserver/CN=%7%8,CN=%2,CN=CDP,CN=Public%20Key%20Services,CN=Services,%6%10

  ----------------  Base CRL CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190190 (-2145844848)
    http://webca/cert/%3%8%9.crl

  Failed "CDP" Time: 0
    Error retrieving URL: The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)
    ldap://myLDAPserver/CN=%7%8,CN=%2,CN=CDP,CN=Public%20Key%20Services,CN=Services,%6%10

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 01:
    Issuer: CN=ENTCA, DC=intra, DC=domain, DC=co, DC=sg
    69 6c 99 0c 15 ba 11 69 7d 32 72 6a 7a d9 52 7a 13 1d 03 9c
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication

CRL 2b:
    Issuer: CN=RootCA
    5f 45 99 28 cf 6b 07 32 31 b7 58 de 0e a3 8c 8b ac be 24 6b

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 12/2/2005 4:15 PM
  NotAfter: 12/2/2021 4:21 PM
  Subject: CN=RootCA
  Serial: 4de76da26f2ac5bf4e3b7ee613511a83
  bb 64 62 48 93 fe da 36 14 6d 44 fe 57 37 36 8d c8 bc d2 81
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------


Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

Can anyone tell me what is wrong with my configuration?

Other questions:

1. How do I change the base CRL CDP configuration?

2. Why does the old LDAP certificate CDP still remain in the urlfetch output when it has already been deleted? How do I delete the old LDAP certificate CDP?

Thanks.

Endrik


Endrik | blog: itendrik.wordpress.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
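An added example, not code from the post above: a small parser for the URL-fetch section of `certutil -f -urlfetch -verify` output that lists each AIA/CDP/OCSP URL with its Verified/Failed result, decodes HTTP-facility HRESULTs (0x80190190 carries HTTP status 400 in its low 16 bits), and flags `%N` sequences that are not valid percent-escapes. Those are the replacement variables AD CS substitutes when it publishes (for example `%3` CaName, `%8` CRLNameSuffix, `%9` DeltaCRLAllowed, `%7` CATruncatedName, `%2` ServerShortName, `%6` ConfigDN, `%10` CDPObjectClass); a client fetching a URL that still contains them literally cannot succeed. The sample text is a constructed excerpt modeled on the output in the post.

```python
"""Parse the URL-fetch section of `certutil -f -urlfetch -verify` output.

Added example; it is not code from the post and does not ship with certutil.
It records each AIA/CDP/OCSP URL with its Verified/Failed result, decodes
HTTP-facility HRESULTs, and flags unexpanded AD CS replacement tokens
(%1..%11) that a CA substitutes when it publishes a CRL or CDP extension.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# AD CS CRLPublicationURLs / CACertPublicationURLs replacement variables.
REPLACEMENT_TOKENS = {
    "1": "ServerDNSName", "2": "ServerShortName", "3": "CaName",
    "4": "CertificateName", "5": "DomainDN", "6": "ConfigDN",
    "7": "CATruncatedName", "8": "CRLNameSuffix", "9": "DeltaCRLAllowed",
    "10": "CDPObjectClass", "11": "CAObjectClass",
}

# %N that is *not* part of a valid %XX percent-escape: %20 is left alone,
# while %3%8%9.crl and CN=%7%8,CN=%2 are caught.
TOKEN_RE = re.compile(r"%(1[01]|[1-9])(?![0-9A-Fa-f])")
SECTION_RE = re.compile(r"^\s*-{4,}\s+(.+?)\s+-{4,}\s*$")
RESULT_RE = re.compile(r'^\s*(Verified|Failed|No URLs)\s+"([^"]*)"')
ERROR_RE = re.compile(r"^\s*Error retrieving URL:\s*(.+?)\s*$")
URL_RE = re.compile(r"^\s*\[([\d.]+)\]\s+(\S+)")
HRESULT_RE = re.compile(r"0x([0-9A-Fa-f]{8})")
FACILITY_HTTP = 0x19  # HRESULT facility code for WinHTTP/HTTP status errors

# Constructed sample, modeled on the certutil output in the post above.
SAMPLE = """\
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://webca/cert/EntCA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01)" Time: 0
    [0.0] http://webca/cert/EntCA.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190190 (-2145844848)
    [0.0.0] http://webca/cert/%3%8%9.crl

  Failed "CDP" Time: 0
    Error retrieving URL: The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)
    [0.1.0] ldap://myLDAPserver/CN=%7%8,CN=%2,CN=CDP,CN=Public%20Key%20Services,CN=Services,%6%10

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
"""


@dataclass
class UrlCheck:
    section: str                 # e.g. "Certificate CDP", "Base CRL CDP"
    index: str                   # certutil's bracketed index, e.g. "0.0.0"
    url: str
    status: str                  # "Verified" or "Failed"
    error: Optional[str] = None
    http_status: Optional[int] = None
    unexpanded: List[str] = field(default_factory=list)


def http_status_from_error(error: Optional[str]) -> Optional[int]:
    """For a FACILITY_HTTP HRESULT (0x8019xxxx) return the HTTP status code."""
    if not error:
        return None
    m = HRESULT_RE.search(error)
    if not m:
        return None
    hresult = int(m.group(1), 16)
    if (hresult >> 16) & 0x7FF == FACILITY_HTTP:   # facility = bits 16..26
        return hresult & 0xFFFF
    return None


def unexpanded_tokens(url: str) -> List[str]:
    """Names of AD CS replacement variables left literally in a URL."""
    return [REPLACEMENT_TOKENS[n] for n in TOKEN_RE.findall(url)]


def parse_urlfetch(text: str) -> List[UrlCheck]:
    checks: List[UrlCheck] = []
    section, status, error = "?", None, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section, status, error = m.group(1), None, None
        elif (m := RESULT_RE.match(line)):
            status, error = m.group(1), None       # new result block starts
        elif (m := ERROR_RE.match(line)):
            error = m.group(1)                     # belongs to the pending Failed block
        elif (m := URL_RE.match(line)) and status:
            url = m.group(2)
            checks.append(UrlCheck(section, m.group(1), url, status, error,
                                   http_status_from_error(error),
                                   unexpanded_tokens(url)))
    return checks


def failed_checks(checks: List[UrlCheck]) -> List[UrlCheck]:
    return [c for c in checks if c.status == "Failed"]


def report(checks: List[UrlCheck]) -> str:
    out = []
    for c in checks:
        note = f" HTTP {c.http_status}" if c.http_status else ""
        if c.unexpanded:
            note += " UNEXPANDED: " + ", ".join(c.unexpanded)
        out.append(f"{c.status:8} [{c.index}] {c.section}: {c.url}{note}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_urlfetch(SAMPLE)))
```

Run it against a saved `certutil -f -urlfetch -verify` transcript instead of `SAMPLE` to get the same listing for a real certificate; any line marked UNEXPANDED points at a CDP/AIA URL the CA published without substituting its variables, and an HTTP 400 on such a URL is what a web server returns for the malformed `%3` escape.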



