5

I'm attempting to import a certificate created by a CA I've set up in Windows using AD CS. I've done the following:

1) Created my own CA (MyCompany)
2) Enabled web services (mostly for ease of configuration)
3) Generated a certificate request on the Sonicwall itself
4) Used web services to sign the certificate
5) Imported the signed certificate into the Sonicwall ...this caused the certificate to show "No" for the Verified field.
6) Imported the CA's certificate.

This is where I get stuck. I attempted to import the CRL list, but get the following error: CRL Error - Verification failed using CA certificate. No further errors appear in the logs. Without the CRL list the certificate won't verify and it doesn't appear under the "Administration" page so I can select it for use via HTTPS.

Any ideas?

Edit: From Sonicwall when I attempt to use my HTTP published list:

07/02/2013 14:33:54.256 Alert VPN PKI Cannot Validate Issuer Path HTTPS
07/02/2013 14:33:54.256 Alert VPN PKI CRL validation failure for Root Certificate MyCompanyCA
07/02/2013 14:33:54.256 Alert VPN PKI Failed to Process CRL from http://crl.mydomain.com/CertEnroll/ CA: MyCompanyCA
Shane Madden
Nathan C
  • Why not make a CRL available? You should have it anyway – MDMarra Jul 02 '13 at 16:56
  • Agreed. You need to add an HTTP CRL Distribution Point to your certs, in addition to the LDAP one. – Ryan Ries Jul 02 '13 at 17:02
  • @RyanRies I added one, but it's failing to process at this point. – Nathan C Jul 02 '13 at 18:04
  • @NathanC Did you do it *exactly* like this? http://blogs.technet.com/b/mspfe/archive/2013/04/24/adcs-manually-created-cdp-extensions-cause-crl-look-up-failures.aspx :) – Ryan Ries Jul 02 '13 at 18:17
  • @RyanRies Yes. Changed the path - still the same problem. Updating my question with new errors. – Nathan C Jul 02 '13 at 18:35
  • Bummer, I was hoping to hit it out of the park with that. :( – Ryan Ries Jul 02 '13 at 18:38
  • Are you using a root certificate or an intermediate to create the Sonicwall cert? If you're using an intermediate, can/did you try and import both the intermediate and the root cert to the Sonicwall? – Paul Kroon Jul 09 '13 at 02:14
  • When you captured that bit in your edit from the Sonicwall's log (the whole "PKI Failed to Process CRL from..." bit) did you compare that to the logs on the web server publishing the CRL to see if it actually attempted to download the CRL? – Evan Anderson Jul 10 '13 at 19:18
  • @PaulKroon I used the root cert. – Nathan C Jul 10 '13 at 21:19
  • @EvanAnderson Interestingly enough, no. It *did* hit the server a couple times when I was first trying to get it working, but after that the logs were silent. I used the certutil and it worked on my Windows machine, though. – Nathan C Jul 10 '13 at 21:20
  • @NathanC I know you mentioned you validated the CRL with certutil, but as an added check, can you copy the HTTP url listed and actually browse to it to make sure the .crl file gets downloaded? It might just be the log formatting, but it looks like the Sonicwall doesn't see an actual .crl file in the url. – Paul Kroon Jul 23 '13 at 11:52
  • @PaulKroon Yes, the CRL downloads. – Nathan C Jul 23 '13 at 12:09

2 Answers

4

So, after coming back to this with a brand new CA, it appears there's actually a bug with SonicOS 5.8 that causes this issue. My CA certificate is SHA512 and SonicOS only supports SHA1. Unfortunately I can't upgrade to 5.9 yet (which resolves the issue). If this helps anyone else, awesome.

Nathan C
0

Well, doing wild guesses, let's do this:

  • Let's start with the stupid thing: are you sure you are importing the correct file?! :)

  • Is the DNS correct? Can the SonicWall successfully resolve crl.mydomain.com?

  • Is the time correct? Make sure you have an NTP server configured on both sides; certificate management usually requires correct time.

  • Does the CRL URL really download anything?

  • Can you see the Windows CA logs, to confirm that the file is downloaded? Or even better, load a sniffer (like Wireshark) on the Windows CA and see if you get any request, on what port you get the request and what you reply back. If you get nothing, check firewall, routing problems, ACLs, etc.

If you get a request and reply successfully with valid info, it's probably a SonicWall problem.

If all fails, open a service request with SonicWall; they should help you debug the problem.

higuita
  • Weirdly enough, no request is made to the CA. I can however ping the CA and I can use `certutil` to validate the CRL from my own local machine. Both are on the same subnet too. It's really odd. Wireshark will probably be my only chance in this case. – Nathan C Jul 15 '13 at 22:14
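The accepted answer pins the failure on the CA certificate's signature hash (SHA-512) being one the importing firmware does not support, and higuita's checklist asks whether the downloaded file is really a CRL that verifies against the CA certificate. Both checks can be run off-box before importing anything. The example below is added here and is not code from either poster, from SonicWall or from Microsoft: it uses only Go's standard `crypto/x509` package to build a throwaway CA and CRL (constructed material standing in for the asker's AD CS CA), then runs the same steps a device runs at import time: parse, verify the signature with the CA certificate, check the validity window, and report the signature algorithm. The function names `buildCAAndCRL` and `CheckCRL` and the `SHA1OnlyDevice` set are assumptions for this example; the set models the "only SHA-1" statement from the accepted answer and is not an official SonicOS capability list.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SHA1OnlyDevice models an importer that accepts only SHA-1 signatures, which is
// how the accepted answer describes SonicOS 5.8. The set is an assumption for this
// example; consult the device documentation for the real list.
var SHA1OnlyDevice = map[x509.SignatureAlgorithm]bool{
	x509.SHA1WithRSA: true,
}

// buildCAAndCRL creates a throwaway self-signed CA and a CRL it signs with alg.
// Constructed test material standing in for the asker's AD CS CA; not real PKI.
func buildCAAndCRL(alg x509.SignatureAlgorithm) (*x509.Certificate, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "MyCompanyCA"}, // name taken from the question
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
		SignatureAlgorithm:    alg,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(4242), RevocationTime: now}, // constructed revocation entry
		},
		SignatureAlgorithm: alg,
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	if err != nil {
		return nil, nil, err
	}
	return ca, crlDER, nil
}

// CheckCRL performs the import-time checks: parse the DER CRL (is it really a CRL?),
// verify its signature with the CA certificate, confirm it is current, and report
// whether its signature algorithm is one the target device supports.
func CheckCRL(crlDER []byte, ca *x509.Certificate, supported map[x509.SignatureAlgorithm]bool) (x509.SignatureAlgorithm, bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, false, fmt.Errorf("not a DER CRL (wrong file?): %w", err)
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return rl.SignatureAlgorithm, false, fmt.Errorf("CRL signature does not verify with CA certificate: %w", err)
	}
	if now := time.Now(); now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return rl.SignatureAlgorithm, false, errors.New("CRL is not current: check clocks/NTP and republish")
	}
	return rl.SignatureAlgorithm, supported[rl.SignatureAlgorithm], nil
}

func main() {
	ca, crl, err := buildCAAndCRL(x509.SHA512WithRSA)
	if err != nil {
		panic(err)
	}
	alg, ok, err := CheckCRL(crl, ca, SHA1OnlyDevice)
	fmt.Printf("algorithm=%v verifies=%v device-supported=%v\n", alg, err == nil, ok)
}
```

A CRL that verifies here but comes back `device-supported=false` is the situation in the accepted answer: the file and the chain are fine, and the fix is on the CA side (reissue with a hash the device accepts) or on the device side (firmware that supports the hash). A CRL that fails the signature step against the CA certificate you imported points instead at higuita's first item, the wrong file or the wrong CA. To check a real CRL, load the DER bytes from the CDP download and the CA certificate with `x509.ParseCertificate` in place of `buildCAAndCRL`.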