
I have a chain of certificates: MYROOTCERT -> MYCHILDCERT. The MYCHILDCERT certificate has a CRL distribution point extension:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://pacem/mychildcert.crl

The problem is that I can't connect with this certificate, and when I check it with the certutil -verify command I get the "revocation server offline" error:

C:\Users\Administrator>certutil -verify -urlfetch C:\Share\mycerts\MYCHILDCERT.cer
Issuer:
    CN=MYROOTCERT
Subject:
    CN=MYCHILDCERT
Cert Serial Number: 0af7c4fb38ad0bd258fde6356117896519

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
  Issuer: CN=MYROOTCERT
  NotBefore: 1/1/2000 3:00 AM
  NotAfter: 1/1/2500 3:00 AM
  Subject: CN=MYCHILDCERT
  Serial: 0af7c4fb38ad0bd258fde6356117896519
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  OK "Base CRL" Time: 14
    [0.0] http://pacem/mychildcert.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
Missing Issuer: CN=MYROOTCERT
  Issuer: CN=MYROOTCERT
  NotBefore: 1/1/2000 3:00 AM
  NotAfter: 1/1/2500 3:00 AM
  Subject: CN=MYCHILDCERT
  Serial: 0af7c4fb38ad0bd258fde6356117896519
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    CN=MYROOTCERT
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

I checked IIS logs and I see that the file is actually getting accessed during this check:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-06-22 16:50:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-06-22 16:50:16 fe80::3d38:f18e:f98:acf3%11 GET /mychildcert.crl - 80 - fe80::3d38:f18e:f98:acf3%11 Microsoft-CryptoAPI/6.1 200 0 0 84

When I enter the URL in a browser, it downloads the file. Could it be that the CRL file itself is not valid? I checked the dates and they seem to be OK:

Is there anything else I need to do to make certificate revocation work?

username
  • Does the intermediate CA certificate contain a CDP extension with the proper CRL location? – Crypt32 Jun 21 '17 at 18:41
  • @Crypt32 Yes, both child and intermediate certificates have the same CDP extension. – username Jun 21 '17 at 20:10
  • What do you mean by "the same"? Both CDPs point to the same file? – Crypt32 Jun 21 '17 at 20:11
  • @Crypt32 Yes, the CDP definitions look the same, the URLs are identical. They point to the same file. – username Jun 21 '17 at 20:22
  • That's a problem. They should point to different files; each CRL must be signed by its respective authority. – Crypt32 Jun 21 '17 at 20:28
  • @Crypt32 I'm still having this problem even when I designate a separate CRL file for each authority. I made a simpler example with just one CA and one child cert. Am I missing any extensions in the CRL? Or could it be that I didn't sign it correctly, so it returns "server offline"? – username Jun 22 '17 at 17:04
  • `Missing Issuer: CN=MYROOTCERT` -- the certificate chaining engine cannot find the root certificate. Here is your issue. – Crypt32 Jun 22 '17 at 17:14
  • @Crypt32 Oh man, I'm an idiot, thank you. – username Jun 22 '17 at 21:48

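The diagnosis in the comments, as an added example that is not code from the question or from Crypt32: build the chain with .NET's X509Chain configured like certutil -verify -urlfetch (online CRL retrieval, root excluded) and read the status flags in order, first whether the chain reaches a trusted root at all, and only then the revocation flags, so a missing root is not mistaken for an offline CRL server. Assumes Windows PowerShell 5 or later (Cert: drive, `using namespace`); the leaf path is the one from the question.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not code from the question or the comments. Windows PowerShell 5+
# (Cert: drive, 'using namespace'). The leaf path is the one from the question.
function Test-ChainBeforeCrl {
    param([Parameter(Mandatory = $true)][string]$LeafPath)
    $leaf = [X509Certificate2]::new($LeafPath)

    # Build the chain like "certutil -verify -urlfetch": fetch CRLs online and check
    # every certificate except the root (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($leaf)

    # Fold the per-entry status list into a single X509ChainStatusFlags value.
    [X509ChainStatusFlags]$flags = [X509ChainStatusFlags]::NoError
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

    # Step 1: chain building. PartialChain/UntrustedRoot means the issuer is not in the
    # trusted store (the "Missing Issuer" line in the certutil output); the CRL is
    # irrelevant until that is fixed.
    $issuerInRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $leaf.Issuer })
    $partial = $flags.HasFlag([X509ChainStatusFlags]::PartialChain) -or $flags.HasFlag([X509ChainStatusFlags]::UntrustedRoot)

    # Step 2: only on a complete chain do these flags describe the CRL itself.
    $crlProblem = $flags.HasFlag([X509ChainStatusFlags]::OfflineRevocation) -or $flags.HasFlag([X509ChainStatusFlags]::RevocationStatusUnknown)

    # The CDP URL(s) the leaf advertises, to compare with the web server's access log.
    $cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | ForEach-Object { $_.Format($true).Trim() }

    $verdict = if ($partial) {
        'Chain does not reach a trusted root: import the issuer CA certificate before debugging the CRL.'
    } elseif ($crlProblem) {
        'Chain is trusted but the CRL at the CDP is unusable: confirm it is signed by this issuer and still valid.'
    } else {
        'Chain built and revocation status was determined.'
    }

    [pscustomobject]@{
        Built             = $built
        Issuer            = $leaf.Issuer
        IssuerInRootStore = $issuerInRootStore
        StatusFlags       = $flags
        CdpExtension      = ($cdp -join "`n")
        Verdict           = $verdict
    }
}

Test-ChainBeforeCrl -LeafPath 'C:\Share\mycerts\MYCHILDCERT.cer'
```

On the setup in the question, the result carries PartialChain with IssuerInRootStore false, which points at the trust store rather than at the CRL file, exactly as the certutil trace did.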