A question about executing Certification Services Monitor script...
- Hi all;
When I execute the Certification Services Monitor script on my Windows Server 2008 box, the following output appears:
C:\>cscript camonitor.vbs /CAAlive /CACertOK /CACRLOK /KRAOK
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
11/27/2009 11:44:21 PM certutil -ping:OK
11/27/2009 11:44:21 PM certutil -pingadmin:OK
11/27/2009 11:44:21 PM checking validity of CN=contoso-SERVER01-CA, DC=contoso, DC=com Serial Number:6306185397716BB74FF8060AE6B47895
11/27/2009 11:44:21 PM CA Cert OK
11/27/2009 11:44:22 PM Retrieve environment variable 'COMPUTERNAME':OK
11/27/2009 11:44:22 PM eventcreate /T ERROR /SO "CA Operations" /ID 100 /D "Error: failed to read at least one CDP from certificate:CN=SERVER01.contoso.com" /L Application:OK
11/27/2009 11:44:22 PM failed to read at least one CDP from certificate:CN=SERVER01.contoso.com
11/27/2009 11:44:22 PM No KRAs
C:\>
Although the output says that it "failed to read at least one CDP from certificate", the PKIView.msc utility does not show any error messages. Please look at the following figure:
http://cid-3a822dbb941c4298.skydrive.live.com/self.aspx/.Public/1.GIF
Any idea?
Thanks,
Reza
Answers
Either you have problems with your CRL publication scheduled tasks, your publication methods, or you are using a virtual machine and had it suspended.
All of your CRLs are expired (base and delta)
---------------- Certificate CDP ----------------
Expired "Base CRL (20)" Time: 0
[0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[0.0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[0.0.1] http://server01.contoso.com/CertEnroll/CERTServer+.crl
Expired "Base CRL (20)" Time: 0
[1.0] http://server01.contoso.com/CertEnroll/CERTServer.crl
Expired "Delta CRL (20)" Time: 0
[1.0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[1.0.1] http://server01.contoso.com/CertEnroll/CERTServer+.crl
---------------- Base CRL CDP ----------------
Expired "Delta CRL (20)" Time: 0
[0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[1.0] http://server01.contoso.com/CertEnroll/CERTServer+.crl
Run certutil -crl, make sure that it is copied to all locations (looks like the defaults) and try the certutil -verify -urlfetch again.
You should see that the revocation check passes.
Brian
Marked as answer by Joson ZhouMSFT, Moderator, Thursday, 3 December 2009 02:57
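The following PowerShell script is an added example, not part of the thread and not Microsoft's camonitor.vbs; it automates the check Brian's answer describes. In the certutil output further down, every CDP entry reports Expired and dwRevocationFreshnessTime is 143 days, so the newest CRL the chain engine could obtain was issued that long ago; the chain therefore ends in CERT_TRUST_IS_OFFLINE_REVOCATION and strict relying parties will reject the certificate. The script optionally re-issues the CRLs with certutil -crl, then downloads each HTTP CDP named in the leaf certificate, parses NextUpdate out of certutil -dump and flags expired CRLs, and finishes with certutil -verify -urlfetch. It assumes an elevated PowerShell session on the CA (or on a domain member that can reach the CDPs), certutil.exe on PATH, and the leaf certificate exported to .\server01.cer as in the thread; the file name and the output labels are the example's own. LDAP CDPs are skipped here and left to certutil's own check.

```powershell
<#
  Added example, not code from the thread or from camonitor.vbs.
  Assumptions: elevated PowerShell on the CA or a domain member, certutil.exe on
  PATH, leaf certificate exported to .\server01.cer (file name from the thread).
#>
param(
    [string]$LeafCert = '.\server01.cer',   # certificate whose CDPs are checked
    [switch]$Republish                      # also run "certutil -crl" first
)

function Get-CdpUrls {
    # Returns the distribution point URIs from the CDP extension (OID 2.5.29.31).
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return @() }           # no CDP extension at all: nothing to fetch
    # Windows renders the extension as text with one "URL=<uri>" line per distribution point
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-CrlNextUpdate {
    # Parses the NextUpdate field from "certutil -dump <crl>"; throws if the file is not a CRL.
    param([string]$CrlPath)
    foreach ($line in (certutil -dump $CrlPath)) {
        if ($line -match '^\s*NextUpdate:\s*(.+?)\s*$') {
            return [datetime]::Parse($Matches[1])
        }
    }
    throw "no NextUpdate in $CrlPath (certutil -dump did not recognise it as a CRL)"
}

if ($Republish) {
    # Publish a fresh base CRL (and delta CRL, if enabled) to every configured
    # CRL publication URL, i.e. the CertEnroll folder and the AD CDP container.
    certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -crl failed; check the CA service and the Application event log' }
}

$now = Get-Date
$web = New-Object System.Net.WebClient       # also works on PowerShell 2.0 (Server 2008)
foreach ($url in Get-CdpUrls $LeafCert) {
    if ($url -notmatch '^https?://') { Write-Output ('{0,-9} {1}' -f 'SKIP', $url); continue }
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
    try {
        $web.DownloadFile($url, $tmp)
        $next  = Get-CrlNextUpdate $tmp
        $state = if ($next -lt $now) { 'EXPIRED' } else { 'OK' }
        Write-Output ('{0,-9} NextUpdate={1:yyyy-MM-dd HH:mm}  {2}' -f $state, $next, $url)
    } catch {
        Write-Output ('{0,-9} {1}  {2}' -f 'FETCH-ERR', $_.Exception.Message, $url)
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# The final check Brian asks for: a chain build with URL retrieval. After a
# successful republish each CDP line should read "Verified" instead of "Expired"
# and the 0x80092013 (offline revocation server) error should be gone.
certutil -verify -urlfetch $LeafCert | Select-String 'Expired|Verified|Revocation|0x80092013|completed'
```

Run it first without -Republish to see the current state of the HTTP CDPs, then with -Republish; if a CDP still reports EXPIRED after certutil -crl succeeded, the CA is not writing to that publication location (share permissions, IIS virtual directory, or the CRL publication URL list), which is a separate fault from the scheduled publication itself.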
All replies
- Check the certificate server01.contoso.com referenced in the output. According to the error, you do not have any CDP extensions in this certificate.
Now, in addition:
- Make sure that you are running the script at an elevated command prompt.
- Make sure that if you use a proxy server, that the machine is configured to use the proxy server
If you can post the output of certutil -verify -urlfetch against the server01.contoso.com certificate, it would help diagnose the problem
Brian
- Thanks for your reply;
This is the output:
C:\>certutil -verify -urlfetch server01.cer
Issuer:
CN=CERTServer
DC=contoso
DC=com
Subject:
CN=SERVER01.contoso.com
Cert Serial Number: 13b2f7b4000000000003
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 143 Days, 22 Hours, 9 Minutes, 35 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 143 Days, 22 Hours, 9 Minutes, 35 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=CERTServer, DC=contoso, DC=com
NotBefore: 4/1/2009 8:05 PM
NotAfter: 4/1/2010 8:05 PM
Subject: CN=SERVER01.contoso.com
Serial: 13b2f7b4000000000003
SubjectAltName: Other Name:DS Object Guid=04 10 da f5 66 2e cf 7c d2 44 b7 47 e0 38 76 21 6b 5e, DNS Name=SERVER01.contoso.com
Template: DomainController
d4 83 a4 a9 8c fb 02 18 b9 6b 24 07 0b b8 80 1f b7 8e 1d c5
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] ldap:///CN=CERTServer,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (1)" Time: 0
[0.1] ldap:///CN=CERTServer,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (1)" Time: 0
[1.0] http://server01.contoso.com/CertEnroll/SERVER01.contoso.com_CERTServer.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (20)" Time: 0
[0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[0.0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[0.0.1] http://server01.contoso.com/CertEnroll/CERTServer+.crl
Expired "Base CRL (20)" Time: 0
[1.0] http://server01.contoso.com/CertEnroll/CERTServer.crl
Expired "Delta CRL (20)" Time: 0
[1.0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[1.0.1] http://server01.contoso.com/CertEnroll/CERTServer+.crl
---------------- Base CRL CDP ----------------
Expired "Delta CRL (20)" Time: 0
[0.0] ldap:///CN=CERTServer,CN=SERVER01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (20)" Time: 0
[1.0] http://server01.contoso.com/CertEnroll/CERTServer+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 20:
Issuer: CN=CERTServer, DC=contoso, DC=com
ef 9d 2a 62 93 37 fc 4b 37 4a 37 57 93 11 81 f8 40 b9 92 4a
Delta CRL 20:
Issuer: CN=CERTServer, DC=contoso, DC=com
d6 71 1a 4f 06 03 ea 8e 51 5a 81 3f 6c 43 90 07 33 02 ca 9f
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=CERTServer, DC=contoso, DC=com
NotBefore: 4/1/2009 6:05 AM
NotAfter: 4/1/2029 6:15 AM
Subject: CN=CERTServer, DC=contoso, DC=com
Serial: 69c2e35445470b8040472e88cf286fa4
Template: CA
e6 ed eb fe a3 4c 82 ab ba 8a 8b 86 63 82 5d 64 fe 5f 7d 9b
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
1f 03 1c bf ed 46 64 0b 21 93 71 d0 87 84 1e 4a 8e 87 1d c4
Full chain:
d9 7c 46 2d 2b 04 be 8c 15 ae 86 1e 87 cb e2 bc bc 01 75 e9
Issuer: CN=CERTServer, DC=contoso, DC=com
NotBefore: 4/1/2009 8:05 PM
NotAfter: 4/1/2010 8:05 PM
Subject: CN=SERVER01.contoso.com
Serial: 13b2f7b4000000000003
SubjectAltName: Other Name:DS Object Guid=04 10 da f5 66 2e cf 7c d2 44 b7 47 e0 38 76 21 6b 5e, DNS Name=SERVER01.contoso.com
Template: DomainController
d4 83 a4 a9 8c fb 02 18 b9 6b 24 07 0b b8 80 1f b7 8e 1d c5
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
C:\>
Thanks again.
-Reza