TLS certificate validation - RevocationOffline

  • Saturday, 16 June 2012 07:20

    Hi,

    I am setting up an Edge Transport server without using EdgeSync. I have successfully enabled TLS certificates on both internal Hub Transport Servers, and also on the Edge Transport server, using my Internal PKI. For the edge server, I have imported the Trusted Root CA certificate chain from my PKI.

    I can send email externally OK. However, when I receive email from the internet and the Edge relays to the Hub, I receive an error that the Edge Transport cannot validate the certificate of the Hub; specifically, the error is "RevocationOffline".

    I have checked the certificates on all servers, and they have LDAP, HTTP and File "CRL Distribution Points" defined.

    On the CA, I note that for the HTTP CDP, the option to "Publish CRLs to this location" is greyed out. However, the options for "Include in CRLs" and "Include in the CDP extension of issued certificates" are ticked. For file, everything except the last and second option is ticked. For LDAP, all but the last option is ticked.

    I have allowed, and confirmed, access to the HTTP location and also the file location from the Edge server. However, I still receive the error "RevocationOffline".

    How come the option to publish to the HTTP CDP is greyed out? This is my next thought of where the problem lies.

    Does anyone have any other ideas or solutions?

All replies

  • Saturday, 16 June 2012 07:29

    I have checked in pkiview.msc that both the CRL and Delta CRL CDP are OK.

    I can browse to both HTTP locations from the Edge Transport server. However, only the CRL location is in the certificate; I assume this is used to find the delta HTTP URL.

    When I download the CRL or Delta CRL file and look at the "Published CRL Locations" field, I only see the LDAP URL. Is this normal?

    Any ideas, why the Edge server still cannot check the revocation status?



    • Edited by Merlus Saturday, 16 June 2012 07:33 clarity
  • Saturday, 16 June 2012 22:55

    When I export the cert of the Hub, copy it to the Edge and run

    certutil -verify -urlfetch cert.cer

    It says Failed "CDP", which is the LDAP path.

    It then says Verified "Base CRL (02)", which is the HTTP path.

  • Sunday, 17 June 2012 08:25

    In regards to publishing CRL to HTTP CDP, ADCS does not support publishing to HTTP CDP and you need to make sure the CRL files are copied to the designated web server/site.

    The "Published CRL Location" path is not used during the validation and for delta CRL the "Freshest CRL" path is used to locate and download the delta. Make sure at least one CDP URL is reachable from the edge server and that the freshest CRL files are automatically published/copied to that location.

    Are you using any HTTP proxy to access web resources when logged in as a user?

    /Hasain

  • Sunday, 17 June 2012 09:04

    Thanks for the reply.

    HTTP URL is accessible from Edge server. No proxy is being used, the Edge server is in DMZ and HTTP traffic is routed to the internal CRL.

    Below is the output of running certutil -verify -urlfetch on the Edge server. As you can see, this command says it successfully verifies. All that I can think is that it is failing on the LDAP paths and for some reason is not trying the HTTP URLs.

    Are you able to see anything else wrong with the output?

    C:\Users\Administrator>certutil -verify -urlfetch c:\exchange.cer
    Issuer:
        CN=SUBCA
        DC=company
        DC=net
        DC=au
    Subject:
        CN=mail.company.net.au
        OU=IT
        O=company
        L=Brisbane
        S=QLD
        C=AU
    Cert Serial Number: 61f95c1e000000000008

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 6 Hours, 8 Minutes, 18 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 6 Hours, 8 Minutes, 18 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=SUBCA, DC=company, DC=net, DC=au
      NotBefore: 17/06/2012 5:38 PM
      NotAfter: 17/06/2014 5:38 PM
      Subject: CN=mail.company.net.au, OU=IT, O=company, L=Brisbane, S=QLD, C=AU
      Serial: 61f95c1e000000000008
      SubjectAltName: DNS Name=mail.company.net.au, DNS Name=autodiscover.company.net.
    au, DNS Name=servername1.company.net.au, DNS Name=servername2.company.net.au
      Template: WebServer
      7b 68 57 a7 97 21 49 de a6 11 ff 7d 80 1a 37 2e b8 8d fa d0
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Failed "AIA" Time: 0
        Error retrieving URL: The specified network resource or device is no longer
    available. 0x80070037 (WIN32: 55)
        ldap:///CN=SUBCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configurat
    ion,DC=company,DC=net,DC=au?cACertificate?base?objectClass=certificationAuthority


      Verified "Certificate (0)" Time: 0
        [1.0] http://servername.company.net.au/CertEnroll/servername.company.net.au_SUBCA.
    crt

      ----------------  Certificate CDP  ----------------
      Failed "CDP" Time: 0
        Error retrieving URL: The specified network resource or device is no longer
    available. 0x80070037 (WIN32: 55)
        ldap:///CN=SUBCA,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
    N=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?objectClas
    s=cRLDistributionPoint

      Verified "Base CRL (03)" Time: 0
        [1.0] http://servername.company.net.au/CertEnroll/SUBCA.crl

      Verified "Delta CRL (03)" Time: 0
        [1.0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl

      ----------------  Base CRL CDP  ----------------
      OK "Delta CRL (03)" Time: 0
        [0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl

      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
        CRL 03:
        Issuer: CN=SUBCA, DC=company, DC=net, DC=au
        f2 00 a7 e8 f7 89 3c fa ad 47 42 1e 15 d9 8c a8 4d 87 29 40
        Delta CRL 03:
        Issuer: CN=SUBCA, DC=company, DC=net, DC=au
        96 dc 5b 4b e3 f6 c5 3a 0e 46 96 2e 15 1d c9 e0 d6 4b 86 b9
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=company-ROOTCA
      NotBefore: 17/06/2012 1:19 PM
      NotAfter: 17/06/2022 1:29 PM
      Subject: CN=SUBCA, DC=company, DC=net, DC=au
      Serial: 122c101c000000000003
      Template: SubCA
      36 36 47 1f da 7e c4 bc 2e 51 fd 06 27 c7 38 93 49 b4 5c 31
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Failed "AIA" Time: 0
        Error retrieving URL: The specified network resource or device is no longer
    available. 0x80070037 (WIN32: 55)
        ldap:///CN=company-ROOTCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Co
    nfiguration,DC=company,DC=net,DC=au?cACertificate?base?objectClass=certificationA
    uthority

      Verified "Certificate (0)" Time: 0
        [1.0] http://servername.company.net.au/CertEnroll/ROOTCA_company-ROOTCA.crt

      ----------------  Certificate CDP  ----------------
      Failed "CDP" Time: 0
        Error retrieving URL: The specified network resource or device is no longer
    available. 0x80070037 (WIN32: 55)
        ldap:///CN=company-ROOTCA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Serv
    ices,CN=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?obje
    ctClass=cRLDistributionPoint

      Verified "Base CRL (05)" Time: 0
        [1.0] http://servername.company.net.au/CertEnroll/company-ROOTCA.crl

      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
        CRL 05:
        Issuer: CN=company-ROOTCA
        60 49 94 04 05 fe 8d bd 7b 5a dc 91 28 82 f0 87 20 f4 16 2f

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=company-ROOTCA
      NotBefore: 29/12/2011 10:52 PM
      NotAfter: 29/12/2031 11:02 PM
      Subject: CN=company-ROOTCA
      Serial: 494184a83f01338441f6f4e4af188328
      6f 7f df 5c 97 05 35 46 4a d1 c5 1e a0 a7 08 d7 23 3f 13 0b
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      05 80 ff 77 17 b0 e6 07 75 77 1e ec fe 86 03 37 69 ce cb bc
    Full chain:
      7a e3 77 48 e8 66 f4 03 2d a6 ee b0 26 0c 25 59 de 04 1f 8d
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

  • Tuesday, 19 June 2012 10:14
    Any ideas?
  • Wednesday, 27 June 2012 02:30
    Moderator

    Hello,

    Thank you for your post.

    This is a quick note to let you know that we are performing research on this issue.

    Best Regards

    Elytis Cheng

    TechNet Community Support

  • Thursday, 28 June 2012 15:39
     Proposed answer

    Hi,

    Have you checked the permission on the HTTP CRL file? When running the certutil -urlfetch command, you provided your user credential to check the revocation, but in the normal situation it should check the computer's permission for the CRL file. Hope this helps.

    Regards,

    Denny


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
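One way to replay the Edge server's check from the context Denny describes, and to walk the CDP and Freshest CRL extensions Hasain mentions: this is an added PowerShell example, not code from the thread, and it assumes the exported Hub certificate sits at C:\exchange.cer and that you start the shell as SYSTEM (for instance with Sysinternals psexec) to get the computer context.

```powershell
# Added example, not from the thread: replay the Edge server's revocation check for an
# exported Hub Transport certificate under the account the check really runs as.
# Start the shell as SYSTEM (e.g. Sysinternals "psexec -s -i powershell.exe") so that
# the URL fetches use the computer context rather than the logged-on user's.
param([string]$CertPath = 'C:\exchange.cer')   # path is an assumption; adjust as needed

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 = CRL Distribution Points (base CRL), 2.5.29.46 = Freshest CRL (delta CRL).
# The delta is located through Freshest CRL, not through "Published CRL Locations".
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $true        # authenticate as the running account if challenged
foreach ($oid in '2.5.29.31', '2.5.29.46') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { Write-Host "No extension $oid in certificate"; continue }
    Write-Host "`n== $($ext.Oid.FriendlyName) =="
    # Format() renders the extension as text with one "URL=..." entry per distribution point
    $urls = [regex]::Matches($ext.Format($true), '(?i)(https?|ldap)://\S+') |
            ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        if ($url -notmatch '^https?://') {
            Write-Host "  skip (LDAP; fails from a non-domain host, as in the certutil trace): $url"
            continue
        }
        try {
            $bytes = $web.DownloadData($url)
            Write-Host ("  OK   {0} bytes  {1}" -f $bytes.Length, $url)
        } catch [System.Net.WebException] {
            Write-Host ("  FAIL {0}  {1}" -f $_.Exception.Message, $url)
        }
    }
}

# Build the chain the way CryptoAPI does for Exchange: online revocation checking for every
# certificate except the root (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT in the trace).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
$built = $chain.Build($cert)
Write-Host "`nChain build succeeded: $built"
foreach ($status in $chain.ChainStatus) {
    # OfflineRevocation / RevocationStatusUnknown here is the condition Exchange reports
    # as RevocationOffline: no CRL for some chain element could be fetched in this context.
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
if (-not $chain.ChainStatus) { Write-Host "  No chain status errors: revocation check passed" }
```

Run it once as your own user and once as SYSTEM and compare the FAIL lines and chain status; running certutil -urlcache * delete first clears cached CRLs so each fetch is real.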

  • Friday, 13 July 2012 17:00

    Hi,

    Is there any update on our issue?

    Regards,

    Denny


  • Sunday, 29 July 2012 08:41

    How do I grant the edge computer account access to the CRL if it is not in the domain? Just use Everyone read?

    I got around the issue temporarily using self-signed certificates. This was merely a test; I guess in the real world, if I wasn't using EdgeSync, I would purchase real certificates, but I still would have expected this to work. If I get some time, I will try again.


    • Edited by Merlus Sunday, 29 July 2012 08:46 ...
  • Wednesday, 1 August 2012 13:10

    Hi,

    Do you mean the web server hosting the CDP location or the edge server is not in the domain?

    Regards,

    Denny


  • Monday, 20 August 2012 22:45

    Yes, the Edge server is not supposed to be a member of the domain, which is why you would usually use EdgeSync. I am testing setting up the Edge server without EdgeSync.