OCSP PKIView error and certsrv-url unsuccessful

Question: OCSP PKIView error and certsrv-url unsuccessful

  • 16 April 2012 14:43
     
     

    Hello Everyone,

    I've seen this post lots of times but I still can't figure out what the heck is going on with this OCSP configuration.

    Basically I have my Windows 2003 domain test.com

    1 standalone root CA on Windows 2008 R2

    2 enterprise CAs on Windows 2008 R2

    On each of those CA servers I installed an OCSP array member that I configured with one revocation configuration for each CA I have.

    I used simple DNS round robin to access one or the other array member.

    Everything seems to go smoothly until I end up with the PKI View below

    

    

    and the certutil -url below

    

    Can anyone help please?

    Thanks


    Hitch Bardawil

All Replies

  • 16 April 2012 17:07
     
     

    Can you give more details about your OCSP configuration, signing certificates and revocation config?

    /Hasain

  • 17 April 2012 9:11
     
     

    Hello,

    Thanks for helping,

    I have 2 enterprise subordinate PKIs on which I installed the OCSP role, so that I have an array member on each PKI server.

    I configured two revocation configurations: one for each CA.

    The revocation configuration is pretty standard:

    • Browse the CA in Active Directory
    • Automatically select a signing certificate
    • Use the default OCSP template in AD
    • Added the computer accounts to the OCSP template

    I basically followed the TechNet tutorial to the letter.

    Here is the certutil -verify -urlfetch result in case it might help:

    Issuer:
        CN=AFD-PKI-Technique
        DC=dev
        DC=active
    Subject:
        CN=afd.dev.Active
    Cert Serial Number: 1cd8b3e6000100000010

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 1 Days, 3 Minutes, 3 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 1 Days, 3 Minutes, 3 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=AFD-PKI-Technique, DC=dev, DC=active
      NotBefore: 16/04/2012 14:57
      NotAfter: 16/04/2014 14:57
      Subject: CN=afd.dev.Active
      Serial: 1cd8b3e6000100000010
      Template: AFD Web Server
      c7 40 0b d2 b7 50 00 d3 00 55 43 3a d8 b1 bb 75 ce a6 39 52
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Wrong Issuer "Certificate (0)" Time: 0
        [0.0] ldap:///CN=AFD-PKI-Technique,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?cACertificate?base?objectClass=certificationAuthority

      Verified "Certificate (1)" Time: 0
        [0.1] ldap:///CN=AFD-PKI-Technique,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?cACertificate?base?objectClass=certificationAuthority

      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (0a)" Time: 0
        [0.0] ldap:///CN=AFD-PKI-Technique(1),CN=FRPARDEV168,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?certificateRevocationList?base?objectClass=cRLDistributionPoint

      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      Unsuccessful "OCSP" Time: 0
        [0.0] http://ocsp.dev.active/ocsp

      --------------------------------
        CRL 0a:
        Issuer: CN=AFD-PKI-Technique, DC=dev, DC=active
        f4 ec d9 5e 60 36 4b 19 67 02 b4 66 36 e7 ba 5d 45 8f e7 19
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=AFD-ROOT-CA, DC=dev, DC=active
      NotBefore: 13/04/2012 17:45
      NotAfter: 13/04/2032 14:50
      Subject: CN=AFD-PKI-Technique, DC=dev, DC=active
      Serial: 18565f0c00000000000a
      Template: SubCA
      39 9e dd 92 97 e7 30 32 18 33 11 1b d7 23 73 00 94 76 04 60
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] ldap:///CN=AFD-ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?cACertificate?base?objectClass=certificationAuthority

      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (02)" Time: 0
        [0.0] ldap:///CN=AFD-ROOT-CA,CN=FRPARDEV167,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?certificateRevocationList?base?objectClass=cRLDistributionPoint

      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      Verified "OCSP" Time: 0
        [0.0] http://ocsp.dev.active/ocsp

      --------------------------------
        CRL 02:
        Issuer: CN=AFD-ROOT-CA, DC=dev, DC=active
        d2 08 3a ac b5 57 b5 b3 eb 2d 91 83 f7 ca 24 fc 92 58 ea be

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=AFD-ROOT-CA, DC=dev, DC=active
      NotBefore: 13/04/2012 14:40
      NotAfter: 13/04/2032 14:50
      Subject: CN=AFD-ROOT-CA, DC=dev, DC=active
      Serial: 61da541b9714d3bb4d4dcc18ea7690af
      Template: CA
      26 6e b3 04 3e 72 ad 18 82 77 0c a0 29 af 6c 7e 84 16 ef 4a
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      51 1b 7d ba e2 57 c5 3c 9c a5 80 17 50 fa 6c 1d 47 6a bb fd
    Full chain:
      c2 50 c6 59 d3 04 2d 76 05 0e c8 f1 ba 67 ec 5b dc d3 56 b4
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    Thanks



    Hitch Bardawil


    • Edited by HitchB52 17 April 2012 9:12
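The certutil -verify -urlfetch dump above follows a regular layout: one CertContext block per chain element, a header per AIA/CDP/OCSP section, a status line per fetch attempt and the URL beneath it. As an added example (my code, not from the thread or from certutil), the small Python parser below walks that layout and reports the sections in which no URL at all verified, which for this dump is the leaf certificate's OCSP section, the same failure PKIView shows; the sample text is constructed to mirror the posted output, with the LDAP paths abbreviated.

```python
import re

# Constructed sample mirroring the certutil -verify -urlfetch layout from the thread (LDAP paths abbreviated).
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=afd.dev.Active
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0
    [0.0] ldap:///CN=AFD-PKI-Technique,CN=AIA,DC=dev,DC=active?cACertificate
  Verified "Certificate (1)" Time: 0
    [0.1] ldap:///CN=AFD-PKI-Technique,CN=AIA,DC=dev,DC=active?cACertificate
  ----------------  Certificate OCSP  ----------------
  Unsuccessful "OCSP" Time: 0
    [0.0] http://ocsp.dev.active/ocsp
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=AFD-PKI-Technique, DC=dev, DC=active
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.dev.active/ocsp
"""

SECTION_RE = re.compile(r"^-+\s+(.*?)\s+-+$")                  # "----  Certificate OCSP  ----"
STATUS_RE = re.compile(r'^(\w[\w ]*?) "([^"]*)" Time: (\d+)$')  # 'Unsuccessful "OCSP" Time: 0'
URL_RE = re.compile(r"^\[\d+\.\d+\] (\S+)$")                    # "[0.0] http://..."

def parse_urlfetch(text):
    """Return a list of (subject, section, status, url) for every URL certutil tried to fetch."""
    results, subject, section, status = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CertContext["):          # next element of the chain
            subject = section = status = None
        elif line.startswith("Subject:"):
            subject = line.split(":", 1)[1].strip()
        elif (m := SECTION_RE.match(line)):          # AIA / CDP / OCSP block header
            section, status = m.group(1), None
        elif (m := STATUS_RE.match(line)):           # Verified, Unsuccessful, Wrong Issuer, ...
            status = m.group(1)
        elif (m := URL_RE.match(line)) and section and status:
            results.append((subject, section, status, m.group(1)))
    return results

def failing_sections(text):
    """(subject, section) pairs in which not a single URL verified: the entries PKIView flags.
    A 'Wrong Issuer' next to a 'Verified' AIA entry is not a failure, so we judge per section."""
    by_section = {}
    for subject, section, status, _url in parse_urlfetch(text):
        by_section.setdefault((subject, section), []).append(status)
    return sorted(key for key, statuses in by_section.items() if "Verified" not in statuses)
```

Feed it the full output of `certutil -verify -urlfetch <cert.cer>` from a client and an empty list means every AIA, CDP and OCSP location in the chain was reachable from that machine.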
  • 17 April 2012 22:51
    Moderator
     
     
  • 19 April 2012 8:42
     
     

    I made sure the checkbox was not selected during my configuration,

    but I still cannot solve this problem...

    I turned on the CAPI logs and found these errors:

    CAPI2 event ID 11 and 41 with the below details

    RevocationResult: The revocation function was unable to check revocation because the revocation server was offline.

    Hope this helps you figure out the damned problem :s


    Hitch Bardawil

  • 19 April 2012 9:48
     
     

    Hey guys,

    Just wanted to add something I just noticed,

    As I told you before, my OCSP scenario involves two PKI servers:

    PKI 1: is for delivering technical certificates

    PKI 2: is for user certificates

    I configured each of those servers as an OCSP array.

    When I add the revocation configuration for my PKI 1, everything is fine;

    however, when I add the revocation configuration of the second PKI, this is when everything stops working...



    Hitch Bardawil

  • 19 April 2012 22:38
    Moderator
     
     

    I spoke with the product team PM and there are a couple of outstanding questions here:

    1. What do you mean by "stop working"?

    2. Are you saying that when you add the URL for OCSP on the second issuing CA that is when it stops showing up appropriately in PKI View?

  • 20 April 2012 8:55
     
     

    Hello Kurt,

    Thanks for your time,

    I kept on trying, and finally, by just deleting both revocation rules and recreating them, it seems that the PKIView error disappears.

    Very weird, since I had to do it a couple of times before it worked out...

    Thank you


    Hitch Bardawil

  • 20 April 2012 16:14
    Moderator
     
     

    Glad you got it working - strange issue. I have seen PKIView show that revocation wasn't working before, but everything was actually fine. I wouldn't have expected that you would get the other errors though. Anyways, that is good. I proposed your post as the answer, since it was essentially a try again fix.

    I did want to mention that the way you are setting this revocation up is a bit unexpected. Typically, people who are using OCSP have a large number of expected revocations. Since the CAs are used for issuing certificates, people typically separate the revocation role from the issuance role. Meaning that you would use a separate web server (or servers in your case) to run OCSP. This keeps the revocation lookup traffic off of the CA. This is also the same for CDP hosted on a Web server. As a matter of fact, you might choose to use the Web server hosting the CDP as the same one running OCSP.

    My guess is that you are just doing this in a lab for testing purposes right now. I am just mentioning this as a design item for a production implementation.

    Anyways, glad you got it working!

  • 20 April 2012 17:53
     
     

    Hi Kurt,

    Just wanted to pipe in here. I agree with everything you have stated except "you might choose to use the Web server hosting the CDP as the same one running OCSP".

    This would not be one of my recommendations. Remember that the default behavior for Windows Vista and later clients is to first use OCSP for revocation checking, and if not available, fall back to CDP/AIA revocation checking. If you put the OCSP responder on the same servers hosting the CDP/AIA, you are setting up a single point of failure. If the server fails, then you cannot access both OCSP and CDP/AIA.

    Brian

  • 20 April 2012 18:14
    Moderator
     
     
    Good point! Thanks for adding that bit of information for the design perspective.
  • 20 April 2012 19:20
     
     

    Thanks Kurt. I hope I did not sound like I was correcting you, just wanted to add to the discussion ;-)

    Brian

  • 25 April 2012 11:36
     
     

    Thanks for the great advice guys!


    Hitch Bardawil

  • 02 May 2012 9:50
     
     

    Hello Guys,

    Sorry to bother you with the same issue again, but I left the OCSP for a few days and when I came back the PKI View error is back :s

    Any idea on the reason???

    Thanks!


    Hitch Bardawil

  • 03 May 2012 14:18
     
     
    No ideas? Anyone? :s

    Hitch Bardawil