The signature of the certificate cannot be verified. Win 2008 CA

All replies

  • Used PKIVIEW.msc on a Windows 2003 server; everything was okay. Just the Delta CRLs were showing as expiring.


    Manoj
    Wednesday, September 14, 2011 3:18 PM
  • How did you issue and install the certificate? How does the certificate behave when looking at it on the CA, if you simply verify the cert and dump its content using certutil on the CA server?

    /Hasain

    Wednesday, September 14, 2011 4:54 PM
  • This setting causes this issue: certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
    You must disable alternate signature algorithms and re-issue the end certificate.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    • Proposed as answer by Hasain AlshakartiMVP Wednesday, September 14, 2011 5:57 PM
    • Marked as answer by ManojVer Wednesday, September 14, 2011 6:41 PM
    Wednesday, September 14, 2011 5:53 PM
  • Issued the certificate via Web (http://server/CertSrv). Saved that as a .p7b and installed it on the server via the Certificates MMC. The certificate looks good on the CA server.

    Output of CERTUTIL -VERIFY at Issuing CA:

      Issuer:
          CN=DOMAIN Issuing CA
          DC=CHILD
          DC=DOMAIN
          DC=ad
      Subject:
          E=EMAILID@na.DOMAIN.com
          CN=SERVERVPN002.CHILD.DOMAIN.ad
          OU=SALES
          O=DOMAIN Technologies
          L=Milton
          S=GA
          C=US
      Cert Serial Number: 142661aa000000000004

      dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
      dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
      ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
      HCCE_LOCAL_MACHINE
      CERT_CHAIN_POLICY_BASE
      -------- CERT_CHAIN_CONTEXT --------
      ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ChainContext.dwRevocationFreshnessTime: 5 Days, 1 Hours, 9 Minutes, 20 Seconds

      SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      SimpleChain.dwRevocationFreshnessTime: 5 Days, 1 Hours, 9 Minutes, 20 Seconds

      CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
        Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
        NotBefore: 9/9/2011 2:26 PM
        NotAfter: 9/8/2013 2:26 PM
        Subject: E=EMAILID@na.DOMAIN.com, CN=SERVERVPN002.CHILD.DOMAIN.ad, OU=SALES, O=DOMAIN Technologies, L=Milton, S=GA, C=US
        Serial: 142661aa000000000004
        Template: 1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
        2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
        Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
        Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
          CRL 6:
          Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
          b7 47 1c f9 eb ee e0 4d 5d cb 75 04 e8 92 51 33 15 2a b8 29
          Delta CRL 10:
          Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
          f4 aa 42 4a 05 1d 3e 35 c5 9f 49 0b 77 c9 19 ea d7 99 7f e7
        Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
        Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

      CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
        Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
        NotBefore: 9/9/2011 1:20 PM
        NotAfter: 9/9/2021 1:30 PM
        Subject: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
        Serial: 13ea9a52000000000002
        Template: SubCA
        a5 3f f1 4b 80 f9 b1 c1 e1 f8 02 6b c7 de 08 e3 f0 c6 57 06
        Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
        Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
          CRL 5:
          Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
          d3 c4 34 40 e9 e7 ac 92 41 73 df e7 90 4e f3 85 59 5f 01 5a
        Issuance[0] = 1.3.6.1.4.1.311.21.8.2.840.113556.1.8000.1.402

      CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
        Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
        NotBefore: 9/8/2011 7:27 PM
        NotAfter: 9/8/2031 7:37 PM
        Subject: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
        Serial: 5cd703e9a488d8aa463b9999976fd21a
        ea c2 7f 95 36 ea cb dd c8 b1 f3 a6 c2 68 ac b7 16 15 11 7b
        Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
        Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
        Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

      Exclude leaf cert:
        af e6 1e a5 a3 11 f0 d0 56 9f 10 6f f6 86 87 0a 69 f7 fc 77
      Full chain:
        c8 f2 a7 80 de f7 1f 3e 52 9e f9 57 17 f7 f5 2a cb 25 dd 1a
      ------------------------------------
      Verified Issuance Policies: None
      Verified Application Policies:
          1.3.6.1.5.5.7.3.1 Server Authentication
          1.3.6.1.5.5.7.3.2 Client Authentication
      Leaf certificate revocation check passed
      CertUtil: -verify command completed successfully.

    Output of CertUtil -dump at Issuing CA:

      X509 Certificate:
      Version: 3
      Serial Number: 142661aa000000000004
      Signature Algorithm:
          Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
          Algorithm Parameters:
          30 00
      Issuer:
          CN=DOMAIN Issuing CA
          DC=CHILD
          DC=DOMAIN
          DC=ad

      NotBefore: 9/9/2011 2:26 PM
      NotAfter: 9/8/2013 2:26 PM

      Subject:
          E=EMAILID@na.DOMAIN.com
          CN=SERVERVPN002.CHILD.DOMAIN.ad
          OU=SALES
          O=DOMAIN Technologies
          L=Milton
          S=GA
          C=US

      Public Key Algorithm:
          Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
          Algorithm Parameters:
          05 00
      Public Key Length: 2048 bits
      Public Key: UnusedBits = 0
          0000  30 82 01 0a 02 82 01 01  00 c1 5e 03 a0 62 ed db
          0010  e1 24 81 06 d6 8b 89 32  e4 5b 01 c4 a0 9f bd ec
          0020  24 67 e7 74 ee 7a dd 3a  1d 3b 8b 7b 00 44 21 a3
          0030  83 78 67 75 47 c0 3d 61  ae 72 e0 ec 8f f1 22 72
          0040  9e d9 95 5b 61 ce 0a a7  93 24 f5 f3 42 05 36 86
          0050  25 d1 4f 36 da bc 21 c1  fe 13 d1 c5 34 d7 2e 18
          0060  60 a3 77 92 95 be ac ab  47 52 b0 e7 42 a6 f2 6e
          0070  d9 75 23 26 57 89 c7 24  16 29 3b 08 51 a7 ba ae
          0080  bb 9b 9c 12 82 12 bc 8d  1d fc 5c 26 d9 e1 df 5d
          0090  ac ef d2 7a f1 d9 b8 35  87 b5 e8 53 41 56 61 82
          00a0  4f 1b 65 2f cd 15 df 40  c9 42 7c 78 61 da 45 d2
          00b0  52 7c 18 c9 d9 6f 1f ed  c5 46 b5 26 7b 7e 9f a7
          00c0  4c 9e 07 fa 85 7f 4c e4  44 4b 8c 70 d1 b8 66 47
          00d0  c7 d5 96 e2 16 85 98 0b  5d c4 cd 44 85 11 00 c5
          00e0  40 ea 93 c1 dc b4 60 a7  73 8d 49 78 74 3b 8a fe
          00f0  2b 26 99 16 96 1a d5 d2  58 8a 90 68 86 df ea 34
          0100  cf 86 5c 09 42 44 2f bb  e3 02 03 01 00 01
      Certificate Extensions: 8
          2.5.29.15: Flags = 1(Critical), Length = 4
          Key Usage
              Digital Signature, Key Encipherment (a0)

          2.5.29.14: Flags = 0, Length = 16
          Subject Key Identifier
              de 22 a0 21 8d 83 a5 ca f7 3e fc 66 ad 6f b3 0a 11 89 ac 1c

          1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2e
          Certificate Template Information
              Template=1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
              Major Version Number=100
              Minor Version Number=4

          2.5.29.35: Flags = 0, Length = 18
          Authority Key Identifier
              KeyID=63 22 90 af 78 31 a0 ff 15 d5 a4 db 67 52 00 b1 53 43 81 4c

          2.5.29.31: Flags = 0, Length = 158
          CRL Distribution Points
              [1]CRL Distribution Point
                   Distribution Point Name:
                        Full Name:
                             URL=ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint
                             URL=http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
                             URL=http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl

          1.3.6.1.5.5.7.1.1: Flags = 0, Length = 190
          Authority Information Access
              [1]Authority Info Access
                   Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                   Alternative Name:
                        URL=ldap:///CN=DOMAIN%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?cACertificate?base?objectClass=certificationAuthority
              [2]Authority Info Access
                   Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                   Alternative Name:
                        URL=http://cert.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
              [3]Authority Info Access
                   Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                   Alternative Name:
                        URL=http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt

          2.5.29.37: Flags = 0, Length = 16
          Enhanced Key Usage
              Server Authentication (1.3.6.1.5.5.7.3.1)
              Client Authentication (1.3.6.1.5.5.7.3.2)

          1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1a
          Application Policies
              [1]Application Certificate Policy:
                   Policy Identifier=Server Authentication
              [2]Application Certificate Policy:
                   Policy Identifier=Client Authentication

      Signature Algorithm:
          Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
          Algorithm Parameters:
          30 00
      Signature: UnusedBits=0
          0000  1f 12 2c 7a ec 3b d4 79  1a 80 2f 30 80 2d b4 90
          0010  ba 80 35 cb de 94 91 db  21 9b 81 4a 37 e7 75 20
          0020  58 12 57 a5 b4 1d a6 0e  ed 20 44 d2 de 93 33 14
          0030  d0 6f d7 c1 bb c0 a3 59  ef fc 3f ac 14 7e fd 30
          0040  3e bd 94 ea 3c a9 3e a1  a7 12 1c 0b b4 5b 89 ce
          0050  68 53 0b bc f2 6e 86 b6  21 77 d4 4a ad 26 48 46
          0060  45 f7 0b d7 09 b4 c7 88  40 fd 18 83 66 0c 3c a9
          0070  56 ee 33 38 ae 17 c5 38  c8 f3 fb f8 97 02 fe 53
          0080  84 7f 2e 69 87 d5 16 d7  a5 fa ec e7 dc 3f 77 d6
          0090  23 d7 07 2b ae a2 54 9b  c6 14 c2 28 ff 7b 21 11
          00a0  12 20 5c c5 96 90 d0 64  91 8b af 2c 6f d6 bb 79
          00b0  96 89 a3 90 b1 2b 66 d6  c8 6f 00 6d 1a 7a c7 80
          00c0  a0 08 8d 94 88 df cc 60  94 96 00 6d ab 67 e3 66
          00d0  72 dd ae d5 25 34 7c 42  06 18 20 36 c4 bb d2 98
          00e0  b1 a5 fd 9e a1 f1 ad 7f  a2 b9 14 a4 ab 8e fe 26
          00f0  b4 25 3b 57 27 f2 31 31  5e d7 75 42 50 0b b7 64
      Non-root Certificate
      Key Id Hash(rfc-sha1): 03 ed 0c 33 76 78 a8 68 3a a5 71 ce 63 c8 50 fc 27 dc c5 96
      Key Id Hash(sha1): de 22 a0 21 8d 83 a5 ca f7 3e fc 66 ad 6f b3 0a 11 89 ac 1c
      Cert Hash(md5): 82 77 14 5f ff 9d d4 cf 2b ad c3 da 86 e5 fe 38
      Cert Hash(sha1): 2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
      CertUtil: -dump command completed successfully.

    Another observation: my RADIUS server is published in AD and has ENROLL and READ permission on the template. When I try to request a certificate via MMC > Certificates (my computer) > Personal > Request new certificate, I get the error:

    The wizard cannot be started because of one or more of the following conditions:
    - There are no trusted certification authorities (CAs) available.
    - You do not have the permissions to request certificates from the available CAs.
    - The available CAs issue certificates for which you do not have permissions.

    Though I have checked http://support.microsoft.com/kb/927066 and will try the solution, I just wanted to mention it in case it is related.



    Manoj
    Wednesday, September 14, 2011 5:57 PM
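The dump above already contains the diagnosis: the outer Signature Algorithm is 1.2.840.113549.1.1.10 RSASSA-PSS with empty parameters (30 00), which is what the CA emits once CA\csp\AlternateSignatureAlgorithm is set to 1. certutil -verify on the CA succeeds because the Windows chain engine supports PSS; a peer that has to validate the certificate without PSS support reports exactly "the signature of the certificate cannot be verified". The script below is an added example, not code from this thread or from Microsoft: a minimal pure-Python DER walker that reads the outer signatureAlgorithm of a DER-encoded certificate and flags PSS, so the check can be run on any host without certutil. The sample inputs are constructed skeletons that carry the same AlgorithmIdentifier bytes as the dump; they are not real certificates, and the file name in the usage line is an assumption.

```python
"""Report the signature algorithm of a DER certificate (added example for this thread).

Does what the outer "Signature Algorithm" block of certutil -dump does, on any host:
walks Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and reports the AlgorithmIdentifier OID, flagging RSASSA-PSS.
"""
import sys

# Signature algorithm OIDs as certutil names them (PKCS#1 / RFC 4055).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
PSS_OID = "1.2.840.113549.1.1.10"


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Convert OID content octets to dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (oid, parameter bytes) of the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)        # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(body, pos)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, pos = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid), alg_id[pos:]


def describe(cert_der):
    """One-line verdict; PSS is the case the thread's AlternateSignatureAlgorithm=1 produces."""
    oid, params = signature_algorithm(cert_der)
    name = SIG_OIDS.get(oid, "unknown")
    if oid != PSS_OID:
        return f"{oid} {name}"
    # "30 00" is an empty RSASSA-PSS-params SEQUENCE: every field takes its
    # RFC 4055 default (SHA-1, MGF1 with SHA-1, saltLength 20, trailerField 1).
    detail = "default params" if params == b"\x30\x00" else "explicit params"
    return f"{oid} {name} [{detail}] - peers without PSS support cannot verify this"


def der(tag, content):
    """Encode one DER TLV; only used to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def skeleton(oid_hex, params):
    """Constructed sample: placeholder tbsCertificate and dummy signature around a
    real AlgorithmIdentifier. Not a valid certificate, only the outer shape."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + params)
    sig = der(0x03, b"\x00" + bytes(256))
    return der(0x30, tbs + alg + sig)


# PSS with params 30 00, exactly as in the thread's dump, and the sha1RSA
# AlgorithmIdentifier (NULL params, 05 00) a SHA-1 CA emits with the setting off.
PSS_CERT = skeleton("2a864886f70d01010a", b"\x30\x00")
SHA1_CERT = skeleton("2a864886f70d010105", b"\x05\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PSS_CERT
    print(describe(data))
```

Run it as `python pss_check.py SERVERVPN002.cer` (file name assumed) against the DER export of the failing certificate; on the certificate dumped above it reports RSASSA-PSS with default params. After setting the value back with `certutil -setreg CA\csp\AlternateSignatureAlgorithm 0` and restarting Active Directory Certificate Services, re-issue the end-entity certificate and run the check again; a certificate that still shows 1.2.840.113549.1.1.10 was signed before the change took effect.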
  • This setting causes this issue: certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
    You must disable alternate signature algorithms and re-issue the end certificate.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Agree with Vadims, totally missed the AlternateSignatureAlgorithm!

    /Hasain 

    Wednesday, September 14, 2011 6:00 PM