MS Online Responder integrate with 3rd party CA system, error

  • Question

  • Hi all,
    Please allow me to explain my background. I want to integrate my own CA system with the MS Online Responder service. Following the official reference, I cannot connect my own CA system to the MS Online Responder. In particular, I manually added the AIA to the issuing CA certificate.
    My question is that I CANNOT retrieve the state of the certificate.
    RICSR-2k-3.der is a certificate in the CRL; I have already revoked it.
    I used the certutil -verify command:
     certutil -verify -urlfetch C:\Users\xiaopeiz\Desktop\ocspCert\RICSR-2k-3.der
    Issuer:
        CN=DRM Server CA
        O=CDTA
        C=CN
      Name Hash(sha1): f22078f52e62d1eb06e86e7067783f0972b8fa44
      Name Hash(md5): eaaa40b41b7c385e927ed4c02d5d1e31
    Subject:
        CN=cc
        O=cn
        C=CN
      Name Hash(sha1): bfb9ddeff782038c9f59e93062a0f8ab97cde0c5
      Name Hash(md5): f6a6937f27940026bdc61f52b08dfe0d
    Cert Serial Number: 50be402d
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
      Issuer: CN=DRM Server CA, O=CDTA, C=CN
      NotBefore: 4/12/2018 12:00 AM
      NotAfter: 4/12/2023 11:59 PM
      Subject: CN=cc, O=cn, C=CN
      Serial: 50be402d
      fffc793cd330464c213da5b95ae55d76cbe00ef4
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
      Application[0] = 1.2.156.112560.4 
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
      Issuer: CN=Root CA, O=CDTA, C=CN
      NotBefore: 4/12/2018 12:00 AM
      NotAfter: 4/12/2068 11:59 PM
      Subject: CN=DRM Server CA, O=CDTA, C=CN
      Serial: 457fcdcc
      9d170c960d7d49dba664d17566075287d755c44b
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      Unsuccessful "OCSP" Time: 0
      --------------------------------
    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=Root CA, O=CDTA, C=CN
      NotBefore: 4/12/2018 12:00 AM
      NotAfter: 4/12/2068 11:59 PM
      Subject: CN=Root CA, O=CDTA, C=CN
      Serial: 2f5d1dab
      39b0a253b3e028d15c40618606c926e2a6abe24d
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
    Exclude leaf cert:
      ef8154fd241fece8896edba1021d5278cebfab08
    Full chain:
      e3b0668c6872236fe9cb9a470ba0ce5ddd33d18d
      Issuer: CN=DRM Server CA, O=CDTA, C=CN
      NotBefore: 4/12/2018 12:00 AM
      NotAfter: 4/12/2023 11:59 PM
      Subject: CN=cc, O=cn, C=CN
      Serial: 50be402d
      fffc793cd330464c213da5b95ae55d76cbe00ef4
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
    ------------------------------------
    Revocation check skipped -- server offline
    Cannot check leaf certificate revocation status
    CertUtil: -verify command completed successfully.
    What should I do?
    Thursday, April 12, 2018 12:36 PM
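As an added triage aid that is not part of the original post: a small Python parser for the per-element sections of certutil -verify -urlfetch output in the layout shown above, which reports why each chain element ended up with CERT_TRUST_REVOCATION_STATUS_UNKNOWN. The function names parse_chain and diagnose are my own, the sample text is a constructed excerpt, and the flag values 0x40 and 0x1000000 and the fetch-result strings ("No URLs", "Unsuccessful") are taken from the dump above.

```python
import re

# Constructed excerpt in the layout of "certutil -verify -urlfetch" output; other per-element lines are omitted.
SAMPLE = """CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Subject: CN=cc, O=cn, C=CN
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Subject: CN=DRM Server CA, O=CDTA, C=CN
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Unsuccessful "OCSP" Time: 0
"""
REVOCATION_STATUS_UNKNOWN = 0x40   # CERT_TRUST_REVOCATION_STATUS_UNKNOWN
IS_OFFLINE_REVOCATION = 0x1000000  # CERT_TRUST_IS_OFFLINE_REVOCATION
HEADER = re.compile(r"CertContext\[\d+\]\[\d+\]: dwInfoStatus=[0-9a-f]+ dwErrorStatus=([0-9a-f]+)")
SECTION = re.compile(r"-+\s+Certificate (AIA|CDP|OCSP)\s+-+")

def parse_chain(text):
    """Split the dump into chain elements: subject, dwErrorStatus bits and the fetch result per URL kind."""
    elements, cur, section = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            cur, section = {"subject": "", "error": int(m.group(1), 16), "aia": "", "cdp": "", "ocsp": ""}, None
            elements.append(cur)
        elif line.startswith("Subject:") and not cur.get("subject"):  # ignore the trailing "Full chain:" repeat
            cur["subject"] = line.split(":", 1)[1].strip()
        elif m := SECTION.match(line):
            section = m.group(1).lower()
        elif section and not cur.get(section):
            cur[section] = line  # the line right after a section banner is the fetch result
    return elements

def diagnose(elements):
    """One (subject, reason) pair per element whose revocation status Windows could not determine."""
    findings = []
    for e in elements:
        if not e["error"] & REVOCATION_STATUS_UNKNOWN:
            continue
        why = "revocation source unusable: " + (e["cdp"] or e["ocsp"] or "unknown")
        if e["ocsp"].startswith("Unsuccessful"):
            why = "an OCSP URL was tried but the responder returned no usable response"
        elif e["cdp"].startswith("No URLs") and e["ocsp"].startswith("No URLs"):
            why = "the certificate carries no CDP or OCSP URL, so there is nothing to fetch"
        findings.append((e["subject"], why + (" (reported as offline)" if e["error"] & IS_OFFLINE_REVOCATION else "")))
    return findings
```

Run over the full dump above, it separates the two problems visible there: the leaf RICSR-2k-3.der lists no CDP or OCSP URL at all, so Windows never has anything to fetch for it, while only the issuing CA certificate's OCSP fetch was actually attempted and failed.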