Hi all,
Please allow me to explain my background. I want to integrate my own CA System with the MS Online Responder service. Following the official reference, I cannot connect my own CA System to MS Online Responder. In particular, I manually added the AIA to the issuing CA certificate.
My question is that I CANNOT retrieve the state of the certificate.
RICSR-2k-3.der is a cert in the CRL list; I have already revoked it.
I used the certutil -verify command:
certutil -verify -urlfetch C:\Users\xiaopeiz\Desktop\ocspCert\RICSR-2k-3.der
Issuer:
CN=DRM Server CA
O=CDTA
C=CN
Name Hash(sha1): f22078f52e62d1eb06e86e7067783f0972b8fa44
Name Hash(md5): eaaa40b41b7c385e927ed4c02d5d1e31
Subject:
CN=cc
O=cn
C=CN
Name Hash(sha1): bfb9ddeff782038c9f59e93062a0f8ab97cde0c5
Name Hash(md5): f6a6937f27940026bdc61f52b08dfe0d
Cert Serial Number: 50be402d
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
Issuer: CN=DRM Server CA, O=CDTA, C=CN
NotBefore: 4/12/2018 12:00 AM
NotAfter: 4/12/2023 11:59 PM
Subject: CN=cc, O=cn, C=CN
Serial: 50be402d
fffc793cd330464c213da5b95ae55d76cbe00ef4
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.2.156.112560.4
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=Root CA, O=CDTA, C=CN
NotBefore: 4/12/2018 12:00 AM
NotAfter: 4/12/2068 11:59 PM
Subject: CN=DRM Server CA, O=CDTA, C=CN
Serial: 457fcdcc
9d170c960d7d49dba664d17566075287d755c44b
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Unsuccessful "OCSP" Time: 0
--------------------------------
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Root CA, O=CDTA, C=CN
NotBefore: 4/12/2018 12:00 AM
NotAfter: 4/12/2068 11:59 PM
Subject: CN=Root CA, O=CDTA, C=CN
Serial: 2f5d1dab
39b0a253b3e028d15c40618606c926e2a6abe24d
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
ef8154fd241fece8896edba1021d5278cebfab08
Full chain:
e3b0668c6872236fe9cb9a470ba0ce5ddd33d18d
Issuer: CN=DRM Server CA, O=CDTA, C=CN
NotBefore: 4/12/2018 12:00 AM
NotAfter: 4/12/2023 11:59 PM
Subject: CN=cc, O=cn, C=CN
Serial: 50be402d
fffc793cd330464c213da5b95ae55d76cbe00ef4
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
What should I do?
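An added example (not part of the post above): a Python script that walks the certutil -verify -urlfetch dump element by element and reports why Windows could not check revocation. The sample dump is an excerpt of the output quoted in the post (the self-signed root element and the AIA sections are left out); the header regex follows the section markers exactly as certutil printed them there.

```python
import re

# Excerpt of the certutil -verify -urlfetch dump quoted in the post (trimmed to the
# lines this parser needs; the self-signed root element is left out).
CERTUTIL_DUMP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
Subject: CN=cc, O=cn, C=CN
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Subject: CN=DRM Server CA, O=CDTA, C=CN
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Unsuccessful "OCSP" Time: 0
--------------------------------
"""

def parse_chain(dump):
    """One dict per chain element: subject plus the status line certutil printed
    under each URL section (AIA = caIssuers, CDP = CRL, OCSP = responder)."""
    elements, section = [], None
    for line in dump.splitlines():
        head = re.match(r"-+ Certificate (AIA|CDP|OCSP) -+$", line)
        if line.startswith("CertContext["):
            elements.append({"urls": {}})
            section = None
        elif not elements:
            continue                      # preamble before the first element
        elif line.startswith("Subject:"):
            elements[-1].setdefault("subject", line.split(":", 1)[1].strip())
        elif head:
            section = head.group(1)       # the next line is this section's status
        elif section and section not in elements[-1]["urls"]:
            elements[-1]["urls"][section] = line.strip()
    return elements

def revocation_findings(dump):
    """Map each subject whose revocation check could not complete to the reason."""
    out = {}
    for e in parse_chain(dump):
        urls = e["urls"]
        if all(urls.get(k, "").startswith("No URLs") for k in ("CDP", "OCSP")):
            out[e["subject"]] = "no CDP or OCSP URLs in the certificate: nothing to fetch"
        elif urls.get("OCSP", "").startswith("Unsuccessful"):
            out[e["subject"]] = "OCSP URL present but the responder could not be reached"
    return out
```

Run against the excerpt, it reports that the leaf (CN=cc) carries no CDP or OCSP URL at all, and that the issuing CA's OCSP fetch was attempted but failed, which is exactly what CRYPT_E_REVOCATION_OFFLINE summarises.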