OCSP verify fails on client cert, but succeeds on server cert

  • Question

  • I'm running into a very strange issue that is preventing users from logging into OWA 2010.  The failure is "The revocation function was unable to check revocation because the revocation server was offline." with a 403 displayed in the user's browser.  If I attempt to verify OCSP on a client certificate it comes back as Unsuccessful.  If I do the same test on the server that issued the client certificate, it succeeds.  Both certificates point to the same OCSP link, and both tests were performed on my Exchange server.

    Any help would be greatly appreciated as I have no clue why this would happen.

    Thanks.


    • Edited by mwolfe87 Tuesday, December 8, 2015 3:56 PM clarified 403 error.
    Tuesday, December 8, 2015 3:52 PM

Answers

  • Found the problem.  I had renewed my subCA's certificate when I found that it was going to expire in a relatively short time, with a new cert that will expire in about 10 years.  I had forgotten that I needed to update my revocation configuration with the new certificate.  Once I made this change, OCSP started working again.

    Thanks for the help.

    • Marked as answer by mwolfe87 Wednesday, December 9, 2015 4:05 PM
    Wednesday, December 9, 2015 4:05 PM
  • The OCSP responder is not providing a response when the validation of the CN=John Doe certificate is taking place:

    Unsuccessful "OCSP" Time: 0
        [0.0] http://dc1.sub.contoso.com/ocsp

    In addition, you are *only* using OCSP, so there is no fall back to CRL checking for the revocation status.

    I did notice that the issuing CA for the John Doe certificate is DC2, but the URL for the OCSP server is DC1, this may be the issue.

    In a properly architected PKI, there would not be separate OCSP servers, just a single OCSP cluster (think ocsp.contoso.com), and revocation configurations for each issuing CA would be enabled/configured on all nodes of the cluster.

    Brian

    • Proposed as answer by Amy Wang_ Monday, December 28, 2015 3:42 PM
    • Marked as answer by Amy Wang_ Thursday, December 31, 2015 4:25 AM
    Tuesday, December 8, 2015 4:28 PM

All replies

  • Please run the command certutil -verify -urlfetch OWACERT.cer and post the output.

    You have a problem in your revocation configuration, and the output will show what is incorrect.

    Brian

    Tuesday, December 8, 2015 4:01 PM
  • I'm not the best at reading this output, so I apologize in advance if I miss the obvious problem.  The error message provided is the same one that I saw in the IIS logs on my Exchange server.

    Issuer:
        CN=dc2
        DC=sub
        DC=contoso
        DC=com
    Subject:
        CN=John Doe
        OU=Users
        OU=Personnel
        DC=sub
        DC=contoso
        DC=com
    Cert Serial Number: 6ee94d7c000200000a01

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
      Issuer: CN=dc2, DC=sub, DC=contoso, DC=com
      NotBefore: 12/4/2015 4:00 PM
      NotAfter: 12/3/2018 4:00 PM
      Subject: CN=John Doe, OU=Users, OU=Personnel, DC=sub, DC=contoso, DC=com
      Serial: 6ee94d7c000200000a01
      Template: Card Authentication
      c8 aa 4e 20 cf 68 93 e9 8b 12 2d 74 4c 68 e7 42 12 99 b3 78
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] ldap:///CN=dc2,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sub,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority

      Verified "Certificate (0)" Time: 0
        [1.0] http://dc2.sub.contoso.com/CertEnroll/dc2.sub.contoso.com_dc2(2).crt

      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      Unsuccessful "OCSP" Time: 0
        [0.0] http://dc1.sub.contoso.com/ocsp

      --------------------------------
      Application[0] = 2.16.840.1.101.3.6.8 id-PIV-cardAuth

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=dc1, DC=sub, DC=contoso, DC=com
      NotBefore: 8/7/2015 9:49 AM
      NotAfter: 8/4/2025 9:49 AM
      Subject: CN=dc2, DC=sub, DC=contoso, DC=com
      Serial: 615827eb000000000091
      Template: Subordinate Certification Authority V2
      ee 3c 9b fd be a3 a6 49 25 b6 4e 25 54 1a 98 f8 c7 d5 b2 5d
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] ldap:///CN=dc1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sub,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority

      Verified "Certificate (0)" Time: 0
        [1.0] http://dc1.sub.contoso.com/CertEnroll/dc1.sub.contoso.com_dc1.crt

      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      Verified "OCSP" Time: 0
        [0.0] http://dc1.sub.contoso.com/ocsp

      --------------------------------
        CRL (null):
        Issuer: CN=dc1.sub.contoso.com
        84 93 98 53 f9 fa 13 d5 35 6a dd 19 20 9f 48 00 9c ea 8e 34

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=dc1, DC=sub, DC=contoso, DC=com
      NotBefore: 7/14/2014 3:48 PM
      NotAfter: 7/14/2039 3:58 PM
      Subject: CN=dc1, DC=sub, DC=contoso, DC=com
      Serial: 6b6d51927072ba934f07ea28bd953182
      f1 06 04 3c e5 b7 20 2d d3 f7 80 80 39 d0 c6 15 97 8e ad 07
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      d1 37 f1 78 11 5c 29 73 ca da 10 08 3e 1d 12 3c 9f 72 66 76
    Full chain:
      e1 ff 39 34 d2 00 49 75 69 91 73 9c 8f 7f ad 5c 32 2c ff bd
      Issuer: CN=dc2, DC=sub, DC=contoso, DC=com
      NotBefore: 12/4/2015 4:00 PM
      NotAfter: 12/3/2018 4:00 PM
      Subject: CN=John Doe, OU=Users, OU=Personnel, DC=sub, DC=contoso, DC=com
      Serial: 6ee94d7c000200000a01
      Template: Card Authentication
      c8 aa 4e 20 cf 68 93 e9 8b 12 2d 74 4c 68 e7 42 12 99 b3 78
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline

    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

    Tuesday, December 8, 2015 4:22 PM
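    An added example, not code from this thread: a small Python parser for the certutil -verify -urlfetch chain output posted above. Per chain element it reports an unsuccessful OCSP fetch and the OCSP-only configuration (no CDP, so no CRL to fall back to) that Brian's reply calls out. The sample input is a constructed excerpt modelled on the posted output; the parser assumes certutil's section rules and "Status "Name" Time:" line shapes exactly as they appear there.

```python
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Subject: CN=John Doe, OU=Users, OU=Personnel, DC=sub, DC=contoso, DC=com
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Unsuccessful "OCSP" Time: 0
    [0.0] http://dc1.sub.contoso.com/ocsp
  --------------------------------
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=dc2, DC=sub, DC=contoso, DC=com
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://dc1.sub.contoso.com/ocsp
"""  # constructed excerpt modelled on the certutil -verify -urlfetch output posted above

def parse_chain(text):
    """Split certutil chain output into elements: {subject, sections: {name: {status, urls}}}."""
    elements, section = [], None
    current = scratch = {"subject": "", "sections": {}}   # lines outside an element land here
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("CertContext["):                   # start of a chain element
            elements.append(current := {"subject": "", "sections": {}})
            section = None
        elif s.startswith("Subject:"):
            current["subject"] = s[8:].strip()
        elif s.startswith("----"):
            section = s.strip("- ")                        # "Certificate OCSP", or "" for the bare rule
            if section:
                current["sections"][section] = {"status": None, "urls": []}
            else:
                current = scratch                          # bare rule ends the element's fetch results
        elif section and s.startswith("["):                # e.g. [0.0] http://dc1.sub.contoso.com/ocsp
            current["sections"][section]["urls"].append(s.split(None, 1)[1])
        elif section and '"' in s and current["sections"][section]["status"] is None:
            current["sections"][section]["status"] = s.split('"')[0].strip()  # Verified / Unsuccessful / No URLs
    return elements

def revocation_findings(elements):  # why an element's revocation status comes back unknown, in certutil's terms
    findings = []
    for e in elements:
        ocsp, cdp = (e["sections"].get(k, {}) for k in ("Certificate OCSP", "Certificate CDP"))
        if ocsp.get("status") == "Unsuccessful":
            findings.append((e["subject"], "OCSP fetch unsuccessful: " + ", ".join(ocsp["urls"])))
        if ocsp.get("urls") and not cdp.get("urls"):
            findings.append((e["subject"], "OCSP only, no CDP: no CRL to fall back to if the responder fails"))
    return findings
```

    Run it over a saved certutil output file and the first finding is the leaf's failed OCSP fetch; the "OCSP only" findings are why a responder outage turns straight into CERT_TRUST_IS_OFFLINE_REVOCATION.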
  • Thanks for that bit of info.  I added the CRLs to the cert and it was able to validate it.  Any clues on how to best troubleshoot why my responder isn't responding?  OCSP responder shows that it is working correctly.
    Tuesday, December 8, 2015 7:17 PM
  • I took a network trace of me checking the OCSP URL from certutil -url cert.crt and the response from the server is "unauthorized".  Not exactly sure when this started happening because this was a working environment.  I'm also not seeing anything in the CAPI2 logs when the check happens.

    Any suggestions on what is causing this error?

    Tuesday, December 8, 2015 9:10 PM