Issue with Revocation Checks

  • Question

  • I have a lab environment with two Server 2012 R2 cert servers; the root is offline and the sub CA is online. Well, I let my Sub CA cert lapse by months. Revocation checking was failing on the sub CA but I was able to resolve that by publishing the root CA back to the sub CA.

    However, web server certs issued by the sub CA are encountering similar errors and I'm not sure how to resolve it. I've exported the requested cert and run a certutil -verify -urlfetch mycert.cer against it. Here's partial results on what look like to be errors:

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwRevocationFreshnessTime: 1 Hours, 3 Minutes, 16 Seconds
    
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwRevocationFreshnessTime: 1 Hours, 3 Minutes, 16 Seconds
    
    [....]
    
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (d0)" Time: 0
        [0.0] http://<subcafqdn>/CertEnroll/SubCA(3).crl
    
      Verified "Delta CRL (d0)" Time: 0
        [0.0.0] ldap:///CN=SubCA(3),CN=subcaCN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=example,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
    
      ----------------  Base CRL CDP  ----------------
      OK "Delta CRL (d1)" Time: 0
        [0.0] ldap:///CN=SubCA(3),CN=subca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=example,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
    
      ----------------  Certificate OCSP  ----------------
      Failed "OCSP" Time: 0
        Error retrieving URL: Method not allowed (405). 0x80190195 (-2145844843 HTTP_E_STATUS_BAD_METHOD)
        http://<subcafqdn>/CertEnroll/<subcafqdn>_SubCA(3).crt
    
      --------------------------------


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, March 9, 2018 7:21 PM

All replies

  • You have misconfigured your AIA URIs. You have configured the CA certificate as an OCSP URI.

    Can you send the output of certutil -getreg CA\CACertPublicationURLs

    The URL http://<subcafqdn>/CertEnroll/<subcafqdn>_SubCA(3).crt should have a value of 2, not 32 or 34

    The correct URL for an OCSP responder is 

    32:http://<ocspDNS>/ocsp

    Brian

    Saturday, March 10, 2018 4:12 PM
  • Here's the output:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\SubCA\CACertPublicationURLs:

      CACertPublicationURLs REG_MULTI_SZ =
        0: 34:http://%1/CertEnroll/%1_%3%4.crt
        CSURL_ADDTOCERTCDP -- 2
        CSURL_ADDTOCERTOCSP -- 20 (32)

    CertUtil: -getreg command completed successfully.

    --

    On my subordinate, under Extensions, the AIA is configured with a value of:

    http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt


    Trevor Seward


    Saturday, March 10, 2018 4:32 PM
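As an added example (not from this thread or from Microsoft), here is a PowerShell check that decodes the flag prefix on each CACertPublicationURLs entry, as shown in the certutil -getreg output above, and reports entries where a CA certificate (.crt) URL carries the OCSP bit (32, or 34 = 2|32) instead of only the AIA bit (2), which is the misconfiguration Brian points out. The bit names for 2 and 32 come from the thread's own output; the remaining CSURL_* names are the documented values; the CA name SubCA and the fallback sample entries are assumptions.

```powershell
# Added example: decode CACertPublicationURLs flags and spot a .crt URL advertised as OCSP.
# Bits 2 (CSURL_ADDTOCERTCDP) and 32 (CSURL_ADDTOCERTOCSP) are confirmed by the thread's output;
# the other names are the standard CSURL_* values (assumed from AD CS documentation).
$CsUrlFlags = [ordered]@{
    1   = 'CSURL_SERVERPUBLISH'
    2   = 'CSURL_ADDTOCERTCDP'
    4   = 'CSURL_ADDTOFRESHESTCRL'
    8   = 'CSURL_ADDTOCRLCDP'
    16  = 'CSURL_PUBLISHRETRY'
    32  = 'CSURL_ADDTOCERTOCSP'
    64  = 'CSURL_SERVERPUBLISHDELTA'
    128 = 'CSURL_ADDTOIDP'
}

function Test-CaCertPublicationUrls {
    param([string[]]$Entries)   # each entry has the form "<flags>:<url template>"
    foreach ($entry in $Entries) {
        if ($entry -notmatch '^(\d+):(.+)$') { Write-Warning "Unparseable entry: $entry"; continue }
        $flags = [int]$Matches[1]; $url = $Matches[2]
        $bits  = $CsUrlFlags.Keys | Where-Object { $flags -band $_ } | ForEach-Object { $CsUrlFlags[$_] }
        $isCertFile = $url -match '\.crt$'
        $inOcsp = ($flags -band 32) -ne 0
        $inAia  = ($flags -band 2) -ne 0
        $verdict = 'OK'
        if ($isCertFile -and $inOcsp) {
            $verdict = 'BAD: CA certificate (.crt) advertised as OCSP URI; use 2 (AIA), not 32 or 34'
        } elseif (-not $isCertFile -and $inAia) {
            $verdict = 'CHECK: AIA bit (2) set on a URL that is not a .crt'
        } elseif ($url -match '^http' -and -not $inAia -and -not $inOcsp) {
            $verdict = 'CHECK: HTTP URL is not included in issued certificates'
        }
        [pscustomobject]@{ Flags = $flags; Bits = ($bits -join '|'); Url = $url; Verdict = $verdict }
    }
}

# Read the live value from the registry path shown in the thread (assumed CA name: SubCA).
$CaName  = 'SubCA'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$entries = (Get-ItemProperty -Path $regPath -Name CACertPublicationURLs -ErrorAction SilentlyContinue).CACertPublicationURLs
if (-not $entries) {
    # Constructed sample: the thread's misconfigured value, a corrected AIA pair, and a proper OCSP entry.
    $entries = @('34:http://%1/CertEnroll/%1_%3%4.crt',
                 '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt',
                 '2:http://%1/CertEnroll/%1_%3%4.crt',
                 '32:http://crl.example.com/ocsp')
}
Test-CaCertPublicationUrls -Entries $entries | Format-Table -AutoSize
```

Run it on the CA itself as an administrator; on any other machine it falls back to the constructed sample so the decoding logic can still be inspected.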
  • Since this is a lab, I'd be perfectly willing to start from scratch, sans my existing *servers* and templates. I want to have the following:

    http and OCSP only for client access, I'm not intending to publish to LDAP. I will use a friendly name (http://crl.example.com) for publishing and the OCSP connection point. IIS binding/A record is already configured. I only intend to have a single sub ca and root (offline) ca. I don't think the root needs to be modified, but here are the basic settings on the root:

    CDP extension publishes to C:\windows\system32\certsrv\CertEnroll\root.crl - Publish CRLs to this location checked. AIA extension is blank. Root.crl is placed in the sub CA C:\windows\system32\certsrv\CertEnroll\.

    If/when I change the CDP/AIA on the sub CA, is republishing CRLs enough, or do I need to re-issue the sub CA cert? And for some reason I cannot get a CRT published to the specified named cert. I'm trying to publish to C:\Windows\System32\CertSrv\CertEnroll\intermediate.crt in the AIA extension (the cert location is not included on issued certs, of course), but it doesn't publish here automatically when publishing from the Revoked certs node.

    For the sub CA configured locations, I have:

    CDP -

    http://crl.example.com/CertEnroll/intermediate.crl (include in CDP and IDP extensions)

    http://crl.example.com/CertEnroll/intermediate<DeltaCRLAllowed>.crl (include in CRLs. Clients use this to find Delta CRL)

    C:\Windows\System32\CertSrv\CertEnroll\intermediate.crl (Publish CRL to this location)

    C:\Windows\System32\CertSrv\CertEnroll\intermediate<DeltaCRLAllowed>.crl  (Publish Delta CRLs to this location)

    AIA -

    http://crl.example.com/ocsp (include in OCSP extension)

    http://crl.example.com/CertEnroll/intermediate.crt (include in AIA extension)

    C:\Windows\System32\CertSrv\CertEnroll\intermediate.crt - again this isn't publishing automatically, but the OOTB version of this path did

    Thanks for your help!


    Trevor Seward


    Saturday, March 10, 2018 5:46 PM
  • Alright, I found one of your posts -- https://social.technet.microsoft.com/Forums/windowsserver/en-US/b35dfba3-a9c9-46f7-a4df-010a83c46a6a/cdp-unable-to-download-crl?forum=winserversecurity. I was trying to use static names, so I reverted away from that and am using variable names now. AIA, CDP (CRL & Delta), OCSP are good.

    On a workstation using pkiview, the only remaining error is on the Sub CA cert showing Revocation Status Unknown, but the CAPI2 log shows no errors, only informationals.

    On the sub CA itself, the AIA HTTP path shows as Unable to Download, but everything else looks good. The same AIA path works for the workstation. There is no proxy involved. I can successfully download the CRT from the sub CA itself.


    Trevor Seward


    Saturday, March 10, 2018 11:02 PM
  • That's good, but you need to resolve the error, and any error shown in PKIView. That's what health status is all about.
    Wednesday, March 14, 2018 9:15 PM
  • At this point, the only remaining error is client side with the Revocation Status Check issue, but I'm not quite sure what I need to do to resolve it. The root CA and sub CA cert are present in the appropriate stores on the client.

    Trevor Seward


    Wednesday, March 14, 2018 10:59 PM