question

0 Votes
RichardStafford-1325 asked ·

CRL Checking

I have a customer that is using a commercial application. That application's vendor has provided me and the customer with a self-signed certificate. My client application to this customer's application is having a connection issue. I see the same connection issues when using curl to the customer's endpoint.

C:\Users\A-STAFFRX>curl "https://ua00991d.---.com:18124/"
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

If I load the customer's certificate in 'trusted root certification' I get this.

C:\Users\A-STAFFRX>curl "https://ua00991d.---.com:18124/"
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

These are the same responses I get when I try to connect to the customer's application from my C# client.

  1. Can you provide some information about certificates and CRLs and how this is supposed to be configured?

  2. How are CRLs supposed to be managed when using self-signed certificates?

  3. Does the owner of this certificate need to be using a CA instead of self-signing the certificate?

  4. Could there be some configuration on my Windows Server 2016 that is preventing this connection or not allowing some needed services to operate on this certificate or a CRL? The support staff of the commercial application states that other servers connect to their service just fine with the same connection source we are using.
windows-server-security
· 12

In looking at the self-signed certificate that was provided by the vendor, it has no CRL Distribution Points defined. Given that, what is my client application or curl trying to check?

0 Votes 0 ·
Crypt32 · RichardStafford-1325 ·

The TLS endpoint uses a certificate that chains up to their provided root certificate, and this certificate has broken CDP URLs. You need to contact your vendor and ask them to fix this issue.

0 Votes 0 ·

Thank you for your time to reply, Crypt32. I'm collecting some details on the certificate to see if we can identify any broken CDP URLs. Do you know why this certificate would work on some Windows servers and not others? What is it that would cause this revocation check error on one server, but not on other Windows servers?

0 Votes 0 ·
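The two curl errors above (an untrusted root, then a failed revocation check once the root is trusted) are produced by the Windows chain engine that schannel and .NET share, so a C# client can reproduce them and show exactly which certificate in the chain carries the CRL Distribution Points (CDP) or Authority Information Access (AIA) URLs that Crypt32 says are broken, and why one server can pass the check while another cannot (for example, one can reach the CDP URL and the other cannot). The following diagnostic is an added example written for this thread; it is not code from the original post or from the vendor. It assumes the certificate presented by the endpoint has been exported to a file at the placeholder path leaf.cer and the vendor's self-signed root to root.cer, and it relies on the documented X509Chain API only. On Windows it uses the same CryptoAPI chain building as schannel; on Linux .NET falls back to OpenSSL and the status flags can differ.

```csharp
// Added diagnostic example (not from the thread): rebuild the endpoint's chain the way
// schannel does and report trust and revocation status per certificate.
// Assumptions (placeholders): leaf.cer = certificate served by the endpoint,
//                             root.cer = vendor-supplied self-signed root.
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainDiag
{
    static void Main(string[] args)
    {
        string leafPath = args.Length > 0 ? args[0] : "leaf.cer";   // placeholder path
        string rootPath = args.Length > 1 ? args[1] : "root.cer";   // placeholder path
        var leaf = new X509Certificate2(leafPath);
        var root = new X509Certificate2(rootPath);

        // Pass 1: trust only. An UntrustedRoot status here is the same condition
        // curl reported as SEC_E_UNTRUSTED_ROOT (0x80090325).
        Report(leaf, root, X509RevocationMode.NoCheck);

        // Pass 2: trust plus online revocation, which is schannel's default.
        // RevocationStatusUnknown / OfflineRevocation here is the same condition
        // curl reported as 0x80092012 (CRYPT_E_NO_REVOCATION_CHECK).
        Report(leaf, root, X509RevocationMode.Online);
    }

    static void Report(X509Certificate2 leaf, X509Certificate2 root, X509RevocationMode mode)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = mode;
            // A self-signed root is never revocation-checked; only certificates below it are.
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
            // ExtraStore lets the engine locate the root so the chain completes; it does NOT
            // make the root trusted, so UntrustedRoot is still reported until the root is
            // installed in the Trusted Root Certification Authorities store.
            chain.ChainPolicy.ExtraStore.Add(root);

            bool ok = chain.Build(leaf);
            Console.WriteLine($"RevocationMode={mode}: Build() returned {ok}");
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine($"  overall: {s.Status} - {s.StatusInformation.Trim()}");

            foreach (X509ChainElement el in chain.ChainElements)
            {
                X509Certificate2 cert = el.Certificate;
                Console.WriteLine($"  {cert.Subject}");
                Console.WriteLine($"    self-signed (subject == issuer): {cert.Subject == cert.Issuer}");

                // 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information
                // Access. Format(false) renders the URLs CryptoAPI will try to download from;
                // a URL that one server can reach and another cannot explains the difference.
                X509Extension cdp = cert.Extensions["2.5.29.31"];
                X509Extension aia = cert.Extensions["1.3.6.1.5.5.7.1.1"];
                Console.WriteLine($"    CDP: {(cdp == null ? "(none)" : cdp.Format(false))}");
                Console.WriteLine($"    AIA: {(aia == null ? "(none)" : aia.Format(false))}");

                foreach (X509ChainStatus s in el.ChainElementStatus)
                    Console.WriteLine($"    status: {s.Status} - {s.StatusInformation.Trim()}");
            }
        }
    }
}
```

Run it once on a server where the connection works and once on the server where it fails and compare the per-element status lines: if the failing server shows RevocationStatusUnknown or OfflineRevocation on the leaf (or an intermediate) while the CDP line prints a URL, the difference is the ability to fetch that CRL (proxy, firewall, DNS, or a stale cached CRL), not the certificate itself; if the CDP line prints "(none)" for every certificate below the root, the engine has nothing to fetch and the revocation failure points back to the vendor's certificate configuration, which is what Crypt32's reply describes.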

Hello @RichardStafford-1325,

Thank you for posting here.

Hope the information provided by Crypt32 was helpful.

Should you have any questions or concerns, please feel free to let us know.


Best Regards,
Daisy Zhou

0 Votes 0 ·

Thank you Daisy. We still have some questions, I'll reply to crypt32.

0 Votes 0 ·
DaisyZhou-MSFT · RichardStafford-1325 ·

Hello @RichardStafford-1325,

Thank you for your update.

If there is any update, please reply here or share the solution here.

Thank you in advance.


Best Regards,
Daisy Zhou

0 Votes 0 ·

Does the owner of this certificate need to be using a CA instead of self signing the certificate?

Absolutely.

I bet that relying party has poor knowledge of PKI and/or a misconfigured environment, and since you are a consumer, it is their responsibility to make their usage flawless and secure.
0 Votes 0 ·

0 Answers