This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 1%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
I have a customer that is using a commercial application. That applications vendor has provided me and the customer with a self signed certificate. My client application to this customers application is having a connection issue. I see the same connection issues when using curl to the customers endpoint.
C:\Users\A-STAFFRX>curl "https://ua00991d.---.com:18124/"
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
If I load the customers certificate in 'trusted root certification' I get this.
C:\Users\A-STAFFRX>curl "https://ua00991d.---.com:18124/"
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
These are the same responses I get when I try to connect to the customers application from my c# client.
In looking at the self signed certificate that was provided by vendor. It has no CRL Distribution points defined. Given that what is my client application or curl trying to check?
TLS endpoint uses the certificate that chains up to their provided root certificate. And this certificate has broken CDP URLs. You need to contact your vendor and ask them to fix this issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Richard Stafford ,
Thank you for posting here.
Hope the information provided by Crypt32 was helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Thank you Daisy. We still have some questions, I'll reply to crypt32.
Hello @Richard Stafford ,
Thank you for your update.
If there is any update, please reply here or share the solution here.
Thank you in advance.
Best Regards,
Daisy Zhou
Thank you for your time to reply Crypt32. I'm collecting some details on the certificate to see if we can identify any broken CDP URL's. Do you know why this certificate would work on some window's servers and not others? What is it that would cause this revocation check error on one server, but not on other window servers?
Million reasons can cause. It would be better if you could get a certificate on a machine where it fails and run certutil -verify -urlfetch certfile.cer against your certificate and post certutil output. Then we can say more about your issue.
Does the owner of this certificate need to be using a CA instead of self signing the certificate?
absolutely.
I bet that relying party has poor knowledge of PKI and/or misconfigured environment and since you are a consumer, it is their responsibility to make their usage flawless and secure.
Sending certutil responce in comments. my company is blocking any attachment, Sorry
certutil -verify -urlfetch ftl-trust.pem
Issuer:
CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Name Hash(sha1): ed09a0f9fcd3261398e5fb10a896d6b95c83eb0a
Name Hash(md5): 98ccdc5caaf1b8d92dbc6440b033454a
Subject:
CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Name Hash(sha1): ed09a0f9fcd3261398e5fb10a896d6b95c83eb0a
Name Hash(md5): 98ccdc5caaf1b8d92dbc6440b033454a
Cert Serial Number: 01
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=10a dwErrorStatus=20
Issuer: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
NotBefore: 1/12/2021 6:39 PM
NotAfter: 1/18/2038 10:14 PM
Subject: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Serial: 01
Cert: fabc203530fea0fef067cfd9da258d937a71ab56
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
Exclude leaf cert:
Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
Chain: fabc203530fea0fef067cfd9da258d937a71ab56
Issuer: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
NotBefore: 1/12/2021 6:39 PM
NotAfter: 1/18/2038 10:14 PM
Subject: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Serial: 01
Cert: fabc203530fea0fef067cfd9da258d937a71ab56
Verifies against UNTRUSTED root
Cert is a CA certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
Is this a TLS certificate you get with CURL?