Asked by chewy0022-0654; edited by DSPatrick

Certificate AIA Revocation Check Failed

I'm having difficulties setting up a new subordinate CA with a pre-existing offline root. The root CA and new subordinate CA verify successfully when using "certutil -verify -urlfetch". When I run this against any certificate issued by the new subordinate CA, the AIA fails to validate.

I've attempted to re-issue the subordinate CA and client authentication CAs from the subordinate CA multiple times while troubleshooting. The many times I've re-issued the subordinate CA and republished to AD is why I'm seeing so many "wrong issuer" entries in the URL Retrieval Tool and certutil -verify results, I assume. The interesting thing is that if I double-click an AIA URL from the URL Retrieval Tool, it pulls up the cert just fine. Same if I manually enter the HTTP URL into the browser. No problems downloading the file.

It may be worth noting that the new subordinate CA that I'm trying to set up is an enterprise CA for a new domain, which is distinct from the other CAs in the environment.


```text
certutil -verify -urlfetch .\client.cer
Issuer:
    CN=ISSUINGCA
    DC=DOMAIN
    DC=com
  Name Hash(sha1): 2419e7c4831a30c217c1c19f17171011461b71c8
  Name Hash(md5): 3c17b1488f24b645d617e5b14b9345fe
Subject:
    EMPTY (DNS Name=SERVER1.Domain.com)
  Name Hash(sha1): f944d3d635f6801f7ac90a407fbc419964ded02d
  Name Hash(md5): a46c3b54f2c9871cd81daf7a932499c0
Cert Serial Number: 1000000129f1681185b1b2c13b100310001021

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com
  NotBefore: 9/22/2021 1:44 PM
  NotAfter: 9/21/2024 1:44 PM
  Subject:
  Serial: 1000000129f1681185b1b2c13b100310001021
  SubjectAltName: DNS Name=SERVER1.Domain.com
  Template: Client Authentication
  Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0 e26fc7916dbb3876dbb8a19aa123be00801d9f82
    [0.0] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority

  Wrong Issuer "Certificate (1)" Time: 0 faa93a3835535ec198a141f653210ede10bc9499
    [0.1] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority

  Wrong Issuer "Certificate (2)" Time: 0 9de6e01d9263795f3cbfe47ec79584b00f4d624a
    [0.2] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority

  Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d
    [0.3] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority

  Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d
    [1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA.Domain.com_ISSUINGCA(3).crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593
    [0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
    [0.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
    [0.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl

  Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593
    [1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3).crl

  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
    [1.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
    [1.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=rootCA
  NotBefore: 9/22/2021 1:41 PM
  NotAfter: 9/22/2026 1:51 PM
  Serial: 1400000011d8721cb3c4e98ab1000100000011
  Template: SubCA
  Cert: dca0ab2d0af47a16f794f924011a974cb269894d
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3
    [0.0] http://ISSUINGCA-OLD.domain.org/pki/RootCA_rootCA(1).crt

  Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3
    [1.0] http://IssuingCA.domain.com/pki/RootCA_rootCA(1).crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778
    [0.0] http://ISSUINGCA-OLD.domain.org/pki/rootCA.crl

  Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778
    [1.0] http://IssuingCA.domain.com/pki/rootCA.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.311.21.8.2657365.3421506.8416519.5442337.5312189.261.125075.5566931

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=rootCA
  NotBefore: 5/5/2020 2:14 PM
  NotAfter: 9/14/2031 12:50 PM
  Subject: CN=rootCA
  Serial: 49acc47b01c16b944761cfdc1955d700
  Cert: b054726a8af29e9a9aff1bdd474ea01c002e61c3
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 5b59450568ae68844c4fffda219ac9de481fbbd6
Full chain:
  Chain: 796780d4fefa26bb605ae89a6fcfa0a47338fcdd
  Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com
  NotBefore: 9/22/2021 1:44 PM
  NotAfter: 9/21/2024 1:44 PM
  Subject:
  Serial: 1000000129f1681185b1b2c13b100310001021
  SubjectAltName: DNS Name=SERVER1.Domain.com
  Template: Client Authentication
  Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline

ERROR: Verifying leaf certificate revocation status returned The certificate is not in the revocation server's database. 0x80092014 (-2146885612 CRYPT_E_NOT_IN_REVOCATION_DATABASE)
CertUtil: The certificate is not in the revocation server's database.

CertUtil: -verify command completed successfully.
```

URL Retrieval Tool screenshots: 134288-url-retrieval-aia.png, 134452-url-retrieval-cdp.png

PKI View screenshot: 134481-pkiviewsubca.png
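As an added example (not part of the original post), the PowerShell below rebuilds the chain for the leaf certificate the same way "certutil -verify -urlfetch" does (online revocation, root excluded via CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT), prints each element's status, then downloads every HTTP AIA URL on the leaf and compares the returned certificate's thumbprint with the issuer the chain actually selected. This makes a "Wrong Issuer" versus "Revocation Check Failed" result visible per URL. It assumes a domain-joined Windows host with PowerShell 5.1 or later; the `$LeafPath` parameter and its default are placeholders.

```powershell
# Added example, not from the original post. Rebuilds the chain like certutil -verify -urlfetch,
# then checks each HTTP AIA URL on the leaf against the issuer the chain picked.
# Assumes a domain-joined Windows host; $LeafPath is a placeholder argument.
param([string]$LeafPath = '.\client.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$leaf = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $LeafPath).Path

$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode    = 'Online'       # fetch CRL/OCSP, as -urlfetch does
$chain.ChainPolicy.RevocationFlag    = 'ExcludeRoot'  # CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$built = $chain.Build($leaf)
"Chain build succeeded: $built"

# Per-element status. RevocationStatusUnknown / OfflineRevocation are the .NET names for the
# CERT_TRUST_REVOCATION_STATUS_UNKNOWN / CERT_TRUST_IS_OFFLINE_REVOCATION flags in certutil's dump.
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    $status = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    '[{0}] {1}  thumbprint={2}  status={3}' -f $i, $el.Certificate.Subject, $el.Certificate.Thumbprint, $status
}
if ($chain.ChainElements.Count -lt 2) { Write-Warning 'No issuer selected for the leaf; stopping.'; return }

# Download each HTTP AIA URL on the leaf and check that it returns the issuer the chain used.
$expected = $chain.ChainElements[1].Certificate
$aia = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }   # Authority Info Access
if (-not $aia) { Write-Warning 'Leaf has no AIA extension.'; return }
$urls = [regex]::Matches($aia.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
foreach ($url in $urls) {
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $fetched = New-Object "$x509.X509Certificate2" -ArgumentList $tmp
        $match = ($fetched.Thumbprint -eq $expected.Thumbprint)
        '{0}  fetched={1}  matches chain issuer={2}' -f $url, $fetched.Thumbprint, $match
    } catch {
        '{0}  FETCH FAILED: {1}' -f $url, $_.Exception.Message
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

A URL that downloads fine but reports `matches chain issuer=False` is serving a different CA certificate than the one the leaf was signed with, which is what certutil labels "Wrong Issuer"; an issuer that matches but still shows OfflineRevocation points at the CA certificate's own CDP/AIA retrieval rather than the download itself.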

Tag: windows-server-security

0 Answers