Certificate AIA Revocation Check Failed

chewy0022 16 Reputation points
2021-09-22T21:06:35.267+00:00

I’m having difficulties setting up a new subordinate CA with a pre-existing offline root. The root CA and new subordinate CA verify successfully when using “certutil -verify -urlfetch”. When I run this against any certificate issued by the new subordinate CA, the AIA fails to validate.

I've attempted to re-issue the subordinate CA and client authentication CAs from the subordinate CA multiple times while troubleshooting. The many times I've re-issued the subordinate CA and republished to AD is why I'm seeing so many "wrong issuer" entries in the URL Retrieval Tool and certutil -verify results, I assume. The interesting thing is that if I double-click an AIA URL from the URL Retrieval Tool, it pulls up the cert just fine. Same if I manually enter the http URL into the browser. No problems downloading the file.
It may be worth noting that the new subordinate CA that I'm trying to set up is an enterprise CA for a new domain, which is distinct from other CAs in the environment.

certutil -verify -urlfetch .\client.cer  
Issuer:  
    CN=ISSUINGCA  
    DC=DOMAIN  
    DC=com  
  Name Hash(sha1): 2419e7c4831a30c217c1c19f17171011461b71c8  
  Name Hash(md5): 3c17b1488f24b645d617e5b14b9345fe  
Subject:  
    EMPTY (DNS Name=SERVER1.Domain.com)  
  Name Hash(sha1): f944d3d635f6801f7ac90a407fbc419964ded02d  
  Name Hash(md5): a46c3b54f2c9871cd81daf7a932499c0  
Cert Serial Number: 1000000129f1681185b1b2c13b100310001021  
  
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)  
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)  
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)  
HCCE_LOCAL_MACHINE  
CERT_CHAIN_POLICY_BASE  
-------- CERT_CHAIN_CONTEXT --------  
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)  
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)  
  
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)  
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)  
  
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040  
  Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com  
  NotBefore: 9/22/2021 1:44 PM  
  NotAfter: 9/21/2024 1:44 PM  
  Subject:  
  Serial: 1000000129f1681185b1b2c13b100310001021  
  SubjectAltName: DNS Name=SERVER1.Domain.com  
  Template: Client Authentication  
  Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022  
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)  
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)  
  ----------------  Certificate AIA  ----------------  
  Wrong Issuer "Certificate (0)" Time: 0 e26fc7916dbb3876dbb8a19aa123be00801d9f82  
    [0.0] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority  
  
  Wrong Issuer "Certificate (1)" Time: 0 faa93a3835535ec198a141f653210ede10bc9499  
    [0.1] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority  
  
  Wrong Issuer "Certificate (2)" Time: 0 9de6e01d9263795f3cbfe47ec79584b00f4d624a  
    [0.2] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority  
  
  Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d  
    [0.3] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority  
  
  Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d  
    [1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA.Domain.com_ISSUINGCA(3).crt  
  
  ----------------  Certificate CDP  ----------------  
  Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593  
    [0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint  
  
  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59  
    [0.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint  
  
  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59  
    [0.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl  
  
  Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593  
    [1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3).crl  
  
  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59  
    [1.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint  
  
  Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59  
    [1.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl  
  
  ----------------  Certificate OCSP  ----------------  
  No URLs "None" Time: 0 (null)  
  --------------------------------  
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication  
  
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040  
  Issuer: CN=rootCA  
  NotBefore: 9/22/2021 1:41 PM  
  NotAfter: 9/22/2026 1:51 PM  
  Serial: 1400000011d8721cb3c4e98ab1000100000011  
  Template: SubCA  
  Cert: dca0ab2d0af47a16f794f924011a974cb269894d  
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)  
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)  
  ----------------  Certificate AIA  ----------------  
  Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3  
    [0.0] http://ISSUINGCA-OLD.domain.org/pki/RootCA_rootCA(1).crt  
  
  Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3  
    [1.0] http://IssuingCA.domain.com/pki/RootCA_rootCA(1).crt  
  
  ----------------  Certificate CDP  ----------------  
  Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778  
    [0.0] http://ISSUINGCA-OLD.domain.org/pki/rootCA.crl  
  
  Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778  
    [1.0] http://IssuingCA.domain.com/pki/rootCA.crl  
  
  ----------------  Certificate OCSP  ----------------  
  No URLs "None" Time: 0 (null)  
  --------------------------------  
  Issuance[0] = 1.3.6.1.4.1.311.21.8.2657365.3421506.8416519.5442337.5312189.261.125075.5566931  
  
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0  
  Issuer: CN=rootCA  
  NotBefore: 5/5/2020 2:14 PM  
  NotAfter: 9/14/2031 12:50 PM  
  Subject: CN=rootCA  
  Serial: 49acc47b01c16b944761cfdc1955d700  
  Cert: b054726a8af29e9a9aff1bdd474ea01c002e61c3  
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)  
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  No URLs "None" Time: 0 (null)  
  --------------------------------  
  
Exclude leaf cert:  
  Chain: 5b59450568ae68844c4fffda219ac9de481fbbd6  
Full chain:  
  Chain: 796780d4fefa26bb605ae89a6fcfa0a47338fcdd  
  Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com  
  NotBefore: 9/22/2021 1:44 PM  
  NotAfter: 9/21/2024 1:44 PM  
  Subject:  
  Serial: 1000000129f1681185b1b2c13b100310001021  
  SubjectAltName: DNS Name=SERVER1.Domain.com  
  Template: Client Authentication  
  Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022  
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)  
------------------------------------  
Revocation check skipped -- server offline  
  
ERROR: Verifying leaf certificate revocation status returned The certificate is not in the revocation server's database. 0x80092014 (-2146885612 CRYPT_E_NOT_IN_REVOCATION_DATABASE)  
CertUtil: The certificate is not in the revocation server's database.  
  
CertUtil: -verify command completed successfully.  

URL Retrieval Tool: (screenshots 134288-url-retrieval-aia.png, 134452-url-retrieval-cdp.png)

PKI View: (screenshot 134481-pkiviewsubca.png)
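The post assumes the "Wrong Issuer" lines under the leaf's AIA section are the superseded subordinate CA certificates left on the AD AIA object by the repeated re-issues. The following added example (not code from the post) checks that directly: it chains the leaf locally to find which subCA certificate CryptoAPI treats as the issuer, then reads every cACertificate value published on the CA's AIA object in the configuration partition and marks the one that matches. The CA name and DN suffix are taken from the post; the leaf file path is an assumption, and the script needs to run on a domain-joined machine with read access to the configuration partition (the default for authenticated users).

```powershell
# Added example, not from the original post: list every cACertificate value
# published on the issuing CA's AIA object in AD and mark the one that is the
# leaf's issuer. certutil -urlfetch tries each published value as a candidate
# issuer; values that are not the leaf's issuer show up as "Wrong Issuer".
# CA name and DN suffix are from the post; the leaf path is an assumption.

param(
    [string]$LeafCertPath = 'C:\temp\client.cer',                # assumed path
    [string]$CaName       = 'ISSUINGCA',                          # from the post
    [string]$ConfigDn     = 'CN=Configuration,DC=DOMAIN,DC=com'   # from the post
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. Chain the leaf locally without revocation checking, only to learn which
#    certificate CryptoAPI selects as the subordinate CA (CertContext[0][1]
#    in the certutil dump above).
$leaf  = New-Object "$X509.X509Certificate2" $LeafCertPath
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($leaf)
if ($chain.ChainElements.Count -lt 2) {
    throw "Cannot chain $LeafCertPath to an issuer on this machine; install the issuing CA certificate first."
}
$subCa = $chain.ChainElements[1].Certificate
"Issuer selected for the leaf: {0}`n  thumbprint {1}`n  serial     {2}" -f $subCa.Subject, $subCa.Thumbprint, $subCa.SerialNumber

# 2. Read the AIA object from the forest configuration partition. The DN has
#    the same shape as the ldap:/// URLs in the leaf's AIA extension.
$aiaDn  = "CN=$CaName,CN=AIA,CN=Public Key Services,CN=Services,$ConfigDn"
$aiaObj = [ADSI]"LDAP://$aiaDn"
try   { $values = $aiaObj.Properties['cACertificate'] }
catch { throw "Cannot read $aiaDn : $($_.Exception.Message)" }

$published = for ($i = 0; $i -lt $values.Count; $i++) {
    # Index the PropertyValueCollection directly so each byte[] stays one
    # value instead of being unrolled into single bytes by the pipeline.
    $c = New-Object "$X509.X509Certificate2" (,[byte[]]$values[$i])
    [pscustomobject]@{
        Index         = $i
        Thumbprint    = $c.Thumbprint
        Serial        = $c.SerialNumber
        NotBefore     = $c.NotBefore
        NotAfter      = $c.NotAfter
        IsChainIssuer = ($c.Thumbprint -eq $subCa.Thumbprint)
    }
}
$published | Sort-Object NotBefore | Format-Table -AutoSize

# 3. The two facts a PKI admin wants before chasing the revocation error.
$current = @($published | Where-Object IsChainIssuer)
$stale   = @($published | Where-Object { -not $_.IsChainIssuer })
if ($current.Count -ne 1) {
    Write-Warning "Expected exactly one published certificate matching the subCA in the chain, found $($current.Count); the AIA object and the CA's current certificate are out of sync."
}
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) superseded subCA certificate(s) are still published on $aiaDn; each one produces a 'Wrong Issuer' entry in certutil -verify -urlfetch."
}
```

In the dump above, the published value whose thumbprint equals the subCA element (dca0ab2d0af47a16f794f924011a974cb269894d) is "Certificate (3)", the only one certutil did not label "Wrong Issuer"; its line reads "Revocation Check Failed" because the subCA's own element carries CERT_TRUST_REVOCATION_STATUS_UNKNOWN, so the stale entries are noise and the revocation status of the subCA certificate is the thing to chase.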


1 answer
  1. James Epp 21 Reputation points
    2024-01-13T04:31:42.4633333+00:00

    I'll admit I didn't read through the entire OP, but I was experimenting with an ADCS PKI and noticed I got this behavior if the computer that certutil -url was being run on DID NOT trust the root CA. If the root CA was installed into the trusted root store and certutil was run again, this error would go away and you'd get the expected response (Verified, or a more useful error).

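The check the answer describes, as an added example that is not part of the answer: confirm whether the machine running certutil trusts the chain's root, build the leaf's chain with online revocation checking the way certutil -verify does (root excluded), print the chain status flags before and after trusting the root, then re-run the command from the post. The root file name is the one from the AIA URL in the post; both file paths are assumptions, and the script has to run elevated because it writes to the LocalMachine Root store.

```powershell
# Added example, not part of the answer above: is the root trusted on this
# machine, and what do the chain status flags look like before and after
# trusting it? Both paths are assumptions; run elevated.

param(
    [string]$LeafCertPath = 'C:\temp\client.cer',             # assumed
    [string]$RootCertPath = 'C:\temp\RootCA_rootCA(1).crt'    # assumed location
)

$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-ChainReport {
    # Build the chain the way certutil -verify does: online revocation, root
    # excluded from the revocation check. X509ChainStatusFlags names map to
    # the CERT_TRUST_* values in certutil's dump (UntrustedRoot,
    # RevocationStatusUnknown, OfflineRevocation, ...).
    param([Parameter(Mandatory)]$Cert)
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        Built       = $built
        ChainStatus = (($chain.ChainStatus | ForEach-Object Status) -join ', ')
        Elements    = @($chain.ChainElements | ForEach-Object {
            '{0}  [{1}]' -f $_.Certificate.Subject,
                (($_.ChainElementStatus | ForEach-Object Status) -join ',')
        })
    }
}

$leaf = New-Object "$X509.X509Certificate2" $LeafCertPath
$root = New-Object "$X509.X509Certificate2" $RootCertPath

# 1. Is the root in the machine's trusted root store? certutil -verify runs
#    against HCCE_LOCAL_MACHINE, so the LocalMachine store is the one to check.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
"Root '{0}' ({1}) trusted by this machine: {2}" -f $root.Subject, $root.Thumbprint, [bool]$trusted

'--- chain status before ---'
Get-ChainReport $leaf | Format-List

# 2. If it is not trusted, the flags above include UntrustedRoot. Install the
#    root into LocalMachine\Root (Import-Certificate does the same) and rebuild.
if (-not $trusted) {
    certutil -addstore -f Root $RootCertPath | Out-Null
    '--- chain status after trusting the root ---'
    Get-ChainReport $leaf | Format-List
}

# 3. The command from the post, for the full AIA/CDP retrieval trace.
certutil -verify -urlfetch $LeafCertPath
```

If the "before" report already shows no UntrustedRoot flag, the cause this answer names does not apply to that machine. In the dump in the question the root element (CertContext[0][2]) has dwErrorStatus=0 and no CERT_TRUST_IS_UNTRUSTED_ROOT, and it is the subCA element that carries CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION, so the subCA certificate's revocation data is where to look next there.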