I'll admit I didn't read through the entire OP, but I was experimenting with an ADCS PKI and noticed I got this behavior if the computer that certutil -url was being run on DID NOT trust the root CA. If the root CA was installed into the trusted root store and certutil was run again, this error would go away and you'd get the expected response (Verified, or a more useful error).
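As an added example (not code from the reply's author or from the OP), here is a PowerShell script that builds the chain for the leaf certificate the way certutil -verify -urlfetch does in the dump above (machine context, online revocation, root excluded from the revocation check) and then performs the check the reply describes: whether the certificate the chain ends in is actually present in LocalMachine\Root. The file path and the expected root thumbprint (taken from the rootCA "Cert:" line in the dump) are assumptions.

```powershell
# Added example, not part of the original thread. Assumes client.cer is in the
# current directory and that the root thumbprint below is the one you expect.
param(
    [string]$CertPath = '.\client.cer',
    # SHA1 of rootCA as shown on the "Cert:" line of the chain dump (assumption)
    [string]$ExpectedRootThumbprint = 'B054726A8AF29E9A9AFF1BDD474EA01C002E61C3'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$leaf = New-Object "$x509.X509Certificate2" ($CertPath)

# $true = machine context, matching HCCE_LOCAL_MACHINE in the certutil trace
$chain = New-Object "$x509.X509Chain" ($true)
$chain.ChainPolicy.RevocationMode  = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# Same as CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
$chain.ChainPolicy.RevocationFlag  = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$null = $chain.Build($leaf)

# One line per element, comparable to the CertContext[0][n] lines certutil prints
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    "[{0}] {1}`n     thumbprint={2}`n     status={3}" -f $i, $el.Certificate.Subject, $el.Certificate.Thumbprint, $status
}

# The reply's diagnosis: is the top of the chain a trusted root on THIS machine?
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($inRootStore) {
    "Top of chain '{0}' ({1}) is in LocalMachine\Root; trust is not the problem, so look at the AIA/CDP URLs next." -f $top.Subject, $top.Thumbprint
} else {
    "Top of chain '{0}' ({1}) is NOT in LocalMachine\Root; import it there and re-run certutil -verify -urlfetch." -f $top.Subject, $top.Thumbprint
}
if ($top.Thumbprint -ne $ExpectedRootThumbprint) {
    "Warning: the chain ended at {0}, not at the expected rootCA {1}." -f $top.Thumbprint, $ExpectedRootThumbprint
}
```

Run it from an elevated prompt so the LocalMachine store and machine-context chain engine are the ones certutil uses; RevocationStatusUnknown or OfflineRevocation on every element alongside a missing root is the pattern the reply refers to.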
Certificate AIA Revocation Check Failed
I’m having difficulties setting up a new subordinate CA with a pre-existing offline root. The root CA and the new subordinate CA verify successfully when using “certutil -verify -urlfetch”. When I run this against any certificate issued by the new subordinate CA, the AIA fails to validate.
I've attempted to re-issue the subordinate CA and the client authentication certificates from the subordinate CA multiple times while troubleshooting. The many times I've re-issued the subordinate CA and republished to AD is why I'm seeing so many "wrong issuer" entries in the URL Retrieval Tool and the certutil -verify results, I assume. The interesting thing is that if I double-click an AIA URL in the URL Retrieval Tool, it pulls up the cert just fine. Same if I manually enter the http URL into the browser. No problems downloading the file.
It may be worth noting that the new subordinate CA I'm trying to set up is an enterprise CA for a new domain, which is distinct from the other CAs in the environment.
certutil -verify -urlfetch .\client.cer
Issuer:
CN=ISSUINGCA
DC=DOMAIN
DC=com
Name Hash(sha1): 2419e7c4831a30c217c1c19f17171011461b71c8
Name Hash(md5): 3c17b1488f24b645d617e5b14b9345fe
Subject:
EMPTY (DNS Name=SERVER1.Domain.com)
Name Hash(sha1): f944d3d635f6801f7ac90a407fbc419964ded02d
Name Hash(md5): a46c3b54f2c9871cd81daf7a932499c0
Cert Serial Number: 1000000129f1681185b1b2c13b100310001021
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com
NotBefore: 9/22/2021 1:44 PM
NotAfter: 9/21/2024 1:44 PM
Subject:
Serial: 1000000129f1681185b1b2c13b100310001021
SubjectAltName: DNS Name=SERVER1.Domain.com
Template: Client Authentication
Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0 e26fc7916dbb3876dbb8a19aa123be00801d9f82
[0.0] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (1)" Time: 0 faa93a3835535ec198a141f653210ede10bc9499
[0.1] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (2)" Time: 0 9de6e01d9263795f3cbfe47ec79584b00f4d624a
[0.2] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d
[0.3] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d
[1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA.Domain.com_ISSUINGCA(3).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593
[0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[0.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[0.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl
Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593
[1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3).crl
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[1.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[1.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=rootCA
NotBefore: 9/22/2021 1:41 PM
NotAfter: 9/22/2026 1:51 PM
Serial: 1400000011d8721cb3c4e98ab1000100000011
Template: SubCA
Cert: dca0ab2d0af47a16f794f924011a974cb269894d
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3
[0.0] http://ISSUINGCA-OLD.domain.org/pki/RootCA_rootCA(1).crt
Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3
[1.0] http://IssuingCA.domain.com/pki/RootCA_rootCA(1).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778
[0.0] http://ISSUINGCA-OLD.domain.org/pki/rootCA.crl
Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778
[1.0] http://IssuingCA.domain.com/pki/rootCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Issuance[0] = 1.3.6.1.4.1.311.21.8.2657365.3421506.8416519.5442337.5312189.261.125075.5566931
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=rootCA
NotBefore: 5/5/2020 2:14 PM
NotAfter: 9/14/2031 12:50 PM
Subject: CN=rootCA
Serial: 49acc47b01c16b944761cfdc1955d700
Cert: b054726a8af29e9a9aff1bdd474ea01c002e61c3
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 5b59450568ae68844c4fffda219ac9de481fbbd6
Full chain:
Chain: 796780d4fefa26bb605ae89a6fcfa0a47338fcdd
Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com
NotBefore: 9/22/2021 1:44 PM
NotAfter: 9/21/2024 1:44 PM
Subject:
Serial: 1000000129f1681185b1b2c13b100310001021
SubjectAltName: DNS Name=SERVER1.Domain.com
Template: Client Authentication
Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The certificate is not in the revocation server's database. 0x80092014 (-2146885612 CRYPT_E_NOT_IN_REVOCATION_DATABASE)
CertUtil: The certificate is not in the revocation server's database.
CertUtil: -verify command completed successfully.
PS C:\Windows\system32> certutil -verify -urlfetch C:\Users\user.account\desktop\client.cer
Issuer:
CN=ISSUINGCA
DC=DOMAIN
DC=com
Name Hash(sha1): 2419e7c4831a30c217c1c19f17171011461b71c8
Name Hash(md5): 3c17b1488f24b645d617e5b14b9345fe
Subject:
EMPTY (DNS Name=SERVER1.Domain.com)
Name Hash(sha1): f944d3d635f6801f7ac90a407fbc419964ded02d
Name Hash(md5): a46c3b54f2c9871cd81daf7a932499c0
Cert Serial Number: 1000000129f1681185b1b2c13b100310001021
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com
NotBefore: 9/22/2021 1:44 PM
NotAfter: 9/21/2024 1:44 PM
Subject:
Serial: 1000000129f1681185b1b2c13b100310001021
SubjectAltName: DNS Name=SERVER1.Domain.com
Template: Client Authentication
Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0 e26fc7916dbb3876dbb8a19aa123be00801d9f82
[0.0] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (1)" Time: 0 faa93a3835535ec198a141f653210ede10bc9499
[0.1] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (2)" Time: 0 9de6e01d9263795f3cbfe47ec79584b00f4d624a
[0.2] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d
[0.3] ldap:///CN=ISSUINGCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (3)" Time: 0 dca0ab2d0af47a16f794f924011a974cb269894d
[1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA.Domain.com_ISSUINGCA(3).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593
[0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[0.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[0.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl
Verified "Base CRL (16)" Time: 0 19a117eb69d4aa04a405738b11b19de536239593
[1.0] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3).crl
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[1.0.0] ldap:///CN=ISSUINGCA(3),CN=ISSUINGCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (16)" Time: 0 602626cd40f3cad4ece9b17b505709c3aad26c59
[1.0.1] http://ISSUINGCA.Domain.com/pki/ISSUINGCA(3)+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][3]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=rootCA
NotBefore: 9/22/2021 1:41 PM
NotAfter: 9/22/2026 1:51 PM
Subject: CN=ISSUINGCA, DC=DOMAIN, DC=com
Serial: 1400000011d8721cb3c4e98ab1000100000011
Template: SubCA
Cert: dca0ab2d0af47a16f794f924011a974cb269894d
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3
[0.0] http://ISSUINGCA-OLD.domain.org/pki/RootCA_rootCA(1).crt
Verified "Certificate (0)" Time: 0 b054726a8af29e9a9aff1bdd474ea01c002e61c3
[1.0] http://IssuingCA.domain.com/pki/RootCA_rootCA(1).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778
[0.0] http://ISSUINGCA-OLD.domain.org/pki/rootCA.crl
Verified "Base CRL (0e)" Time: 0 73886d6b38bd35a8547b2bb52f44ec4d06f22778
[1.0] http://IssuingCA.domain.com/pki/rootCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Issuance[0] = 1.3.6.1.4.1.311.21.8.2657365.3421506.8416519.5442337.5312189.261.125075.5566931
CertContext[0][4]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=rootCA
NotBefore: 5/5/2020 2:14 PM
NotAfter: 9/14/2031 12:50 PM
Subject: CN=rootCA
Serial: 49acc47b01c16b944761cfdc1955d700
Cert: b054726a8af29e9a9aff1bdd474ea01c002e61c3
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 5b59450568ae68844c4fffda219ac9de481fbbd6
Full chain:
Chain: 796780d4fefa26bb605ae89a6fcfa0a47338fcdd
Issuer: CN=ISSUINGCA, DC=DOMAIN, DC=com
NotBefore: 9/22/2021 1:44 PM
NotAfter: 9/21/2024 1:44 PM
Subject:
Serial: 1000000129f1681185b1b2c13b100310001021
SubjectAltName: DNS Name=SERVER1.Domain.com
Template: Client Authentication
Cert: 6c0ed83d7d868840db81d2313f9c8ea1e33b8022
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The certificate is not in the revocation server's database. 0x80092014 (-2146885612 CRYPT_E_NOT_IN_REVOCATION_DATABASE)
CertUtil: The certificate is not in the revocation server's database.
CertUtil: -verify command completed successfully.
URL Retrieval Tool:
PKI View: