Certificate revocation check fails, server offline

SalutAToi 21 Reputation points
2020-11-09T11:55:52.973+00:00

Hi !

I'm coming to you as my limited PKI knowledge does not help me to solve that issue. I've built an Enterprise PKI and made sure AIA and CDP information were added to certificates and published that information on a web-facing server. The CRL and certificates for both the sub CA and root CA are downloadable from anywhere.

While the CRL check seems to be working for RDP and most applications using LDAPS (or they might just not do it properly, not sure), the revocation check fails on one application. I've performed a CRL check on the end certificate for the domain controller (LDAPS) via certutil -f -urlfetch -verify; the result is as follows:

Issuer:
    CN=Company Generic Sub CA 01
    O=Company
    C=AU
  Name Hash(sha1): redacted
  Name Hash(md5): redacted
Subject:
    EMPTY (DNS Name=cc-dc-03.company.local)
  Name Hash(sha1): redacted
  Name Hash(md5): redacted
Cert Serial Number: redacted

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=Company Generic Sub CA 01, O=Company, C=AU
  NotBefore: 7/14/2020 8:07 PM
  NotAfter: 7/14/2021 8:07 PM
  Subject: 
  Serial: redacted
  SubjectAltName: DNS Name=cc-dc-03.company.local
  Template: CC Domain Controller Authentication
  Cert: redacted
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 redacted
    [0.0] http://pki.company.com/cc-sca-01.company.local.cer

  ----------------  Certificate CDP  ----------------
  Expected Base CRL "Delta CRL (3f)" Time: 0 redacted
    [0.0] http://pki.company.com/cc-sca-01.company.local.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Company Root CA, O=Company, C=AU
  NotBefore: 7/8/2020 9:47 PM
  NotAfter: 7/6/2030 9:47 PM
  Subject: CN=Company Generic Sub CA 01, O=Company, C=AU
  Serial: a731cfae3cd83f3c
  Template: SubCA
  Cert: 283a0f36c5fe237b551ac632c73fb9177fb58bd0
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 redacted
    [0.0] http://pki.company.com/cc-rca-01.company.local.cer

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (1008)" Time: 0 redacted
    [0.0] http://pki.company.com/cc-rca-01.company.local.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 1008:
    Issuer: CN=Company Root CA, O=Company, C=AU
    ThisUpdate: 7/8/2020 10:04 PM
    NextUpdate: 7/6/2030 10:04 PM
    CRL: redacted

CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: CN=Company Root CA, O=Company, C=AU
  NotBefore: 7/7/2020 10:14 PM
  NotAfter: 7/2/2040 10:14 PM
  Subject: CN=Company Root CA, O=Company, C=AU
  Serial: redacted
  Cert: redacted
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 redacted
    [0.0] http://pki.company.com/cc-rca-01.company.local.cer

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (1008)" Time: 0 redacted
    [0.0] http://pki.company.com/cc-rca-01.company.local.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 1008:
    Issuer: CN=Company Root CA, O=Company, C=AU
    ThisUpdate: 7/8/2020 10:04 PM
    NextUpdate: 7/6/2030 10:04 PM
    CRL: redacted

Exclude leaf cert:
  Chain: redacted
Full chain:
  Chain: redacted
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

I'm guessing it has something to do with 'Expected Base CRL "Delta CRL (3f)"'? ADCS is configured to publish the delta CRLs. Don't pay attention to untrusted root, I used the command on an off-domain computer which doesn't trust the root CA. EDIT: Ran the command from a domain computer and modified the output above, this is not relevant anymore.

If you can help, that'd be great :)


Answer accepted by question author
  1. Vadims Podāns 9,266 Reputation points MVP
    2020-11-09T13:13:25.097+00:00

    I bet that the HTTP CDP URL on your issuing CA does not include the <DeltaCRLAllowed> variable at the end of the file name. As a result, both Base and Delta CRLs are written to the same file, and the Delta CRL overwrites the Base CRL, while it is expected to have the Base CRL. Update file publication and HTTP URLs and re-publish CRLs, e.g.

    http://pki.company.com/cc-sca-01.company<CRLNameSuffix><DeltaCRLAllowed>.local.cer
    

    The file publication path should be updated accordingly to include these two variables.

    1 person found this answer helpful.
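As an added illustration (not part of the thread, and not ADCS code), the following models the two halves of the diagnosis: how the CDP name variables named in the accepted answer expand, and how a fetched .crl file can be recognised as a delta CRL by its Delta CRL Indicator extension, which is what certutil's `Expected Base CRL "Delta CRL (3f)"` line in the question is reporting. Assumptions: my reading of the documented ADCS behaviour is that <CRLNameSuffix> is empty for the original CA key and "(n)" after n key renewals, and <DeltaCRLAllowed> becomes "+" in a delta CRL name and nothing in a base CRL name; the sample CRL the code walks is a constructed, unsigned skeleton, not a real CRL.

```python
DELTA_CRL_INDICATOR_OID = bytes.fromhex("551d1b")  # id-ce-deltaCRLIndicator (2.5.29.27)
CRL_NUMBER_OID = bytes.fromhex("551d14")           # id-ce-cRLNumber (2.5.29.20)

def expand_crl_name(template: str, delta: bool, key_index: int = 0) -> str:
    """Expand the ADCS publication variables used in CDP/file paths (assumed semantics,
    see lead-in): <CRLNameSuffix> -> "" or "(n)", <DeltaCRLAllowed> -> "+" for a delta."""
    suffix = "" if key_index == 0 else f"({key_index})"
    return (template.replace("<CRLNameSuffix>", suffix)
            .replace("<DeltaCRLAllowed>", "+" if delta else ""))

def delta_overwrites_base(template: str) -> bool:
    """True when base and delta CRL resolve to the same file name, the bug in the thread."""
    return expand_crl_name(template, False) == expand_crl_name(template, True)

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder for the constructed sample (short-form lengths only)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _walk(der: bytes):
    """Yield (tag, body) for every DER node, descending into constructed nodes."""
    pos = 0
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the size
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        body, pos = der[pos:pos + length], pos + length
        yield tag, body
        if tag & 0x20:  # constructed (SEQUENCE, SET, [0] EXPLICIT ...): recurse
            yield from _walk(body)

def is_delta_crl(der: bytes) -> bool:
    """A base CRL must not carry id-ce-deltaCRLIndicator; if the file at the base CDP URL
    does, certutil reports 'Expected Base CRL "Delta CRL (n)"' and revocation fails."""
    return any(tag == 0x06 and body == DELTA_CRL_INDICATOR_OID for tag, body in _walk(der))

def build_sample_crl(delta: bool, number: int = 0x3F) -> bytes:
    """Constructed, unsigned CRL skeleton: version, [0] crlExtensions, empty signature.
    Only the CRL-level extensions that matter here are present; this is not a real CRL."""
    exts = [_tlv(0x30, _tlv(0x06, CRL_NUMBER_OID) + _tlv(0x04, _tlv(0x02, bytes([number]))))]
    if delta:  # the indicator names the base CRL number this delta extends
        exts.append(_tlv(0x30, _tlv(0x06, DELTA_CRL_INDICATOR_OID)
                         + _tlv(0x04, _tlv(0x02, bytes([number - 1])))))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0xA0, _tlv(0x30, b"".join(exts))))
    return _tlv(0x30, tbs + _tlv(0x03, b"\x00"))
```

To check a real published file, read the bytes fetched from the base CDP URL and pass them to is_delta_crl; a True result means the delta CRL has overwritten the base CRL at that location.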

3 additional answers

  1. Vadims Podāns 9,266 Reputation points MVP
    2020-11-09T12:02:57.947+00:00

    Don't pay attention to untrusted root

    But I would. Because an untrusted root always leads to a "Revocation Offline" error.

    1 person found this answer helpful.

  2. SalutAToi 21 Reputation points
    2020-11-09T12:09:53.45+00:00

    Here's an updated version that has been run from a domain computer, which trusts the root CA. Thanks for the heads up, Crypt32.
