1,922 questions
CRL Checking
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 1%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Richard Stafford
1
Reputation point
I have a customer that is using a commercial application. That applications vendor has provided me and the customer with a self signed certificate. My client application to this customers application is having a connection issue. I see the same connection issues when using curl to the customers endpoint.
C:\Users\A-STAFFRX>curl "https://ua00991d.---.com:18124/"
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
If I load the customers certificate in 'trusted root certification' I get this.
C:\Users\A-STAFFRX>curl "https://ua00991d.---.com:18124/"
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
These are the same responses I get when I try to connect to the customers application from my c# client.
- Can you provide some information about certificates and crl's and how this is suppose to be configured?.
- How are crls's suppose to be managed when using self signed certificates.
- Does the owner of this certificate need to be using a CA instead of self signing the certificate?
- Could there be some configuration on my 2016 windows server that is preventing this connection or not allowing some needed services to operate on this certificate or a crl? The support staff of the commercial application states, other servers connect to their service just fine with the same connection source we are using.
Windows for business Windows Server Devices and deployment Configure application groups
{count} votes
-
Richard Stafford 1 Reputation point
2021-03-03T14:01:55.717+00:00 In looking at the self signed certificate that was provided by vendor. It has no CRL Distribution points defined. Given that what is my client application or curl trying to check?
-
Vadims Podāns 9,186 Reputation points MVP2021-03-03T15:27:03.09+00:00 TLS endpoint uses the certificate that chains up to their provided root certificate. And this certificate has broken CDP URLs. You need to contact your vendor and ask them to fix this issue.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-03-09T05:26:56.797+00:00 Hello @Richard Stafford ,
Thank you for posting here.
Hope the information provided by Crypt32 was helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou -
Richard Stafford 1 Reputation point
2021-03-10T02:40:42.75+00:00 Thank you Daisy. We still have some questions, I'll reply to crypt32.
-
Anonymous
2021-03-10T07:28:56.037+00:00 Hello @Richard Stafford ,
Thank you for your update.
If there is any update, please reply here or share the solution here.
Thank you in advance.
Best Regards,
Daisy Zhou -
Richard Stafford 1 Reputation point
2021-03-11T18:15:45.89+00:00 Thank you for your time to reply Crypt32. I'm collecting some details on the certificate to see if we can identify any broken CDP URL's. Do you know why this certificate would work on some window's servers and not others? What is it that would cause this revocation check error on one server, but not on other window servers?
-
Vadims Podāns 9,186 Reputation points MVP
2021-03-11T22:12:11.17+00:00 Million reasons can cause. It would be better if you could get a certificate on a machine where it fails and run
certutil -verify -urlfetch certfile.ceragainst your certificate and post certutil output. Then we can say more about your issue. -
Vadims Podāns 9,186 Reputation points MVP
2021-03-11T22:14:52.95+00:00 Does the owner of this certificate need to be using a CA instead of self signing the certificate?
absolutely.
I bet that relying party has poor knowledge of PKI and/or misconfigured environment and since you are a consumer, it is their responsibility to make their usage flawless and secure.
-
Richard Stafford 1 Reputation point
2021-03-11T23:45:28.103+00:00 Sending certutil responce in comments. my company is blocking any attachment, Sorry
certutil -verify -urlfetch ftl-trust.pem
Issuer:
CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Name Hash(sha1): ed09a0f9fcd3261398e5fb10a896d6b95c83eb0a
Name Hash(md5): 98ccdc5caaf1b8d92dbc6440b033454a
Subject:
CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Name Hash(sha1): ed09a0f9fcd3261398e5fb10a896d6b95c83eb0a
Name Hash(md5): 98ccdc5caaf1b8d92dbc6440b033454a
Cert Serial Number: 01dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
-
Richard Stafford 1 Reputation point
2021-03-11T23:46:21.197+00:00 SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=10a dwErrorStatus=20
Issuer: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
NotBefore: 1/12/2021 6:39 PM
NotAfter: 1/18/2038 10:14 PM
Subject: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Serial: 01
Cert: fabc203530fea0fef067cfd9da258d937a71ab56
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
-
Richard Stafford 1 Reputation point
2021-03-11T23:47:47.037+00:00 Exclude leaf cert:
Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
Chain: fabc203530fea0fef067cfd9da258d937a71ab56
Issuer: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
NotBefore: 1/12/2021 6:39 PM
NotAfter: 1/18/2038 10:14 PM
Subject: CN=TPORT-ROOT:937b76cc-d11b-4d6b-8156-24e410c23d8e
Serial: 01
Cert: fabc203530fea0fef067cfd9da258d937a71ab56A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
Verifies against UNTRUSTED root
Cert is a CA certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully. -
Vadims Podāns 9,186 Reputation points MVP
2021-03-12T07:07:06.927+00:00 Is this a TLS certificate you get with CURL?
Sign in to comment
Sign in to answer