Exchange Online & certutil reject CRL with error CRYPT_E_REVOCATION_OFFLINE
Context: a custom CKMS, configured with a Root CA cert and one (relevant) Intermediate CA cert. The Root CA is self-signed (of course) and trusted in the user device's cert store (Local Machine).
Problem: Both Exchange Online and certutil give the error CRYPT_E_REVOCATION_OFFLINE when validating the certificate (with CRL check).
Extra: We do NOT use ADCS. Both the CRL and AIA cert are returned in DER format. The CRL and CA certs are all valid. The URL Retrieval Tool shows no issues, both AIA and CDP show as 'Verified'. We only support Base CRL, so no naming collisions with Delta CRLs. The CRL contains 0 revoked certificates. In my testing environment the CRL etc. are hosted on a local server (so admin.demo.com resolves to a local ip address).
Result from the command "certutil.exe -verify -urlfetch '.\signingca_demo.der'" as run in PowerShell:
Issuer:
C=AD
CN=Demo PCA
Name Hash(sha1): d155016f164e81af14ae84d989b7927d5c8b146c
Name Hash(md5): 960a5e7e3d3920f274cc101774339228
Subject:
C=AD
CN=Demo Signing CA
Name Hash(sha1): ab3e610733780cde1d5f5aec581818480c6f2d03
Name Hash(md5): f9785cf81d2b4669eac2a0f2e154aa6e
Cert Serial Number: ab0a47552fac47e4ab91563677e3453f
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: C=AD, CN=Demo PCA
NotBefore: 08/18/2021 14:10
NotAfter: 08/16/2031 15:10
Subject: C=AD, CN=Demo Signing CA
Serial: ab0a47552fac47e4ab91563677e3453f
Cert: 9b37cb4d7dc40a0b05969c26cf63a0f362c6d146
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 8e1a7e57efdbf5834e62b3fcc48001b094c1d17c
[0.0] http://admin.demo.com:8000/ca/1.0.2/primary/8e1a7e57efdbf5834e62b3fcc48001b094c1d17c.crt
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0 bb8a8d5f5de5eab8e4cd58acfad9399adb7999ff
[0.0] http://admin.demo.com/demo_signingca.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: C=AD, CN=Demo PCA
NotBefore: 08/18/2021 14:10
NotAfter: 08/16/2031 15:10
Subject: C=AD, CN=Demo PCA
Serial: 78315e2f662c4612bd698316e32d36fe
Cert: 8e1a7e57efdbf5834e62b3fcc48001b094c1d17c
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0 766581c3bd3cbb0693692a5075b2cfec1f2facc2
[0.0] http://admin.demo.com/demo_pca.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 9b37cb4d7dc40a0b05969c26cf63a0f362c6d146
Full chain:
Chain: 07bb1b997d10a1da8d8755fea2c4caac029426ba
Issuer: C=AD, CN=Demo PCA
NotBefore: 08/18/2021 14:10
NotAfter: 08/16/2031 15:10
Subject: C=AD, CN=Demo Signing CA
Serial: ab0a47552fac47e4ab91563677e3453f
Cert: 9b37cb4d7dc40a0b05969c26cf63a0f362c6d146
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
I've (only) sanitized the CA names and URLs for privacy reasons.
The error CRYPT_E_REVOCATION_OFFLINE appears to be misleading as all the contacted endpoints are online and they validate correctly as well. The error does not occur with GlobalSign or DigiCert certificates, so we're trying to find out what our CA does that certutil does not accept.
What could be the cause of the error? And what should/may fix it?
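One thing worth checking when every CDP URL fetches fine but CryptoAPI still reports the revocation server as offline is the content of the CRL itself: Windows only counts a CRL as usable when its issuer name matches the CA certificate, its thisUpdate is not in the future and its nextUpdate has not passed. A CRL that fails those checks is treated as if no CRL were available, which is one documented way to end up with CRYPT_E_REVOCATION_OFFLINE against a perfectly reachable endpoint. The script below is an added diagnostic written for this answer, not code from the question's author or their CKMS: it is a minimal DER parser that pulls version, issuer, thisUpdate, nextUpdate and the revoked-entry count out of a CRL file and flags the freshness problems. It deliberately does not verify the CRL signature (certutil already does that); the issuer names and dates it uses in `demo()` are constructed samples, reusing the sanitized "C=AD, CN=Demo PCA" from the question.

```python
import datetime as dt

# ---- minimal DER encoder, only used to build the constructed sample CRLs ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def seq(*parts): return tlv(0x30, b"".join(parts))
def utctime(t): return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def oid(s):
    a = [int(x) for x in s.split(".")]
    out = [40 * a[0] + a[1]]
    for v in a[2:]:                       # base-128, high bit set on all but last byte
        enc = [v & 0x7F]; v >>= 7
        while v:
            enc.append(0x80 | (v & 0x7F)); v >>= 7
        out += reversed(enc)
    return tlv(0x06, bytes(out))

def name(**rdns):
    """X.501 Name: SEQUENCE OF SET OF { OID, value }. C as PrintableString, CN as UTF8String."""
    oids = {"C": "2.5.4.6", "CN": "2.5.4.3"}
    return seq(*(tlv(0x31, seq(oid(oids[k]), tlv(0x13 if k == "C" else 0x0C, v.encode())))
                 for k, v in rdns.items()))

def build_sample_crl(issuer_der, this_update, next_update):
    """Constructed sample: empty v2 CRL; the signature is a placeholder, not a real one."""
    sha256_rsa = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
    tbs = seq(tlv(0x02, b"\x01"), sha256_rsa, issuer_der, utctime(this_update), utctime(next_update))
    return seq(tbs, sha256_rsa, tlv(0x03, b"\x00" * 9))

# ---- DER reader: enough of ASN.1 to walk RFC 5280's TBSCertList ----
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v); v = 0
    return ".".join(map(str, parts))

OID_NAMES = {"2.5.4.6": "C", "2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}

def decode_name(body):
    rdns = []
    for _, rdn_set in children(body):
        for _, atv in children(rdn_set):
            (_, o), (_, v) = list(children(atv))
            rdns.append(f"{OID_NAMES.get(decode_oid(o), decode_oid(o))}={v.decode()}")
    return ", ".join(rdns)

def decode_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(der):
    _, cert_list, _ = read_tlv(der)
    (_, tbs), _, _ = list(children(cert_list))[:3]       # tbsCertList, sigAlg, signature
    f = list(children(tbs)); i = 0
    info = {"version": 1, "next_update": None, "revoked": 0}
    if f[i][0] == 0x02:                                   # optional version INTEGER
        info["version"] = int.from_bytes(f[i][1], "big") + 1; i += 1
    i += 1                                                # signature AlgorithmIdentifier
    info["issuer"] = decode_name(f[i][1]); i += 1
    info["this_update"] = decode_time(*f[i]); i += 1
    if i < len(f) and f[i][0] in (0x17, 0x18):            # optional nextUpdate
        info["next_update"] = decode_time(*f[i]); i += 1
    if i < len(f) and f[i][0] == 0x30:                    # optional revokedCertificates
        info["revoked"] = len(list(children(f[i][1])))
    return info

def assess_crl(der, expected_issuer, now):
    """Return (parsed fields, list of findings) for the freshness checks CryptoAPI applies."""
    info, findings = parse_crl(der), []
    if info["issuer"] != expected_issuer:
        findings.append(f"issuer mismatch: CRL '{info['issuer']}' vs CA cert '{expected_issuer}'")
    if info["this_update"] > now:
        findings.append("thisUpdate is in the future (clock skew?)")
    if info["next_update"] is None:
        findings.append("nextUpdate absent (RFC 5280 5.1.2.5 requires CRL issuers to set it)")
    elif info["next_update"] <= now:
        findings.append(f"CRL is stale: nextUpdate {info['next_update']:%Y-%m-%d %H:%M}Z has passed")
    return info, findings

def demo():
    """Constructed fresh and stale CRLs for the sanitized issuer from the question."""
    issuer, now = name(C="AD", CN="Demo PCA"), dt.datetime(2021, 9, 1, tzinfo=dt.timezone.utc)
    fresh = build_sample_crl(issuer, now - dt.timedelta(days=1), now + dt.timedelta(days=6))
    stale = build_sample_crl(issuer, now - dt.timedelta(days=30), now - dt.timedelta(days=23))
    return assess_crl(fresh, "C=AD, CN=Demo PCA", now), assess_crl(stale, "C=AD, CN=Demo PCA", now)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: crl_check.py <crl.der> "<issuer as shown by certutil>"
        print(assess_crl(open(sys.argv[1], "rb").read(), sys.argv[2], dt.datetime.now(dt.timezone.utc)))
    else:
        print(demo())
```

Run it against the downloaded demo_signingca.crl with the issuer string exactly as certutil prints it ("C=AD, CN=Demo PCA"); an empty findings list means the CRL's name and validity window are not the problem and the search should move to the signature, the authority key identifier or the issuing distribution point, none of which this script inspects.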