Exchange Online & certutil reject CRL with error CRYPT_E_REVOCATION_OFFLINE

Tim de Haas 6 Reputation points
2021-08-19T09:52:23.633+00:00

Context: a custom CKMS, configured with a Root CA cert and one (relevant) Intermediate CA cert. The Root CA is self-signed (ofc) and trusted on the user device's Cert store (Local Machine).

Problem: Both Exchange Online and certutil give error CRYPT_E_REVOCATION_OFFLINE when validating the certificate (with CRL check).

Extra: We do NOT use ADCS. Both the CRL and AIA cert are returned in DER format. The CRL and CA certs are all valid. The URL Retrieval Tool shows no issues, both AIA and CDP show as 'Verified'. We only support Base CRL, so no naming collisions with Delta CRLs. The CRL contains 0 revoked certificates. In my testing environment the CRL etc. are hosted on a local server (so admin.demo.com resolves to a local IP address).

Result from command "certutil.exe -verify -urlfetch '.\signingca_demo.der'" as run in PowerShell:

    Issuer:
        C=AD
        CN=Demo PCA
      Name Hash(sha1): d155016f164e81af14ae84d989b7927d5c8b146c
      Name Hash(md5): 960a5e7e3d3920f274cc101774339228
    Subject:
        C=AD
        CN=Demo Signing CA
      Name Hash(sha1): ab3e610733780cde1d5f5aec581818480c6f2d03
      Name Hash(md5): f9785cf81d2b4669eac2a0f2e154aa6e
    Cert Serial Number: ab0a47552fac47e4ab91563677e3453f

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
      Issuer: C=AD, CN=Demo PCA
      NotBefore: 08/18/2021 14:10
      NotAfter: 08/16/2031 15:10
      Subject: C=AD, CN=Demo Signing CA
      Serial: ab0a47552fac47e4ab91563677e3453f
      Cert: 9b37cb4d7dc40a0b05969c26cf63a0f362c6d146
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0 8e1a7e57efdbf5834e62b3fcc48001b094c1d17c
        [0.0] http://admin.demo.com:8000/ca/1.0.2/primary/8e1a7e57efdbf5834e62b3fcc48001b094c1d17c.crt

      ----------------  Certificate CDP  ----------------
      Verified "Base CRL" Time: 0 bb8a8d5f5de5eab8e4cd58acfad9399adb7999ff
        [0.0] http://admin.demo.com/demo_signingca.crl

      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0 (null)
      --------------------------------

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: C=AD, CN=Demo PCA
      NotBefore: 08/18/2021 14:10
      NotAfter: 08/16/2031 15:10
      Subject: C=AD, CN=Demo PCA
      Serial: 78315e2f662c4612bd698316e32d36fe
      Cert: 8e1a7e57efdbf5834e62b3fcc48001b094c1d17c
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0 (null)
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL" Time: 0 766581c3bd3cbb0693692a5075b2cfec1f2facc2
        [0.0] http://admin.demo.com/demo_pca.crl

      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0 (null)
      --------------------------------

    Exclude leaf cert:
      Chain: 9b37cb4d7dc40a0b05969c26cf63a0f362c6d146
    Full chain:
      Chain: 07bb1b997d10a1da8d8755fea2c4caac029426ba
      Issuer: C=AD, CN=Demo PCA
      NotBefore: 08/18/2021 14:10
      NotAfter: 08/16/2031 15:10
      Subject: C=AD, CN=Demo Signing CA
      Serial: ab0a47552fac47e4ab91563677e3453f
      Cert: 9b37cb4d7dc40a0b05969c26cf63a0f362c6d146
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
    ------------------------------------
    Revocation check skipped -- server offline
    Cert is a CA certificate

    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

    CertUtil: -verify command completed successfully.

I've (only) sanitized the CA names and URLs for privacy reasons.

The error CRYPT_E_REVOCATION_OFFLINE appears to be misleading as all the contacted endpoints are online and they validate correctly as well. The error does not occur with GlobalSign or DigiCert certificates, so we're trying to find out what our CA does that certutil does not accept.
What could be the cause of the error? And what should/may fix it?
