PC Review


Reply
Thread Tools Rate Thread

certificate revocation error

 
 
Smita(India)
      10th Jun 2008
Hi

I am facing a problem while setting up RADIUS on win2003 server.
I have configured IAS and certificate server as Enterprise Root CA.
I am using third-party generated certificates. I placed the root
certificate under "Trusted root certification authorities" and SubCA
under "Intermediate certification root authorities".

Interaction is happening between radius server and client, but
authentication is not successful.
Event viewer shows this error

"The revocation function was unable to check revocation for the
certificate"


I verified the certificates; here is the output.


certutil -verify TestDSLGatewayDeviceSubCA_1.cer
Issuer:
CN=TEST DSL Gateway Device Root Certificate Authority
OU=DSL Gateway Devices
O=Motorola, Inc.
C=US
Subject:
CN=1
OU=TEST DSL Gateway Device Sub-CA
O=Motorola, Inc.
C=US
Cert Serial Number: 4758774a3b0db6a7cb12b24c301f9349

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=1, OU=TEST DSL Gateway Device Sub-CA, O="Motorola, Inc.", C=US
Serial: 4758774a3b0db6a7cb12b24c301f9349
12 d3 c8 f1 ea 39 a0 7c 42 ee c7 2b fa f8 a7 48 3a 08 a4 fa
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Serial: 47587747377ae079599a48e7215ca69d
71 1c 17 a8 f9 1b be 4f e1 ef 55 4d 00 57 20 57 34 42 11 6c
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
12 d3 c8 f1 ea 39 a0 7c 42 ee c7 2b fa f8 a7 48 3a 08 a4 fa
Full chain:
d5 fe 5a d4 d6 dd a2 d9 e3 0b 8a 6d 8c 2c 7e 9f ee 9e c8 ec
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=1, OU=TEST DSL Gateway Device Sub-CA, O="Motorola, Inc.", C=US
Serial: 4758774a3b0db6a7cb12b24c301f9349
12 d3 c8 f1 ea 39 a0 7c 42 ee c7 2b fa f8 a7 48 3a 08 a4 fa
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

======================================================================

certutil -verify TestDSLGatewayDeviceRoot.cer
Issuer:
CN=TEST DSL Gateway Device Root Certificate Authority
OU=DSL Gateway Devices
O=Motorola, Inc.
C=US
Subject:
CN=TEST DSL Gateway Device Root Certificate Authority
OU=DSL Gateway Devices
O=Motorola, Inc.
C=US
Cert Serial Number: 47587747377ae079599a48e7215ca69d

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Serial: 47587747377ae079599a48e7215ca69d
71 1c 17 a8 f9 1b be 4f e1 ef 55 4d 00 57 20 57 34 42 11 6c
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
71 1c 17 a8 f9 1b be 4f e1 ef 55 4d 00 57 20 57 34 42 11 6c
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
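
Added example, not part of the original post: the hex values on the CertContext lines of the output above are CERT_TRUST_* bitmasks, and this Python code decodes them and separates "revocation could not be checked" from "certificate is revoked". The flag values are the wincrypt.h constants; the function names and the three state labels are assumptions made for this example.

```python
import re

# CERT_TRUST_* error bits (subset of wincrypt.h).
ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
# CERT_TRUST_* info bits (subset of wincrypt.h).
INFO_FLAGS = {
    0x001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x008: "CERT_TRUST_IS_SELF_SIGNED",
    0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}
ELEMENT = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]: "
    r"dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)")

def decode(mask, table):
    """Return the names of the bits set in mask; keep unknown bits visible."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    leftover = mask & ~sum(table)
    return names + ([f"UNKNOWN(0x{leftover:x})"] if leftover else [])

def revocation_state(errors):
    """Hypothetical labels: a revoked cert is a different finding from an unreachable CRL."""
    if "CERT_TRUST_IS_REVOKED" in errors:
        return "revoked"
    if {"CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
            "CERT_TRUST_IS_OFFLINE_REVOCATION"} & set(errors):
        return "unverifiable"
    return "no-revocation-error"

def chain_elements(text):
    """Decode every CertContext[chain][element] line in certutil -verify output."""
    out = []
    for m in ELEMENT.finditer(text):
        errors = decode(int(m.group(4), 16), ERROR_FLAGS)
        out.append({"element": int(m.group(2)),
                    "info": decode(int(m.group(3), 16), INFO_FLAGS),
                    "errors": errors, "revocation": revocation_state(errors)})
    return out

# The two CertContext lines from the Sub-CA output in the post above.
SAMPLE = ("CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040\n"
          "CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0\n")
```

Calling `chain_elements(SAMPLE)` reports element 0 (the Sub-CA) as "unverifiable" and element 1 (the root) with no error bits, matching the Element.dwErrorStatus lines in the post.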

 