certificate revocation error


Smita(India)

Hi

I am facing a problem while setting up RADIUS on a win2003 server.
I have configured IAS and also a certificate server as an Enterprise
Root CA.
I am using third-party generated certificates. I placed the root
certificate under "Trusted root certification authorities" and the SubCA
under "Intermediate certification root authorities".

Interaction is happening between the radius server and the client, but
authentication is not successful.
Event viewer shows this error:

"The revocation function was unable to check revocation for the
certificate"


I verified the certificates; here is the output.


certutil -verify TestDSLGatewayDeviceSubCA_1.cer
Issuer:
CN=TEST DSL Gateway Device Root Certificate Authority
OU=DSL Gateway Devices
O=Motorola, Inc.
C=US
Subject:
CN=1
OU=TEST DSL Gateway Device Sub-CA
O=Motorola, Inc.
C=US
Cert Serial Number: 4758774a3b0db6a7cb12b24c301f9349

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=1, OU=TEST DSL Gateway Device Sub-CA, O="Motorola, Inc.", C=US
Serial: 4758774a3b0db6a7cb12b24c301f9349
12 d3 c8 f1 ea 39 a0 7c 42 ee c7 2b fa f8 a7 48 3a 08 a4 fa
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Serial: 47587747377ae079599a48e7215ca69d
71 1c 17 a8 f9 1b be 4f e1 ef 55 4d 00 57 20 57 34 42 11 6c
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
12 d3 c8 f1 ea 39 a0 7c 42 ee c7 2b fa f8 a7 48 3a 08 a4 fa
Full chain:
d5 fe 5a d4 d6 dd a2 d9 e3 0b 8a 6d 8c 2c 7e 9f ee 9e c8 ec
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=1, OU=TEST DSL Gateway Device Sub-CA, O="Motorola, Inc.", C=US
Serial: 4758774a3b0db6a7cb12b24c301f9349
12 d3 c8 f1 ea 39 a0 7c 42 ee c7 2b fa f8 a7 48 3a 08 a4 fa
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

======================================================================

certutil -verify TestDSLGatewayDeviceRoot.cer
Issuer:
CN=TEST DSL Gateway Device Root Certificate Authority
OU=DSL Gateway Devices
O=Motorola, Inc.
C=US
Subject:
CN=TEST DSL Gateway Device Root Certificate Authority
OU=DSL Gateway Devices
O=Motorola, Inc.
C=US
Cert Serial Number: 47587747377ae079599a48e7215ca69d

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Subject: CN=TEST DSL Gateway Device Root Certificate Authority, OU=DSL Gateway Devices, O="Motorola, Inc.", C=US
Serial: 47587747377ae079599a48e7215ca69d
71 1c 17 a8 f9 1b be 4f e1 ef 55 4d 00 57 20 57 34 42 11 6c
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
71 1c 17 a8 f9 1b be 4f e1 ef 55 4d 00 57 20 57 34 42 11 6c
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.



Please help me understand what could be wrong here; I am new to these concepts.
 

Brian Komar (MVP)

The CA is poorly configured and does not include revocation information in
its issued certificates.
If there are no CDP or AIA extensions in the issued certificate, there will
be no revocation information.
How do you expect clients to find updated CRLs?
Brian
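Added example (not from this thread or either poster): a stdlib-only Python script that walks the DER Extensions block of a certificate and reports whether a CRL Distribution Points (CDP) or Authority Information Access (AIA) extension is present, the two pointers a chain engine needs before it can check revocation at all. It constructs its own sample Extensions blocks with placeholder URLs (pki.example.test, ocsp.example.test are made up), so nothing from the certificates above is reused; on a real certificate the same extensions are what `certutil -dump` lists by name. A certificate with neither extension leaves the engine with nowhere to fetch a CRL from, which is the CERT_TRUST_REVOCATION_STATUS_UNKNOWN / CERT_TRUST_IS_OFFLINE_REVOCATION result shown in the output above.

```python
# Added example: does a certificate's Extensions block carry revocation pointers?
# Minimal DER encoder (to build sample input) and decoder (to inspect it); stdlib only.
OID_CDP = "2.5.29.31"                 # CRL Distribution Points
OID_AIA = "1.3.6.1.5.5.7.1.1"         # Authority Information Access
OID_OCSP = "1.3.6.1.5.5.7.48.1"       # AIA accessMethod: OCSP responder
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2" # AIA accessMethod: issuer certificate
OID_BASIC_CONSTRAINTS = "2.5.29.19"

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: ln & 0x7F length bytes follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def iter_tlvs(buf: bytes):
    """Yield (tag, value) for each sibling TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _cdp_uris(value: bytes):
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint; URI sits at [0]{[0]{[6] IA5String}}."""
    uris = []
    _, dps, _ = read_tlv(value, 0)
    for _, dp in iter_tlvs(dps):
        for tag, dp_name in iter_tlvs(dp):
            if tag != 0xA0:             # [0] distributionPoint (explicit tag around the CHOICE)
                continue
            for tag2, names in iter_tlvs(dp_name):
                if tag2 == 0xA0:        # [0] fullName: GeneralNames (implicit tag)
                    uris += [v.decode("ascii") for t, v in iter_tlvs(names) if t == 0x86]
    return uris

def _aia_entries(value: bytes):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF { accessMethod OID, accessLocation GeneralName }."""
    _, descs, _ = read_tlv(value, 0)
    for _, desc in iter_tlvs(descs):
        (_, method), (tag, loc) = list(iter_tlvs(desc))[:2]
        if tag == 0x86:                 # [6] uniformResourceIdentifier
            kind = {OID_OCSP: "ocsp", OID_CA_ISSUERS: "ca_issuers"}.get(decode_oid(method))
            if kind:
                yield kind, loc.decode("ascii")

def revocation_sources(extensions_der: bytes) -> dict:
    """Walk an Extensions SEQUENCE and collect CRL / OCSP / caIssuers URIs."""
    found = {"crl": [], "ocsp": [], "ca_issuers": []}
    _, exts, _ = read_tlv(extensions_der, 0)
    for _, ext in iter_tlvs(exts):
        fields = list(iter_tlvs(ext))   # extnID, optional critical BOOLEAN, extnValue OCTET STRING
        oid, value = decode_oid(fields[0][1]), fields[-1][1]
        if oid == OID_CDP:
            found["crl"] += _cdp_uris(value)
        elif oid == OID_AIA:
            for kind, uri in _aia_entries(value):
                found[kind].append(uri)
    return found

def has_revocation_pointer(extensions_der: bytes) -> bool:
    """False means a chain engine has no CRL or responder location: revocation status unknown."""
    src = revocation_sources(extensions_der)
    return bool(src["crl"] or src["ocsp"])

def build_extensions(crl_url=None, ocsp_url=None) -> bytes:
    """Construct a sample Extensions block (placeholder data, not a real certificate)."""
    bc = tlv(0x30, tlv(0x01, b"\xff"))  # BasicConstraints { cA TRUE }, marked critical
    exts = [tlv(0x30, der_oid(OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, bc))]
    if crl_url:
        dp = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, crl_url.encode("ascii")))))
        exts.append(tlv(0x30, der_oid(OID_CDP) + tlv(0x04, tlv(0x30, dp))))
    if ocsp_url:
        ad = tlv(0x30, der_oid(OID_OCSP) + tlv(0x86, ocsp_url.encode("ascii")))
        exts.append(tlv(0x30, der_oid(OID_AIA) + tlv(0x04, tlv(0x30, ad))))
    return tlv(0x30, b"".join(exts))

if __name__ == "__main__":
    good = build_extensions("http://pki.example.test/sub.crl", "http://ocsp.example.test")
    bad = build_extensions()            # CA cert with no CDP/AIA, like the one in this thread
    print(revocation_sources(good), has_revocation_pointer(good))
    print(revocation_sources(bad), has_revocation_pointer(bad))
```

The second call mirrors the situation in the thread: a CA certificate with BasicConstraints but no CDP or AIA, for which `has_revocation_pointer` returns False. The fix is on the issuing side (publish a CRL and put its URL in the CDP extension of the certificates the CA issues), not on the RADIUS server that is trying to verify them.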

