Active Directory Certificate Services cannot verify certificate chain - Bad Cert Issuer "Base CRL (08)"

-

hi,

installing adcs enteprise issuing ca running on win2008 r2. windows ca sub ca, offline root ca has issued ca certificate.

when trying "install ca certificate" error message displayed:

active directory certificate services cannot verify certificate chain. wish ignore error , continue? revocation function unable check revication because revication server offline. 0x80092013 (-2146885613)

using certutil -verify -urlfetch wincacert.crt shows there´s cdp problem
----------------------------------------
certcontext[0][0]: dwinfostatus=102 dwerrorstatus=1000040
  element.dwinfostatus = cert_trust_has_key_match_issuer (0x2)
  element.dwinfostatus = cert_trust_has_preferred_issuer (0x100)
  element.dwerrorstatus = cert_trust_revocation_status_unknown (0x40)
  element.dwerrorstatus = cert_trust_is_offline_revocation (0x1000000)
  ----------------  certificate cdp  ----------------
  bad cert issuer "base crl (08)" time: 0
    [0.0] http://crl.domain.com/rootca.crl
 
  bad cert issuer "base crl (08)" time: 0
    [1.0] ldap:///cn=rootca,cn=root,cn=cdp,cn=public%20key%20services,cn=services,cn=configura
 
revocation function unable check revocation because revocation server offline. 0x80092013 (-2146885613)
------------------------------------
revocation check skipped -- server offline
cert ca certificate
 
error: verifying leaf certificate revocation status returned revocation function unable check revocation because revocation server offline. 0x80092013 (-2146885613)
certutil: revocation function unable check revocation because revocation server offline.
 
certutil: -verify command completed successfully.
----------------------------------------

in internet explorer, can type in http://crl.domain.com/rootca.crl and download crl, seems reachable.
have imported root ca certificate , crl local certificate store + published them to ad.

suggestions? welcome!
regards, daniel

www.twitter.com/danielullmark

we opened case ms support.

from ms support: issuer field of ca certificate has cert_rdn_utf8_string encoding format while crl signed certificate (appears identical but) has cert_rdn_printable_string encoding format

during certificate chain validation (from end entity trusted root) keyid used create certificate chain , works independently of subject , issuer codification (printablestring or utf8)

during status validation, binary comparison made between certificate issuer , crl issuer, both field must use same codification in order match (printablestring or utf8)

we must re-issue , re-publish crls root ca , make sure encoding of issuer field matches

www.twitter.com/danielullmark



Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Motherboard replacement

-
running windows 10 technical preview, need replace motherboard can run the  sysprep  command restoring pc ? or there easier  or more preferred way ? thanks if replace motherboard within same family of chipsets (i.e. intel > intel or amd > amd), should okay restarting pc twice. carey frisch Windows 10 Insider Preview  >  Windows 10 Insider Preview General
Read more

Cannot create Full Text Search catalog after upgrading to V12 - Database is not fully started up or it is not in an ONLINE state

-
in order access new full text search capiblities of sql azure, upgraded our azure sql v12. (a day later), when try create new catalog: create fulltext catalog mycatalog default i following message: msg 9972, level 16, state 100, line 1 database not started or not in online state. try full-text ddl command again after database started , becomes online. hi scott, apologies inconvenience caused you. known issue on service side , fix going included in next update. specific case mitigated, should able use full-text search syntax now. thanks, mihaela Microsoft Azure  >  Azure SQL Database
Read more

Remote Desktop App - Error 0x207 or 0x607

-
hi all, i manage windows 2012 r2 network, including connection broker, session hosts , remote apps virtual servers.  i've used remote desktop app on own android phone, no issues @ - connects published gateway url , can login , access network. we looking move business onto nokia handsets ms operating system (currently on blackberry), not able connect via remote desktop app on nokia lumia handset. setup, per android config , brings remote apps , remote desktop screen, know can connect.  when select remote desktop, shows following process: initiating remote connection securing remote connection certificate can't verified - choose connect it digitally signed cert (digicert sha2), pc name different physical connection broker name (inherited domain name old gov project - can't publish publicly) initiating establishing securing connection error have been 0x207 getting 0x607 a bit baffled, work on android (and ipad @ home using app). assume ms use d...
Read more