Vadims Podans
Vadims Podans 28.06.2011 16:42 (GMT+3) Root Certification Authority (CA) CDP and AIA extension question

You experience this issue because your subordinate CA has an existing cached CRL. The cached CRL is not updated until it expires. Therefore you need either:
1) install the new CRL to the local store (on the Sub CA);
2) instruct the Sub CA server to enforce a cached CRL update by running the following commands:
certutil -urlcache CRL delete
certutil -setreg chain\ChainCacheResyncFiletime @now
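An added illustration of the caching behaviour described in the comment above (example code written for this page, not the author's own tooling): a minimal DER parser for a CRL and a model of a per-URL CRL cache that, like the Windows chain engine, keeps reusing a cached CRL until its NextUpdate has passed or the entry is deleted. The two CRLs are constructed inside the script with a placeholder signature, the serial number, issuer name and CDP URL are made up, and no signature verification is performed.

```python
"""Why a revoked certificate still shows "OK" until the cached CRL expires.

Added example: a minimal DER CRL parser plus a model of a per-URL CRL cache.
The CRLs below are constructed in-script with a placeholder signature; the
serial number, issuer name and URL are made up for the illustration.
"""
from datetime import datetime, timezone

UTC = timezone.utc

# ---- DER helpers: the encoder is only used to construct the sample CRLs ----
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _int(value):
    # Unsigned INTEGER; the extra byte keeps a set high bit from reading as negative.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _utctime(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_time(tag, content):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(content.decode(), fmt).replace(tzinfo=UTC)

def build_crl(this_update, next_update, revoked):
    """Construct a v2 CertificateList (RFC 5280 s5.1); the signature is a placeholder."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")
                                        + _tlv(0x13, b"Sample Root CA"))))
    tbs = _int(1) + sha256_rsa + issuer + _utctime(this_update) + _utctime(next_update)
    entries = b"".join(_tlv(0x30, _int(s) + _utctime(d)) for s, d in revoked.items())
    if entries:
        tbs += _tlv(0x30, entries)
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00" * 33))

def parse_crl(der):
    """Return thisUpdate, nextUpdate and {serial: revocationDate} from a DER CRL."""
    _, cert_list, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, content, pos = _read_tlv(tbs, pos)
        fields.append((tag, content))
    i = 1 if fields[0][0] == 0x02 else 0   # optional version
    i += 2                                  # signature AlgorithmIdentifier, issuer Name
    this_update = _decode_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _decode_time(*fields[i]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:
        entries, pos = fields[i][1], 0
        while pos < len(entries):
            _, entry, pos = _read_tlv(entries, pos)
            _, serial, p = _read_tlv(entry, 0)
            tag, date, _ = _read_tlv(entry, p)
            revoked[int.from_bytes(serial, "big")] = _decode_time(tag, date)
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

class CrlCache:
    """Per-URL cache that reuses a CRL until its NextUpdate passes, unless the
    entry is dropped first (what 'certutil -urlcache CRL delete' does on Windows)."""
    def __init__(self):
        self._entries = {}

    def get(self, url, fetch, now, force_refresh=False):
        cached = self._entries.get(url)
        if cached and not force_refresh and now < cached["next_update"]:
            return cached, "cache"
        fresh = parse_crl(fetch())
        self._entries[url] = fresh
        return fresh, "fetched"

def is_revoked(cache, url, fetch, serial, now, force_refresh=False):
    crl, source = cache.get(url, fetch, now, force_refresh)
    return serial in crl["revoked"], source

def demo():
    """Sub CA cert revoked on 26 June, but the Sub CA cached a one-week CRL on 20 June."""
    sub_ca_serial = 0x2D04B1D6                        # constructed serial
    url = "http://pki.example.test/root.crl"          # placeholder CDP URL
    old_crl = build_crl(datetime(2011, 6, 20, tzinfo=UTC), datetime(2011, 6, 27, tzinfo=UTC), {})
    new_crl = build_crl(datetime(2011, 6, 26, tzinfo=UTC), datetime(2011, 7, 3, tzinfo=UTC),
                        {sub_ca_serial: datetime(2011, 6, 26, tzinfo=UTC)})
    published = lambda: new_crl                       # what the CDP now serves

    def seeded_cache():                               # the Sub CA as it was on 20 June
        cache = CrlCache()
        cache.get(url, lambda: old_crl, datetime(2011, 6, 20, tzinfo=UTC))
        return cache

    asked = datetime(2011, 6, 26, 17, 45, tzinfo=UTC)
    return {
        "before_expiry": is_revoked(seeded_cache(), url, published, sub_ca_serial, asked),
        "forced_refresh": is_revoked(seeded_cache(), url, published, sub_ca_serial, asked, True),
        "after_expiry": is_revoked(seeded_cache(), url, published, sub_ca_serial,
                                   datetime(2011, 6, 28, tzinfo=UTC)),
        "new_crl_next_update": parse_crl(new_crl)["next_update"].isoformat(),
        "new_crl_revoked": sorted(parse_crl(new_crl)["revoked"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "before_expiry" result is the situation in the question: the CDP already serves a CRL listing the revoked serial, yet the Sub CA answers from its still-valid cached copy and reports the certificate as good. Dropping the cache entry (the forced refresh) or waiting for NextUpdate are the two ways the fresh CRL gets picked up, which is exactly the choice the comment offers.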

Kojo
Kojo 26.06.2011 17:45 (GMT+3) Root Certification Authority (CA) CDP and AIA extension question

Hi Vadims. First of all, great article. It cleared some misunderstandings. Nevertheless, I have a question. I have a 2-tier PKI. Windows 2008 R2 STD is the Offline RootCA. I issued one certificate for the Subordinate Enterprise CA on Windows 2008 R2 ENT. When I had revoked the Subordinate certificate on the RootCA, I created a new request on the Subordinate and processed it on the RootCA. I installed the newly issued certificate on the Subordinate and copied the CRL from the offline RootCA to the online location defined using the MMC snap-in (the location is defined on the RootCA). When I click PROPERTIES on the SUBORDINATE CA in MMC, on the CERTIFICATES tab I see two certificates, "Certificate #0" and "Certificate #1". Certificate #0 status says STATUS OK, and it should be revoked. I have confirmed that the online location of the RootCA's CRL can be accessed without errors. I tried to publish the RootCA's CRL using "certutil -dspublish -f crlname.crl", but keep getting the error "Required CDP extension is missing". I typed this command on the Subordinate CA. How do I resolve this? TNX

Vadims Podans
Vadims Podans 07.05.2011 02:36 (GMT+3) The case of SSTP VPN with public certificate and error 0x80092013

You have posted a trace against your CA certificate. But I need a trace against the SSTP SSL certificate. P.S. On the main page you can find contact information under my picture.

Robin Pichon-Varin
Robin Pichon-Varin 05.05.2011 22:27 (GMT+3) The case of SSTP VPN with public certificate and error 0x80092013

Thanks for your answer. Here is the output of the certutil command. I don't have your mail. Maybe it'd be easier to send you the results.

Émetteur:
    CN=qo-PERSEPHONE-CA
    DC=qo
    DC=fr
Objet:
    CN=qo-PERSEPHONE-CA
    DC=qo
    DC=fr
Numéro de série du certificat : 2d04b1d625ddf2874ce57bd7aab578df
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=qo-PERSEPHONE-CA, DC=qo, DC=fr
  NotBefore: 03/05/2011 14:47
  NotAfter: 03/05/2021 14:57
  Subject: CN=qo-PERSEPHONE-CA, DC=qo, DC=fr
  Serial: 2d04b1d625ddf2874ce57bd7aab578df
  97 1d 0c bb c2 fb da 94 41 f5 cb 9d c7 8e 84 3b b5 2a ac 44
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- AIA de certificat ----------------
  Pas d’URL "Aucun" Heure : 0
  ---------------- CDP de certificat ----------------
  Pas d’URL "Aucun" Heure : 0
  ---------------- Protocole OCSP du certificat ----------------
  Pas d’URL "Aucun" Heure : 0
  --------------------------------

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  97 1d 0c bb c2 fb da 94 41 f5 cb 9d c7 8e 84 3b b5 2a ac 44
------------------------------------
Stratégies d’émissions vérifiées: Tous
Stratégies d’application vérifiées: Tous
Cert est un certificat d’autorité de certification
ERREUR : la vérification de l’état de révocation du certificat feuille a renvoyé La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613)
CertUtil: La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté.
CertUtil: -verify La commande s’est terminée correctement.

Vadims Podāns
Vadims Podāns 05.05.2011 03:54 (GMT+3) The case of SSTP VPN with public certificate and error 0x80092013

Can you show me the output of the command 'certutil -verify -urlfetch file.cer', where file.cer is your VPN server certificate? You need to run this command on the public client (the one that throws the error). You can email me the results. The problem can be caused by a root certificate trust issue. By default, corporate CAs (those installed in your AD forest) are automatically trusted by domain members, but not by members outside your forest.