
I have a chain of certificates: MYROOTCERT -> MYCHILDCERT. The MYCHILDCERT certificate has a CRL distribution point extension:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://pacem/mychildcert.crl

The problem is that I can't connect with this certificate and when I check it with certutil -verify command I'm getting the revocation server offline error:

C:\Users\Administrator>certutil -verify -urlfetch C:\Share\mycerts\MYCHILDCERT.cer
Issuer:
    CN=MYROOTCERT
Subject:
    CN=MYCHILDCERT
Cert Serial Number: 0af7c4fb38ad0bd258fde6356117896519

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
    Issuer: CN=MYROOTCERT
    NotBefore: 1/1/2000 3:00 AM
    NotAfter: 1/1/2500 3:00 AM
    Subject: CN=MYCHILDCERT
    Serial: 0af7c4fb38ad0bd258fde6356117896519
    4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    OK "Base CRL" Time: 14
        [0.0] http://pacem/mychildcert.crl

    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0

Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
    da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
    4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
Missing Issuer: CN=MYROOTCERT
    Issuer: CN=MYROOTCERT
    NotBefore: 1/1/2000 3:00 AM
    NotAfter: 1/1/2500 3:00 AM
    Subject: CN=MYCHILDCERT
    Serial: 0af7c4fb38ad0bd258fde6356117896519
    4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)

Incomplete certificate chain
Cannot find certificate: CN=MYROOTCERT
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

I checked IIS logs and I see that the file is actually getting accessed during this check:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-06-22 16:50:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-06-22 16:50:16 fe80::3d38:f18e:f98:acf3%11 GET /mychildcert.crl - 80 - fe80::3d38:f18e:f98:acf3%11 Microsoft-CryptoAPI/6.1 200 0 0 84

When I enter the URL in a browser, it downloads the file. Could it be that the CRL file itself is not valid? I checked the dates and they seem to be OK:

Is there anything else I need to do to make certificate revocation work?

username
  • 251
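As an added example (not part of the question above), the same chain build that certutil -verify performs, done from PowerShell with .NET's X509Chain so that the trusted-root lookup, the revocation flags and the CRL contents can each be inspected separately; the two file paths are assumptions.

```powershell
# Added example: mirror certutil -verify -urlfetch (online CRL check, root excluded)
# and separate "issuer not trusted" from "revocation status unknown".
param(
    [string]$LeafPath = 'C:\Share\mycerts\MYCHILDCERT.cer',   # path taken from the question
    [string]$CrlPath  = 'C:\inetpub\wwwroot\mychildcert.crl'  # hypothetical local copy of the published CRL
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath

# 1. Is the issuer present in the machine's trusted root store?
#    CERT_TRUST_IS_PARTIAL_CHAIN / "Cannot find certificate: CN=MYROOTCERT" is reported
#    by the chain engine independently of any CRL fetch.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$rootStore.Open('ReadOnly')
$issuerInStore = $rootStore.Certificates | Where-Object { $_.Subject -eq $leaf.Issuer }
$rootStore.Close()
if (-not $issuerInStore) {
    Write-Warning "Issuer '$($leaf.Issuer)' is not in LocalMachine\Root; the chain is partial before revocation is even considered."
}

# 2. Build the chain with the same policy certutil used: online revocation, root excluded.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($leaf)

"Chain built OK: $built"
foreach ($s in $chain.ChainStatus) {
    # Each entry corresponds to one dwErrorStatus flag in the certutil dump
    "  {0,-28} {1}" -f $s.Status, $s.StatusInformation.Trim()
}
foreach ($el in $chain.ChainElements) {
    "  element: {0}" -f $el.Certificate.Subject
}

# 3. Inspect the CRL itself: its Issuer must match the leaf's issuer and NextUpdate must be
#    in the future, otherwise CryptoAPI discards it even though the HTTP fetch returned 200.
if (Test-Path $CrlPath) {
    certutil -dump $CrlPath | Select-String -Pattern 'Issuer:', 'ThisUpdate', 'NextUpdate', 'CN='
}
```

A CRL can only be accepted after its signature is verified with the issuer's key, so a chain that is already partial (issuer not found) cannot reach a known revocation status, whatever the web server logs show.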
