Subordinate Certificate Authority fails to start (crypt_e_revocation_offline) under 3rd party root CA


bitor_mk2

I am trying to make the Dogtag PKI service run as an offline root Certificate Authority for a Windows 2016 subordinate CA.

Starting the CA service fails with these events:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" />
    <EventID>100</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-03-10T17:13:08.140848700Z" />
    <EventRecordID>141311</EventRecordID>
    <Correlation />
    <Execution ProcessID="6568" ThreadID="4664" />
    <Channel>Application</Channel>
    <Computer>myserver.mydomain.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="MSG_E_CA_CERT_INVALID">
    <Data Name="CACommonName">bit-APOLLON-CA</Data>
    <Data Name="ErrorCode">The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)</Data>
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" />
    <EventID>48</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-03-10T17:13:08.137191700Z" />
    <EventRecordID>141310</EventRecordID>
    <Correlation />
    <Execution ProcessID="6568" ThreadID="4664" />
    <Channel>Application</Channel>
    <Computer>myserer.mydomain.com</Computer>
    <Security UserID="S-1-XXX-XXX" />
  </System>
  <EventData Name="MSG_W_CA_CERT_REVOCATION_OFFLINE">
    <Data Name="CACommonName">bit-APOLLON-CA</Data>
    <Data Name="ErrorCode">The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)</Data>
    <Data Name="CACertIdentifier">0</Data>
  </EventData>
</Event>

Pkiview output:

- bit-Apollon-CA: Error
- CA certificate: OK
- AIA Location #1: OK Welcome to bit.space
- OCSP Location #1: Error Welcome to bit.space

All tabs in PkiView "Manage AD Containers" are OK, except "Enrollment services container".

Certutil verification output:

C:\Users\Administrator>certutil -verify -urlfetch C:\bit-APOLLON-CA.crt
Issuer:
CN=CA Signing Certificate
OU=pki-bitspace
O=BIT
Name Hash(sha1): fc9850eac2899571f018ffce659a1ff63d1618f7
Name Hash(md5): d37dd31467b0857f8105ea06e301a3a8
Subject:
CN=bit-APOLLON-CA
DC=bit
DC=space
Name Hash(sha1): 2d3b619bbc1428a43a9e28b91ae6623d508652c1
Name Hash(md5): d6f791858e157789fce8f1e80e7667b6
Cert Serial Number: 4d

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=CA Signing Certificate, OU=pki-bitspace, O=BIT
NotBefore: 3/10/2018 4:22 PM
NotAfter: 12/21/2036 2:15 AM
Subject: CN=bit-APOLLON-CA, DC=bit, DC=space
Serial: 4d
Cert: 97e65170cfcdb30c85162b8452cb9d24527eb2ab
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] Welcome to bit.space

---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] Welcome to bit.space

--------------------------------

CertContext[0][1]: dwInfoStatus=10a dwErrorStatus=0
Issuer: CN=CA Signing Certificate, OU=pki-bitspace, O=BIT
NotBefore: 12/21/2016 2:15 AM
NotAfter: 12/21/2036 2:15 AM
Subject: CN=CA Signing Certificate, OU=pki-bitspace, O=BIT
Serial: 01
Cert: d3f60d423822c24fb5fa9c7cffcb667b34902cce
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.9 OCSP Signing
OK "OCSP" Time: 0
[0.0] http://dogtag.dogtag.network:8080/ca/ocsp

--------------------------------

Exclude leaf cert:
Chain: 97e65170cfcdb30c85162b8452cb9d24527eb2ab
Full chain:
Chain: 79947988244649744c68fe62edd0a702950e6f65
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

Windows 2016 subordinate certificate:

C:\Users\Administrator>certutil -dump C:\bit-APOLLON-CA.crt
X509 Certificate:
Version: 3
Serial Number: 4d
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=CA Signing Certificate
OU=pki-bitspace
O=BIT
Name Hash(sha1): fc9850eac2899571f018ffce659a1ff63d1618f7
Name Hash(md5): d37dd31467b0857f8105ea06e301a3a8

NotBefore: 3/10/2018 4:22 PM
NotAfter: 12/21/2036 2:15 AM

Subject:
CN=bit-APOLLON-CA
DC=bit
DC=space
Name Hash(sha1): 2d3b619bbc1428a43a9e28b91ae6623d508652c1
Name Hash(md5): d6f791858e157789fce8f1e80e7667b6

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
Certificate Extensions: 5
2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=12 95 e9 59 91 ec da 16 19 62 1a 78 12 65 97 cc d9 80 24 9a

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
b6 38 1b 0f a6 1f b9 ad 87 ef da 18 24 c5 b3 02 3e 3f 30 72

2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None

2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Non-Repudiation, Certificate Signing, Off-line CRL Signing, CRL Signing (c6)

1.3.6.1.5.5.7.1.1: Flags = 0, Length = 86
Authority Information Access
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=Welcome to bit.space
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=Welcome to bit.space

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
Non-root Certificate
Key Id Hash(rfc-sha1): b6381b0fa61fb9ad87efda1824c5b3023e3f3072
Key Id Hash(sha1): 4bab56bcb4cc911dba685a5a7b6cce9987b95116
Key Id Hash(md5): eb7b5973c1df973d9ba5176d443d5318
Key Id Hash(sha256): ada1952794135335ea34c9bab3ef196219354ae919c03c6c5c45c40ceeafc8f9
Cert Hash(md5): 1af5eecc0c41711c20c9405b2017439b
Cert Hash(sha1): 97e65170cfcdb30c85162b8452cb9d24527eb2ab
Cert Hash(sha256): 7bfb6b2e16e3a577dae854e967b0082b18ec4edf9ee6a0381df122c14da7b3c7
Signature Hash: d4a16c11b7db1b6dc2c5ff02a9271b534bec82fd562b06191d50f500430d12da
CertUtil: -dump command completed successfully.

Dogtag PKI Root Certificate:

C:\Users\Administrator>certutil -dump "C:\CA Signing Certificate.crt"
X509 Certificate:
Version: 3
Serial Number: 01
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=CA Signing Certificate
OU=pki-bitspace
O=BIT
Name Hash(sha1): fc9850eac2899571f018ffce659a1ff63d1618f7
Name Hash(md5): d37dd31467b0857f8105ea06e301a3a8

NotBefore: 12/21/2016 2:15 AM
NotAfter: 12/21/2036 2:15 AM

Subject:
CN=CA Signing Certificate
OU=pki-bitspace
O=BIT
Name Hash(sha1): fc9850eac2899571f018ffce659a1ff63d1618f7
Name Hash(md5): d37dd31467b0857f8105ea06e301a3a8

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
Certificate Extensions: 5
2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=12 95 e9 59 91 ec da 16 19 62 1a 78 12 65 97 cc d9 80 24 9a

2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None

2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Non-Repudiation, Certificate Signing, Off-line CRL Signing, CRL Signing (c6)

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
12 95 e9 59 91 ec da 16 19 62 1a 78 12 65 97 cc d9 80 24 9a

1.3.6.1.5.5.7.1.1: Flags = 0, Length = 39
Authority Information Access
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://dogtag.dogtag.network:8080/ca/ocsp

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 1295e95991ecda1619621a78126597ccd980249a
Key Id Hash(sha1): 6c4395b9dc0c38f6722cda0a29db9008fda1bd42
Key Id Hash(md5): fc29e387dd66be3c64a5ff19e8c45c68
Key Id Hash(sha256): 056d7690b14501b62674fc5f1e388d2e2cfa397789be3070380d3441a7d6f273
Cert Hash(md5): 7765f95599e04c2fc81f14c49ce79f9f
Cert Hash(sha1): d3f60d423822c24fb5fa9c7cffcb667b34902cce
Cert Hash(sha256): bc62635a11ec49e22b7dc8eaa2414edb0dc5301fa1ec57d7df893610f37c5d96
Signature Hash: 825b10d7acf934e92549efc4fca8ff731dc02b277fcf1c4d8145d7f77668883a
CertUtil: -dump command completed successfully.
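A small decoder for the certutil -verify output quoted above, added here and not part of the original post: it expands the dwErrorStatus bitmask of each chain element into CERT_TRUST_* names and lists which CDP/OCSP sources certutil found for that element, which makes the cause of CRYPT_E_REVOCATION_OFFLINE (the sub-CA certificate carries no CDP and its only revocation source is an OCSP responder that cannot be reached) readable at a glance. The sample text is a constructed excerpt of the output above; the sub-CA OCSP URL, redacted in the post, is an obvious placeholder.

```python
import re

# CERT_TRUST_* error bits (wincrypt.h); the two marked (*) appear in the question.
ERROR_BITS = {
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",  # (*)
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",      # (*)
}

# Constructed excerpt of the certutil output above; the redacted sub-CA OCSP URL is a placeholder.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
[0.0] http://ocsp-url-redacted.example/ca/ocsp
--------------------------------
CertContext[0][1]: dwInfoStatus=10a dwErrorStatus=0
---------------- Certificate OCSP ----------------
[0.0] http://dogtag.dogtag.network:8080/ca/ocsp
"""

ELEMENT = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=(\w+) dwErrorStatus=(\w+)")
SECTION = re.compile(r"-+ Certificate (AIA|CDP|OCSP) -+")
URL = re.compile(r"\[\d+\.\d+\] (.+)")

def decode_bits(value, table=ERROR_BITS):
    """Expand a status bitmask into flag names; bits not in the table stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:x}"] if rest else [])

def parse_verify_output(text):
    """One dict per chain element: status words plus the CDP/OCSP URLs certutil listed."""
    elements, section = [], None
    for line in text.splitlines():
        if m := ELEMENT.match(line):
            elements.append({"index": int(m[1]), "info": int(m[2], 16),
                             "error": int(m[3], 16), "CDP": [], "OCSP": []})
            section = None
        elif m := SECTION.match(line):
            section = m[1]
        elif (m := URL.match(line)) and elements and section in ("CDP", "OCSP"):
            elements[-1][section].append(m[1])
    return elements

def diagnose(elements):
    """One line per element: decoded error bits and which revocation sources exist."""
    return [f"element {e['index']}: {', '.join(decode_bits(e['error']) or ['no errors'])}; "
            f"CDP={e['CDP'] or 'none'}; OCSP={e['OCSP'] or 'none'}" for e in elements]
```

Running `diagnose(parse_verify_output(SAMPLE))` reports element 0 (the sub-CA certificate) with both revocation error bits and no CDP, while element 1 (the root) is clean because the chain is verified with CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT.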
