RDS farm - valid certificate generate error


octavmarius

Hello,

I have built a Windows 2012 RDS farm (a few servers with the session host role, a connection broker and a gateway).
Using an internal certificate authority, I have installed a wildcard certificate on all of them using the deployment wizard.

All seems to work except certificate validation on the client (where I have installed the root and subordinate CA certificates).

[screenshot attachment: 1426461.jpg]

I tried to validate the certificate using certutil, but much of the output doesn't make any sense to me. Is there anyone who understands the command output and can help me solve the problem?

Thanks,
Marius

Issuer:
CN=COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01
DC=subcompany
DC=company
DC=local
Name Hash(sha1): 7d6b9d90
Name Hash(md5): 0545d7baad
Subject:
CN=*.subcompany.company.local
Name Hash(sha1): 43c68be
Name Hash(md5): 99c91dd
Cert Serial Number: 7a0000002

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 356 Days, 5 Hours, 19 Minutes, 37 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 356 Days, 5 Hours, 19 Minutes, 37 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01, DC=subcompany, DC=company, DC=local
NotBefore: 12/21/2018 12:33 AM
NotAfter: 12/21/2019 12:33 AM
Subject: CN=*.subcompany.company.local
Serial: 7a0000002
Template: 1.3.6.1.4.1.311.21.8.3844335.16743750.9392028.6723193.10929484.121.6669609.13871918
Cert: b66fea7
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0 (null)
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
ldap:///CN=COMPANY%20INTERNAL%20SUBORDINATE%20SUBCOMPANY%2001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subcompany,DC=company,DC=local?cACertificate?base?objectClass=certificationAuthority

Failed "AIA" Time: 0 (null)
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
http://certauth.subcompany.company....OMPANY INTERNAL SUBORDINATE SUBCOMPANY 01.crt

---------------- Certificate CDP ----------------
Failed "CDP" Time: 0 (null)
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
ldap:///CN=COMPANY%20INTERNAL%20SUBORDINATE%20SUBCOMPANY%2001,CN=certauth,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subcompany,DC=company,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

Failed "CDP" Time: 0 (null)
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
http://certauth.subcompany.company.local/CertEnroll/COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01.crl

Verified "Base CRL (c3)" Time: 0 cc56048a625578b5a181516997f7cb72df12336b
[2.0] http://www.company.ro/pki/COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01.crl

Failed "CDP" Time: 0 (null)
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
[2.0.0] ldap:///CN=COMPANY%20INTERNAL%20SUBORDINATE%20SUBCOMPANY%2001,CN=certauth,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subcompany,DC=company,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint

Failed "CDP" Time: 0 (null)
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
[2.1.0] http://certauth.subcompany.company.local/CertEnroll/COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01+.crl

---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0 (null)
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
ldap:///CN=COMPANY%20INTERNAL%20SUBORDINATE%20SUBCOMPANY%2001,CN=certauth,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subcompany,DC=company,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint

Failed "CDP" Time: 0 (null)
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
http://certauth.subcompany.company.local/CertEnroll/COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01+.crl

---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL c3:
Issuer: CN=COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01, DC=subcompany, DC=company, DC=local
ThisUpdate: 4/5/2019 4:21 AM
NextUpdate: 4/12/2019 6:41 AM
CRL: cc56048a625
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=COMPANY INTERNAL ROOT CA
NotBefore: 9/26/2018 3:00 AM
NotAfter: 9/26/2028 3:10 AM
Subject: CN=COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01, DC=subcompany, DC=company, DC=local
Serial: 1700000005435
Template: SubCA
Cert: bfc1083d68
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0 (null)
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
ldap:///CN=COMPANY%20INTERNAL%20ROOT%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,cn=configuration,dc=office,dc=company,dc=local?cACertificate?base?objectClass=certificationAuthority

Failed "AIA" Time: 0 (null)
Error retrieving URL: Cannot find the requested object. 0x80092009 (-2146885623 CRYPT_E_NO_MATCH)
http://www.company.ro/pki/certificateca_COMPANY INTERNAL ROOT CA.crt

---------------- Certificate CDP ----------------
Failed "CDP" Time: 0 (null)
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
ldap:///CN=COMPANY%20INTERNAL%20ROOT%20CA,CN=CARO,CN=CDP,CN=Public%20Key%20Services,CN=Services,cn=configuration,dc=office,dc=company,dc=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

Verified "Base CRL (04)" Time: 0 24c828f4
[1.0] http://www.company.ro/pki/COMPANY INTERNAL ROOT CA.crl

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 04:
Issuer: CN=COMPANY INTERNAL ROOT CA
ThisUpdate: 4/19/2018 12:28 AM
NextUpdate: 4/19/2023 12:48 PM
CRL: 24c828f4d3ad

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=COMPANY INTERNAL ROOT CA
NotBefore: 4/19/2018 12:06 AM
NotAfter: 4/19/2038 12:16 AM
Subject: CN=COMPANY INTERNAL ROOT CA
Serial: 1604400faa77
Cert: 2e842eba39
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------

Exclude leaf cert:
Chain: 0a473dbbaa5c
Full chain:
Chain: ed251c1712048f
Issuer: CN=COMPANY INTERNAL SUBORDINATE SUBCOMPANY 01, DC=subcompany, DC=company, DC=local
NotBefore: 12/21/2018 12:33 AM
NotAfter: 12/21/2019 12:33 AM
Subject: CN=*.subcompany.company.local
Serial: 7a0000002
Template: 1.3.6.1.4.1.311.21.8.3844335.16743750.9392028.6723193.10929484.121.6669609.13871918
Cert: b66fea7
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.
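As an added example, not part of the original post: a small Python parser for the AIA/CDP fetch section of certutil -verify output like the one above. It groups the failed fetches by URL scheme (LDAP vs HTTP) and lists what verified, so the client-side reachability problem is visible without reading the whole dump. The sample input is a constructed, abridged excerpt in the same format, with the CA names shortened.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the posted certutil output (CA names
# shortened; the values are illustrative, not the poster's real ones).
SAMPLE = """\
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0 (null)
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
http://certauth.subcompany.company.local/CertEnroll/SUB CA 01.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0 (null)
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
ldap:///CN=SUB%20CA%2001,CN=CDP,DC=company,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (c3)" Time: 0 cc56048a625578b5a181516997f7cb72df12336b
[2.0] http://www.company.ro/pki/SUB CA 01.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
"""

STATUS_RE = re.compile(r'^(Failed|Verified|No URLs)\s+"([^"]+)"')
ERR_RE = re.compile(r'^Error retrieving URL:\s*(.*?)\s+(0x[0-9a-fA-F]+)')
# URLs may contain spaces (CA names with spaces), so take the rest of the line.
URL_RE = re.compile(r'^(?:\[[\d.]+\]\s+)?((?:https?|ldap)://.*)$')

def parse_url_fetch(text):
    """Return one (status, kind, url, error) tuple per fetched AIA/CDP URL;
    error is "0x<code> <message>" for Failed entries and None for Verified."""
    results, status, kind, err = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := STATUS_RE.match(line):        # 'Failed "CDP" ...' opens a new entry
            status, kind, err = m.group(1), m.group(2), None
        elif m := ERR_RE.match(line):         # error line belongs to the open entry
            err = f"{m.group(2)} {m.group(1)}"
        elif (m := URL_RE.match(line)) and status:  # URL line closes the entry
            results.append((status, kind, m.group(1), err))
            status = kind = err = None
    return results

def summarize(results):
    """Group failures by scheme (ldap vs http) and list what verified, which
    shows whether the client can reach any revocation source at all."""
    failed, verified = defaultdict(list), []
    for status, kind, url, err in results:
        if status == "Failed":
            failed[url.split(":", 1)[0]].append((kind, url, err))
        else:
            verified.append((kind, url))
    return dict(failed), verified
```

Run over the posted output, this separates the LDAP fetches (ERROR_DEV_NOT_EXIST) and the certauth HTTP fetches (ERROR_WINHTTP_NAME_NOT_RESOLVED) from the one CRL that did verify from www.company.ro, which is the pattern of a client that cannot reach the CA's internal publication points.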
