Psychoteur
Hello,
so I'm learning ADCS and I have set up a lab. Everything went smoothly until I tried Enrollment certificate and Recovery Agent.
I googled, read a lot of different articles but I'm stuck. In pkiview, everything is fine, CRLs and AIA are accessible. The certificates are present in CTAuth ...
The main error is "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)"
Issuer:
CN=CompanyIssuingCA
DC=company
DC=pri
Name Hash(sha1): edde1fc66ff8815c90428e1a3376c1f08b795498
Name Hash(md5): 5693c1301fce00a6d27dbcc1607a9996
Subject:
CN=root
CN=Users
DC=company
DC=pri
Name Hash(sha1): e98fbb1985574f741b89c52ade672a2f51646b11
Name Hash(md5): 4a59808a6d7021637a8f87603621836c
Cert Serial Number: 4c00000016395ff92112d10148000000000016
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 9 Days, 22 Hours, 23 Minutes, 4 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 9 Days, 22 Hours, 23 Minutes, 4 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=CompanyIssuingCA, DC=company, DC=pri
NotBefore: 19/02/2020 13:43
NotAfter: 18/02/2022 13:43
Subject: CN=root, CN=Users, DC=company, DC=pri
Serial: 4c00000016395ff92112d10148000000000016
SubjectAltName: Other Name:Principal Name=root@company.pri
Template: Company of Enrollment Agent
Cert: 3851d3755103345cbe56688df63961618eb0e5f1
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 b1d720338bbd35670a98a5b1e395c038cea4b256
[0.0] ldap:///CN=CompanyIssuingCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=pri?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0 b1d720338bbd35670a98a5b1e395c038cea4b256
[1.0] http://s1.company.pri/pki/S1.company.pri_CompanyIssuingCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (01)" Time: 0 a81cc0f96c56b99ada63dfc473f1884f1e7f4a2c
[0.0] http://s1.company.pri/pki/CompanyIssuingCA.crl
Old Base CRL "Delta CRL (01)" Time: 0 a262281fad8d4568d6f1eb86fbab1caeca42b932
[0.0.0] http://s1.company.pri/pki/CompanyIssuingCA+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (0a)" Time: 0 a262281fad8d4568d6f1eb86fbab1caeca42b932
[0.0] http://s1.company.pri/pki/CompanyIssuingCA+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 01:
Issuer: CN=CompanyIssuingCA, DC=company, DC=pri
ThisUpdate: 12/02/2020 10:44
NextUpdate: 26/02/2020 23:04
CRL: a81cc0f96c56b99ada63dfc473f1884f1e7f4a2c
Delta CRL 0a:
Issuer: CN=CompanyIssuingCA, DC=company, DC=pri
ThisUpdate: 21/02/2020 09:12
NextUpdate: 22/02/2020 21:32
CRL: a262281fad8d4568d6f1eb86fbab1caeca42b932
Application[0] = 1.3.6.1.4.1.311.20.2.1 Certificate Request Agent
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=CompanyRootCA
NotBefore: 11/02/2020 17:13
NotAfter: 11/02/2030 17:23
Subject: CN=CompanyIssuingCA, DC=company, DC=pri
Serial: 3d000000020b0e8d30c0f16c5a000000000002
Template: SubCA
Cert: b1d720338bbd35670a98a5b1e395c038cea4b256
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 d0bec8db5e3e17dbb51504be2484d93e71ae7b63
[0.0] http://s1.company.pri/PKI/CA1_CompanyRootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (02)" Time: 0 229f52d2c556dfdd541207b4888094b77d802271
[0.0] http://s1.company.pri/PKI/CompanyRootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 02:
Issuer: CN=CompanyRootCA
ThisUpdate: 11/02/2020 14:36
NextUpdate: 12/02/2040 02:56
CRL: 229f52d2c556dfdd541207b4888094b77d802271
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=CompanyRootCA
NotBefore: 11/02/2020 10:29
NotAfter: 11/02/2040 10:39
Subject: CN=CompanyRootCA
Serial: 3f971e0aa9a02aa341989423b6f044f8
Cert: d0bec8db5e3e17dbb51504be2484d93e71ae7b63
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Issuance[0] = 1.2.3.4.1455.67.89.5
Exclude leaf cert:
Chain: cfce657574cfc9e7feabefcefe44516888688719
Full chain:
Chain: 251da786afe1515f1a3f9715c3d02e1ca0c0a016
Issuer: CN=CompanyIssuingCA, DC=company, DC=pri
NotBefore: 19/02/2020 13:43
NotAfter: 18/02/2022 13:43
Subject: CN=root, CN=Users, DC=company, DC=pri
Serial: 4c00000016395ff92112d10148000000000016
SubjectAltName: Other Name:Principal Name=root@company.pri
Template: Company of Enrollment Agent
Cert: 3851d3755103345cbe56688df63961618eb0e5f1
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
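Added example, not part of the original post and not a Microsoft tool: a small Python parser for the per-URL retrieval lines in the certutil -verify output above, listing each fetched CDP object with its chain element, section and status. The sample is an excerpt of the post's own output; the function names and the set of statuses treated as healthy are assumptions of this example.

```python
import re

# Excerpt of the leaf-certificate (CertContext[0][0]) part of the output in the post.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate CDP ----------------
Verified "Base CRL (01)" Time: 0 a81cc0f96c56b99ada63dfc473f1884f1e7f4a2c
[0.0] http://s1.company.pri/pki/CompanyIssuingCA.crl
Old Base CRL "Delta CRL (01)" Time: 0 a262281fad8d4568d6f1eb86fbab1caeca42b932
[0.0.0] http://s1.company.pri/pki/CompanyIssuingCA+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (0a)" Time: 0 a262281fad8d4568d6f1eb86fbab1caeca42b932
[0.0] http://s1.company.pri/pki/CompanyIssuingCA+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
"""

CONTEXT = re.compile(r"^CertContext\[\d+\]\[(\d+)\]")        # chain element index
SECTION = re.compile(r"^-{4,} (.+?) -{4,}$")                 # e.g. "Certificate CDP"
STATUS = re.compile(r'^([A-Za-z ]+?) "([^"]*)" Time: \d+ (\S+)$')
URL = re.compile(r"^\[[\d.]+\] (\S+)$")
HEALTHY = {"Verified", "OK"}   # assumption: statuses this example treats as good
ABSENT = {"No URLs"}           # extension not present, so nothing was fetched

def parse_fetches(text):
    """Return one dict per retrieval status line, paired with the URL that follows it."""
    rows, element, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CONTEXT.match(line):
            element, section = int(m.group(1)), None
        elif m := SECTION.match(line):
            section = m.group(1)
        elif m := STATUS.match(line):
            rows.append({"element": element, "section": section, "status": m.group(1),
                         "object": m.group(2), "hash": m.group(3), "url": None})
        elif (m := URL.match(line)) and rows and rows[-1]["url"] is None:
            rows[-1]["url"] = m.group(1)
    return rows

def unhealthy(rows):
    """Rows whose status is neither healthy nor simply absent."""
    return [r for r in rows if r["status"] not in HEALTHY | ABSENT]

if __name__ == "__main__":
    for r in unhealthy(parse_fetches(SAMPLE)):
        print(r["element"], r["section"], r["status"], r["object"], r["url"], sep=" | ")
```

On the excerpt, the only row flagged is the "Old Base CRL" status reported for the delta CRL under the leaf certificate's CDP section.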