Kristin L. Griffin
Hi Folks,
I have been messing around with the PKIView tool to figure out what makes it
tick.
I understand that if I make changes to the AIA and CDP extensions in the
Cert Auth Properties, that I have to re-issue the CAExch cert because PKIView
uses the data in that cert to show status of these locations.
However, I have found something else that makes PKIView show errors, and I
don't understand it.
The error is reproducible.
It has to do with the "Include in the CDP extension of issued certificates"
check box for http URL entries for the CDP extension area of the Cert Auth
Properties.
In the help file it states that you "check this box if you want to use a URL
as a CRL distribution point".
That's confusing. I thought that adding the URLs in the first place showed
users where to get CRL and CA cert files. So why the need for this
additional checkbox?
Anyway, I have 2 CDP entries. The registry shows them like this:
7:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
4:http://%1/CertEnroll/%3%8%9.crl
Here is the reproducible error.
I highlight the HTTP URL and check the box to use the URL as a CRL
distribution point, and then refresh PKIView.
I get an error: DeltaCRL Location #2 Unable to download.
This location is pointing to a
file://BIGFIRMCA1.bigfirm.com/certenroll/bigfirm-CA1-CA(6)+.crl
If I right click on the error and choose COPY URL, and paste that in a
browser, I get a file.
If I remove this check box the error goes away.
This does not happen if I check or uncheck this box corresponding to the
LDAP URL.
Why on earth is the location pointing to a FILE url anyway? And what is the
connection with this setting?
The certutil -verify -urlfetch command output run on the newest CAExch cert
is below too.
Many thanks!
Kristin
PS - I know the verify url.txt file shows a bunch of lines like this:
Wrong Issuer "Certificate (2)" Time: 0
I reissued the CA cert a bunch of times at one point to see what happened.
I assume this is why I am seeing those lines...
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Administrator.BIGFIRM>certutil -verify -urlfetch c:\test4.cer
Issuer:
CN=bigfirm-BIGFIRMCA1-CA
DC=bigfirm
DC=com
Subject:
CN=bigfirm-BIGFIRMCA1-CA-Xchg
DC=bigfirm
DC=com
Cert Serial Number: 6106c8b1000600000057
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Hours, 37 Minutes, 40 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Hours, 37 Minutes, 40 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=bigfirm-BIGFIRMCA1-CA, DC=bigfirm, DC=com
NotBefore: 3/4/2008 3:33 PM
NotAfter: 3/11/2008 3:43 PM
Subject: CN=bigfirm-BIGFIRMCA1-CA-Xchg, DC=bigfirm, DC=com
Serial: 6106c8b1000600000057
Template: CAExchange
Template: CA Exchange
bf fa 68 00 46 b3 e6 df 46 47 51 da 2f be 28 b4 e5 09 cc 5d
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0]
ldap:///CN=bigfirm-BIGFIRMCA1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bigfirm,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (1)" Time: 0
[0.1]
ldap:///CN=bigfirm-BIGFIRMCA1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bigfirm,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (2)" Time: 0
[0.2]
ldap:///CN=bigfirm-BIGFIRMCA1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bigfirm,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (3)" Time: 0
[0.3]
ldap:///CN=bigfirm-BIGFIRMCA1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bigfirm,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (4)" Time: 0
[0.4]
ldap:///CN=bigfirm-BIGFIRMCA1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bigfirm,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (5)" Time: 0
[0.5]
ldap:///CN=bigfirm-BIGFIRMCA1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bigfirm,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (6)" Time: 0
[0.6]
ldap:///CN=bigfirm-BIGFIRMCA1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bigfirm,DC=com?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0]
http://bigfirmca1.bigfirm.com/CertEnroll/BIGFIRMCA1.bigfirm.com_bigfirm-BIGFIRMCA1-CA(6).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (45)" Time: 0
[0.0]
http://bigfirmca1.bigfirm.com/CertEnroll/bigfirm-BIGFIRMCA1-CA(6).crl
Verified "Delta CRL (45)" Time: 0
[0.0.0]
http://bigfirmca1.bigfirm.com/CertEnroll/bigfirm-BIGFIRMCA1-CA(6)+.crl
Failed "CDP" Time: 0
Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
[0.1.0]
file://BIGFIRMCA1.bigfirm.com/CertEnroll/bigfirm-BIGFIRMCA1-CA(6)+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (46)" Time: 0
[0.0]
http://bigfirmca1.bigfirm.com/CertEnroll/bigfirm-BIGFIRMCA1-CA(6)+.crl
Failed "CDP" Time: 0
Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
file://BIGFIRMCA1.bigfirm.com/CertEnroll/bigfirm-BIGFIRMCA1-CA(6)+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 45:
Issuer: CN=bigfirm-BIGFIRMCA1-CA, DC=bigfirm, DC=com
49 71 74 14 32 b5 ee 36 af 2f ed 59 f9 c0 91 83 63 08 5c d2
Delta CRL 46:
Issuer: CN=bigfirm-BIGFIRMCA1-CA, DC=bigfirm, DC=com
4f 51 b4 1d b4 a4 8f 09 fc ab a1 01 eb ec 7e 91 cf 24 2b a1
Application[0] = 1.3.6.1.4.1.311.21.5 Private Key Archival
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=bigfirm-BIGFIRMCA1-CA, DC=bigfirm, DC=com
NotBefore: 3/4/2008 1:54 PM
NotAfter: 3/5/2013 2:04 PM
Subject: CN=bigfirm-BIGFIRMCA1-CA, DC=bigfirm, DC=com
Serial: 2ef74929617bd7a744bd687ba6947828
1c 4e 88 de 4c c4 f4 82 bd 36 7c 8f 02 74 c0 1d df 7f 20 66
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
c1 18 ef 26 63 88 38 c6 b7 95 b7 8f 7f 85 79 e5 d8 00 2b f5
Full chain:
a9 10 81 8e 4f ee 69 7b e5 6b 90 64 14 6e 51 52 30 e2 61 ae
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.4.1.311.21.5 Private Key Archival
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
C:\Users\Administrator.BIGFIRM>
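The registry entries quoted in the post ("7:ldap:///...", "4:http://...") are "<flags>:<template>" strings from the CA's CRLPublicationURLs value. The script below is an added example, not code from the post or from Microsoft: it decodes the numeric prefix into the CSURL_* bits from the AD CS SDK headers (each bit is one checkbox on the Extensions tab, including the "Include in the CDP extension of issued certificates" box the post asks about), expands the %N tokens the way the CA does, and warns when a URL scheme that chain builders cannot fetch, such as file://, carries a client-facing flag, which is the shape of the failure the pasted certutil output reports as 0x80070032. The token values for %1, %3, %7 and %8 are read off the certutil output; %2, %6 and %10 are inferred from the LDAP URLs it shows. The file:// entry in the sample list is constructed to exercise the check and is not claimed to be the post's configuration.

```python
"""Decode AD CS CRLPublicationURLs entries ("<flags>:<template>") and expand
their %N tokens.  Added example; not code from the post or from Microsoft.
"""
import re
from dataclasses import dataclass

# CSURL_* bit (AD CS SDK) -> (name, checkbox label on CA Properties > Extensions)
CDP_FLAGS = {
    0x01: ("CSURL_SERVERPUBLISH", "Publish CRLs to this location"),
    0x02: ("CSURL_ADDTOCERTCDP", "Include in the CDP extension of issued certificates"),
    0x04: ("CSURL_ADDTOFRESHESTCRL", "Include in CRLs. Clients use this to find Delta CRL locations."),
    0x08: ("CSURL_ADDTOCRLCDP", "Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually."),
    0x40: ("CSURL_SERVERPUBLISHDELTA", "Publish Delta CRLs to this location"),
    0x80: ("CSURL_ADDTOIDP", "Include in the IDP extension of issued CRLs"),
}
CLIENT_FACING = 0x02 | 0x04 | 0x08 | 0x80   # URL lands in a cert or CRL extension
FETCHABLE_SCHEMES = ("http", "ldap")        # what CryptoAPI retrieves while chain building

# Token values for the CA in the post (%2, %6, %10 inferred from its LDAP URLs).
BIGFIRM_TOKENS = {
    "1": "bigfirmca1.bigfirm.com",               # ServerDNSName
    "2": "BIGFIRMCA1",                           # ServerShortName (inferred)
    "3": "bigfirm-BIGFIRMCA1-CA",                # CaName
    "6": "CN=Configuration,DC=bigfirm,DC=com",   # ConfigDN (inferred)
    "7": "bigfirm-BIGFIRMCA1-CA",                # CATruncatedName
    "8": "(6)",                                  # CRLNameSuffix: CA key index 6
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # CDPObjectClass (inferred)
}

# The two entries quoted in the post, plus one CONSTRUCTED file:// entry with
# bits 2 and 4 set, to exercise the dead-link check below.
POST_ENTRIES = [
    "7:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
    "4:http://%1/CertEnroll/%3%8%9.crl",
]
CONSTRUCTED_FILE_ENTRY = "6:file://%1/CertEnroll/%3%8%9.crl"

_ENTRY_RE = re.compile(r"^(\d+):(.+)$")
_TOKEN_RE = re.compile(r"%(1[01]|[1-9])")   # %10/%11 must win over %1


@dataclass(frozen=True)
class CdpEntry:
    flags: int
    template: str


def parse_entry(raw):
    """Split "<flags>:<template>"; the template may itself contain a drive colon."""
    m = _ENTRY_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a <flags>:<url> entry: {raw!r}")
    return CdpEntry(int(m.group(1)), m.group(2))


def flag_names(flags):
    """CSURL_* names set in a flags value, lowest bit first."""
    return [name for bit, (name, _) in sorted(CDP_FLAGS.items()) if flags & bit]


def scheme_of(template):
    """URL scheme; a bare local path such as C:\\Windows\\... counts as file."""
    return template.split("://", 1)[0].lower() if "://" in template else "file"


def expand(template, tokens, delta=False):
    """Expand %N tokens; %9 (DeltaCRLAllowed) is "+" for a delta CRL, else empty."""
    values = {**tokens, "9": "+" if delta else ""}
    return _TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def audit(entry, tokens):
    """Warn when a URL is advertised to clients but uses a scheme they cannot fetch."""
    scheme = scheme_of(entry.template)
    warnings = []
    if entry.flags & CLIENT_FACING and scheme not in FETCHABLE_SCHEMES:
        # Same shape as the post's failure: a file:// delta CRL URL that
        # certutil -urlfetch rejects with 0x80070032 (WIN32: 50).
        warnings.append(
            f"{scheme}:// URL {expand(entry.template, tokens, delta=True)} is advertised via "
            f"{flag_names(entry.flags & CLIENT_FACING)} but chain builders cannot fetch it"
        )
    return warnings


def audit_set(raw_entries, tokens):
    """Per-entry warnings plus one set-wide check on the certificate CDP extension."""
    entries = [parse_entry(r) for r in raw_entries]
    report = {e.template: audit(e, tokens) for e in entries}
    if not any(e.flags & 0x02 for e in entries):
        report["*"] = ["no URL has CSURL_ADDTOCERTCDP: issued certificates will carry no CDP extension"]
    return report


if __name__ == "__main__":
    for raw in POST_ENTRIES + [CONSTRUCTED_FILE_ENTRY]:
        e = parse_entry(raw)
        print(f"{e.flags:>3} = {', '.join(flag_names(e.flags)) or 'none'}")
        print("     base :", expand(e.template, BIGFIRM_TOKENS))
        print("     delta:", expand(e.template, BIGFIRM_TOKENS, delta=True))
        for w in audit(e, BIGFIRM_TOKENS):
            print("     WARN :", w)
```

Run it against the output of `certutil -getreg CA\CRLPublicationURLs` on the CA to see which checkbox each numeric prefix corresponds to; ticking "Include in the CDP extension of issued certificates" on an entry adds 2 to its prefix, and only entries that carry bit 2 appear in the CDP extension of newly issued certificates, including the CAExchange certificate that PKIView reads.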