Certificate Revocation Status Unavailable
Posted by jaywinks@charter.net on June 29th, 2005


I have a two-tier CA hierarchy with an offline root and a subordinate
(both 2003 SP1) who both publish CRLs which are available via a common
folder on an anonymous web server. The CRLs for both are available and
current, yet IE with revocation checking turned on returns the error
that the revocation status is unavailable. I saw where someone else had
had a similar problem and the request came for them to use "certutil
-verify -urlfetch ProblemCert.cer" to run down the problem. They never
did, but I decided to try it for my problem. I was overwhelmed with the
verbosity. Can someone help me decipher what part of the CRLs and/or
AIAs is missing that is needed to make that dang warning dialog go
away? I'd really owe ya.

Here is the output, slightly fictionalized:

certutil -verify -urlfetch webmail.cer
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Issuer:
CN=CorSM-1
DC=MyCorp
DC=com
Subject:
E=postmaster@MyCorp.com
CN=webmail.MyCorp.com
OU=HQ
O=MyCorp Corporation
L=Anytown
S=California
C=US
Cert Serial Number: 6250a1ec000200000009

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
(0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN
(0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION
(0x1000000)
ChainContext.dwRevocationFreshnessTime: 4 Days, 18 Hours, 23 Minutes,
14 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION
(0x1000000)
SimpleChain.dwRevocationFreshnessTime: 4 Days, 18 Hours, 23 Minutes, 14
Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=CorSM-1, DC=MyCorp, DC=com
Subject: E=postmaster@MyCorp.com, CN=webmail.MyCorp.com, OU=HQ,
O=MyCorp Corporation, L=Anytown, S=California, C=US
Serial: 6250a1ec000200000009
Template: WebServer
ab 66 79 0a ec ed 64 21 3c ac 07 43 fe 22 47 b8 c2 9a 52 01
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://netinfo.MyCorp.com/services/PKI/AIAs/CorSM-1.crt

---------------- Certificate CDP ----------------
Verified "Base CRL (189)" Time: 0
[0.0] http://netinfo.MyCorp.com/Services/PKI/CRLs/CorSM-1.crl

Old Base CRL "Delta CRL (189)" Time: 0
[0.0.0] http://netinfo.MyCorp.com/services/pki/CRLs/CorSM-1.crl

---------------- Base CRL CDP ----------------
OK "Base CRL (189)" Time: 0
[0.0] http://netinfo.MyCorp.com/services/pki/CRLs/CorSM-1.crl

Old Base CRL "Delta CRL (189)" Time: 0
[0.0.0] http://netinfo.MyCorp.com/services/pki/CRLs/CorSM-1.crl

--------------------------------
CRL 189:
Issuer: CN=CorSM-1, DC=MyCorp, DC=com
b7 fe 0a 7c 5c dd 90 ef c5 aa 54 bb dc 70 15 74 61 d0 f6 32
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA.MyCorp.com
Subject: CN=CorSM-1, DC=MyCorp, DC=com
Serial: 617671eb000100000004
Template: SubCA
5c 8f 2c e2 2d d3 e8 52 73 5c 71 e6 7e f6 fa e1 bb eb dd c8
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://netinfo.MyCorp.com/services/PKI/AIAs/RootCA.crt

---------------- Certificate CDP ----------------
Verified "Base CRL (3)" Time: 0
[0.0]
http://netinfo.MyCorp.com/Services/P...MyCorp.com.crl

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 3:
Issuer: CN=RootCA.MyCorp.com
38 e6 59 5b ac e6 6e 71 5a 79 18 5c 8f 1c f0 bd 94 6c 8d 32

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA.MyCorp.com
Subject: CN=RootCA.MyCorp.com
Serial: 5a71c33e177106b74ce28dd7730e3aac
8a 2f 59 43 fa e4 47 20 19 56 2f 9c 12 9a 7d 40 53 0d 2d e4
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL (3)" Time: 0
[0.0]
http://netinfo.MyCorp.com/Services/P...MyCorp.com.crl

--------------------------------

Exclude leaf cert:
dc f9 85 6e 85 5a be ae f1 6d 38 2b 9e 4e b8 07 ac 8a 2a a7
Full chain:
80 86 ff d6 fd fc 4a 82 28 ca 46 a3 9b 89 c1 93 75 fa bb ca
Issuer: CN=CorSM-1, DC=MyCorp, DC=com
Subject: E=postmaster@MyCorp.com, CN=webmail.MyCorp.com, OU=HQ,
O=MyCorp Corporation, L=Anytown, S=California, C=US
Serial: 6250a1ec000200000009
Template: WebServer
ab 66 79 0a ec ed 64 21 3c ac 07 43 fe 22 47 b8 c2 9a 52 01
The revocation function was unable to check revocation because the
revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
419.3401.0: 0x80092013 (-2146885613)
Revocation check skipped -- server offline

ERROR: Verifying leaf certificate revocation status returned The
revocation function was unable to check revocation because the
revocation server
was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation
because the revocation server was offline.
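An added example, not code from the post or from certutil: a small Python parser for the "-verify -urlfetch" output above. It decodes the dwInfoStatus/dwErrorStatus fields using only the CERT_TRUST_* bit values certutil printed in this post, and it flags the pattern visible under the leaf element, where the "Delta CRL (189)" fetch from the same URL as the base CRL comes back labelled "Old Base CRL". The regexes and the SAMPLE text are assumptions modelled on the line-wrapped output as it appears in the post.

```python
import re
# Status bits exactly as certutil names them in the post above (only the ones it shows there).
ERROR_FLAGS = {0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN", 0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}
INFO_FLAGS = {0x2: "CERT_TRUST_HAS_KEY_MATCH_ISSUER", 0x4: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
              0x8: "CERT_TRUST_IS_SELF_SIGNED", 0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER"}
ELEMENT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=(\w+) dwErrorStatus=(\w+)")
FETCH_RE = re.compile(r'^(Verified|OK|Old Base CRL|No URLs) "([^"]+)"')
URL_RE = re.compile(r"^\[[\d.]+\]\s*(\S*)$")

def decode_flags(hexvalue, table):
    value = int(hexvalue, 16)  # e.g. "1000040" -> 0x40 | 0x1000000
    return [name for bit, name in table.items() if value & bit]

def parse_chain(text):
    """One dict per chain element: decoded status bits plus every AIA/CDP fetch listed under it."""
    lines = [ln.strip() for ln in text.splitlines()]
    elements, element, fetch = [], None, None
    for i, line in enumerate(lines):
        if m := ELEMENT_RE.match(line):
            element = {"index": int(m[1]), "info": decode_flags(m[2], INFO_FLAGS),
                       "errors": decode_flags(m[3], ERROR_FLAGS), "fetches": []}
            elements.append(element)
        elif (m := FETCH_RE.match(line)) and element is not None:
            fetch = {"status": m[1], "object": m[2], "url": ""}
            element["fetches"].append(fetch)
        elif (m := URL_RE.match(line)) and fetch is not None:
            # certutil wraps a long URL onto the line after "[0.0]"; pick it up from there.
            fetch["url"] = m[1] or (lines[i + 1] if i + 1 < len(lines) else "")
            fetch = None
    return elements

def diagnose(elements):
    """Error bits per element, plus a 'Delta CRL' fetch that came back as an old base CRL from the
    same URL as the base CRL (compared case-insensitively; the post's paths differ only in case)."""
    findings = []
    for el in elements:
        base = {f["url"].lower() for f in el["fetches"] if f["object"].startswith("Base CRL") and f["url"]}
        for f in el["fetches"]:
            if f["object"].startswith("Delta CRL") and f["status"] == "Old Base CRL" and f["url"].lower() in base:
                findings.append((el["index"], f"delta CRL fetch from {f['url']} returned an old base CRL"))
        findings.extend((el["index"], name) for name in el["errors"])
    return findings

# Constructed sample: the leaf element's CDP lines copied from the post, trimmed to what is parsed here.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Verified "Base CRL (189)" Time: 0
[0.0] http://netinfo.MyCorp.com/Services/PKI/CRLs/CorSM-1.crl
Old Base CRL "Delta CRL (189)" Time: 0
[0.0.0] http://netinfo.MyCorp.com/services/pki/CRLs/CorSM-1.crl
"""
```

Running `diagnose(parse_chain(SAMPLE))` lists the delta-CRL fetch finding followed by the two error bits that certutil spelled out for the leaf, which is the part of the dump worth reading first when hunting a "revocation server offline" result.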

