The revocation function was unable to check revocation because the revocation server was offline

1

I have a certificate chain: MYROOTCERT -> MYCHILDCERT. The MYCHILDCERT certificate has a CRL distribution point extension:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://pacem/mychildcert.crl

The problem is that I cannot connect with this certificate, and when I check it with the certutil -verify command I get the "revocation server was offline" error:

C:\Users\Administrator>certutil -verify -urlfetch C:\Share\mycerts\MYCHILDCERT.cer
Issuer:
    CN=MYROOTCERT
Subject:
    CN=MYCHILDCERT
Cert Serial Number: 0af7c4fb38ad0bd258fde6356117896519

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
  Issuer: CN=MYROOTCERT
  NotBefore: 1/1/2000 3:00 AM
  NotAfter: 1/1/2500 3:00 AM
  Subject: CN=MYCHILDCERT
  Serial: 0af7c4fb38ad0bd258fde6356117896519
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  OK "Base CRL" Time: 14
    [0.0] http://pacem/mychildcert.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
Missing Issuer: CN=MYROOTCERT
  Issuer: CN=MYROOTCERT
  NotBefore: 1/1/2000 3:00 AM
  NotAfter: 1/1/2500 3:00 AM
  Subject: CN=MYCHILDCERT
  Serial: 0af7c4fb38ad0bd258fde6356117896519
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    CN=MYROOTCERT
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

I checked the IIS logs and I can see that the file is being accessed during this verification:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-06-22 16:50:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-06-22 16:50:16 fe80::3d38:f18e:f98:acf3%11 GET /mychildcert.crl - 80 - fe80::3d38:f18e:f98:acf3%11 Microsoft-CryptoAPI/6.1 200 0 0 84

When I enter the URL in the browser, it downloads the file. Could the CRL file itself be invalid? I checked the dates and they seem to be fine:

Is there anything else I need to do to get certificate revocation checking to work?

asked by username 21.06.2017 / 19:16

0 answers