Why is my certificate not being validated?
To track down your issue I suggest you use certutil.exe to verify your certificate and see the steps being taken. See here for an example:
As you mentioned, your problem turned out to be with the CRL being expired. Here are some links that talk about CRLs, and how to publish/reissue them.
http://technet.microsoft.com/en-us/library/cc737180(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc782041(v=ws.10).aspx
Alexandru
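The X509Chain.Build() check the question describes, written out as an added diagnostic example (not code from the original post): it forces online revocation checking, then walks every chain element so a revocation failure is attributed to the leaf or to a specific intermediate CA, and prints each certificate's CRL distribution points so you can fetch the CRL by hand and inspect its validity period. The certificate path is a placeholder, and rendering the CDP extension via Format() assumes the Windows CryptoAPI formatter that .NET Framework uses.

```csharp
// Added example, not from the original post: build a chain for a certificate
// file with online revocation checking and report which element carries
// which status, plus the CRL distribution points the checker has to fetch.
using System;
using System.Security.Cryptography.X509Certificates;

class ChainDiagnostics
{
    static void Main(string[] args)
    {
        // Placeholder path: use the certificate exported from the MMC snap-in.
        string path = args.Length > 0 ? args[0] : @"C:\temp\issued-cert.cer";
        var cert = new X509Certificate2(path);

        var chain = new X509Chain();
        // Online forces CRL/OCSP fetching instead of relying on the local cache.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        // Check the leaf and every intermediate; self-signed roots carry no CRL.
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(cert);
        Console.WriteLine("Build result: " + ok);

        // Element 0 is the leaf, the last element is the root. A status such as
        // OfflineRevocation or RevocationStatusUnknown on an intermediate means
        // that CA's CRL (not the leaf's) could not be fetched or is stale.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine("Element: " + element.Certificate.Subject);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("  " + status.Status + ": " + status.StatusInformation.Trim());
            PrintCrlDistributionPoints(element.Certificate);
        }
    }

    // The CDP extension (OID 2.5.29.31) lists where this certificate's CRL is
    // published. .NET exposes it as a generic extension here, so Format() is
    // used to render the URLs (assumes the Windows formatter is available).
    static void PrintCrlDistributionPoints(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid.Value == "2.5.29.31")
                Console.WriteLine("  CDP: " + ext.Format(true).Trim());
        }
    }
}
```

The certutil route from the answer is `certutil -verify -urlfetch issued-cert.cer`, which performs the same fetches and prints each CRL's validity window, so an expired CRL shows up directly.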
Updated on June 04, 2022
Comments
-
Alexandru almost 2 years
I have a certificate server on a network with two servers that come before it in the chain, so when I view the Certification Path of my certificate in MMC, I see two certificates above it. Originally, validating this certificate did not work because there was an error with revocation during my custom validator using the X509Chain.Build() method. So, since I realized my generated certificate did not contain any CRL distribution points, I made the certificate server generate them, so now using the checkbox, "Include in the CDP extension of issued certificates" in my certificate server, the certificate server generates an HTTP CRL distribution point for this certificate and I see it. I can even access the URL it contains and download the CRL file. The problem now is that while I try validating this certificate in my service application running under the local system account, I get the following error in the X509Chain.ChainStatus list after issuing an X509Chain build:
Status: OfflineRevocation StatusInformation: The revocation function was unable to check revocation because the revocation server was offline.
Using a console application running under my administrator account, I get the following error:
Status: RevocationStatusUnknown StatusInformation: The revocation function was unable to check revocation for the certificate.
Does anyone have some ideas on what I can try next to get revocation to work for my certificate so that I can actually validate it? I don't seem to have any issues pinging my certificate server, either.
-
Alexandru over 10 years
For those of you out there, I also set up publish paths on the CA's extensions, so you might wanna do that too before you publish your revocation lists.
-
Khaleel Hmoz over 7 years
I have the same exact issue, my result from the certutil contains Missing Issuer = "CN=testRoot8" Incomplete certificate chain Cannot find certificate: CN=testRoot8 Cannot check leaf certificate revocation status ... And no idea what I'm missing