TinyCA 生成的证书被 Exchange 2013 拒绝

tag-icon tag-icon certificate exchange-2013 certificate-authority
TinyCA 生成的证书被 Exchange 2013 拒绝

我使用 TinyCA2 创建了一个 CA,并为我的 Exchange 2013 服务器创建了一个证书。虽然证书在 Exchange 上安装得很好,但 Exchange 总是显示“吊销检查失败”。(我尝试了 10 个不同的证书)

我的 CRL 在 LAN 上可见,并且可以从 Exchange 服务器上的 Web 浏览器检索该文件。TinyCA2 中设置的 CA 证书列出了“http://myserver.com/crl.pem“作为 CRL。

Exchange shell显示:

Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {newmail.myco.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MyCo, C=CA
NotAfter           : 2/26/2026 9:21:09 PM
NotBefore          : 2/29/2016 9:21:09 PM
PublicKeySize      : 2048
RootCAType         : GroupPolicy
SerialNumber       : 03
Services           : IMAP, POP
Status             : RevocationCheckFailure
Subject            : C=CA, S=Michigan, L=Detroit, O=MYCO, OU=IT3, CN=newmail.myco.com
Thumbprint         : 3EF2C92F4D3747B9

certutil 显示:

  Serial: 04
  SubjectAltName: No alternative name
  06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
The revocation function was unable to check revocation for the certificate. 0x80
092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Cert is an End Entity certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

我还需要做些什么才能让交易所接受证书吗?为什么 CRL 不被接受?

我们以前有一个 Windows CA,但已将其关闭。尝试切换到 Linux。我是否需要告诉 DC 有关 Windows CA 不再处于活动状态的信息?(Exchange 是否正在检查旧 Windows CA 的 CRL?)

更新:叶证书的“certutil -urlfetch -verify”结果:

Issuer:
    CN=My Company
    C=CA
  Name Hash(sha1): b6b02cfd24a47572f68a85a398322f978989d9ef
  Name Hash(md5): 5333e962243f00751ee6fcf5b62973b9
Subject:
    C=CA
    S=State
    L=City
    O=mydomain
    OU=IT4
    CN=newmail.mydomain.com
  Name Hash(sha1): 1a7840c8a10059e8e2b87e32f32426dd6ad3d60a
  Name Hash(md5): 1b0581a411b0c14d057203950e3aca98
Cert Serial Number: 04

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
  Issuer: CN=My Company, C=CA
  NotBefore: 2/29/2016 9:45 PM
  NotAfter: 2/26/2026 9:45 PM
  Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
  Serial: 04
  SubjectAltName: No alternative name
  06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: CN=My Company, C=CA
  NotBefore: 2/29/2016 8:17 PM
  NotAfter: 2/26/2026 8:17 PM
  Subject: CN=My Company, C=CA
  Serial: 86278a3832426d41
  SubjectAltName: No alternative name
  353c6f365f9d7b2e623b7c228e937adac5ee3a2b
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
Full chain:
  b8408cac425b1604c28a619181394d7f057607e0
  Issuer: CN=My Company, C=CA
  NotBefore: 2/29/2016 9:45 PM
  NotAfter: 2/26/2026 9:45 PM
  Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
  Serial: 04
  SubjectAltName: No alternative name
  06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
The revocation function was unable to check revocation for the certificate. 0x80
092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Cert is an End Entity certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

答案1

我不确定您为什么会认为这是 Windows 问题。看起来您有一个有效的证书,但没有吊销信息。验证您的 CRL 是否在线,以及 CRL 是否在证书中。

答案2

对于遇到此问题的其他任何人:TinyCA 创建的证书没有 CRL。虽然这对于大多数 Linux 主机来说没问题,但 Exchange(也许所有现代 Windows 主机)都需要 CRL。因此解决方案是不再使用 TinyCA。相反,尝试 XCA(我确认它可以工作)。

答案3

您可以在 TinyCA2 中配置 crlDistributionPoints。只需打开您的颁发 CA。从菜单中选择“首选项/OpenSSL 配置”。

转到“服务器证书设置”选项卡并添加 crlDistributionPoints。

相关内容