The revocation function was unable to check revocation because the revocation server was offline

I have a certificate chain: MYROOTCERT -> MYCHILDCERT. The MYCHILDCERT certificate has a CRL Distribution Point extension:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://pacem/mychildcert.crl

The problem is that I am unable to connect using this certificate, and when I check it with the certutil -verify command I get a "revocation server was offline" error:

C:\Users\Administrator>certutil -verify -urlfetch C:\Share\mycerts\MYCHILDCERT.cer
Issuer:
    CN=MYROOTCERT
Subject:
    CN=MYCHILDCERT
Cert Serial Number: 0af7c4fb38ad0bd258fde6356117896519

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
  Issuer: CN=MYROOTCERT
  NotBefore: 1/1/2000 3:00 AM
  NotAfter: 1/1/2500 3:00 AM
  Subject: CN=MYCHILDCERT
  Serial: 0af7c4fb38ad0bd258fde6356117896519
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  OK "Base CRL" Time: 14
    [0.0] http://pacem/mychildcert.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
Missing Issuer: CN=MYROOTCERT
  Issuer: CN=MYROOTCERT
  NotBefore: 1/1/2000 3:00 AM
  NotAfter: 1/1/2500 3:00 AM
  Subject: CN=MYCHILDCERT
  Serial: 0af7c4fb38ad0bd258fde6356117896519
  4f 05 df 0f 85 1a 72 48 07 7a ae 2c 3e cd 09 6b cb 0e 1b fc
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    CN=MYROOTCERT
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

I checked the IIS logs and found that the file was indeed accessed during the check:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-06-22 16:50:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-06-22 16:50:16 fe80::3d38:f18e:f98:acf3%11 GET /mychildcert.crl - 80 - fe80::3d38:f18e:f98:acf3%11 Microsoft-CryptoAPI/6.1 200 0 0 84

When I enter the URL in a browser it downloads the file. Could the CRL file itself be invalid? I checked the dates and they seem fine.

Is there anything else I need to do to make certificate revocation checking work?
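A PowerShell diagnostic that reproduces the chain build from the question in .NET and separates the two findings in the certutil output (the missing issuer, and the revocation status that depends on it). This is an added example, not code from the question; the path to MYROOTCERT.cer is an assumption.

```powershell
# Added diagnostic, not part of the original question. Paths are assumptions:
# the leaf path is the one shown in the question, the root path is a guess at
# where MYROOTCERT.cer is kept on the same machine.
$LeafPath   = 'C:\Share\mycerts\MYCHILDCERT.cer'
$IssuerPath = 'C:\Share\mycerts\MYROOTCERT.cer'
$X509 = 'System.Security.Cryptography.X509Certificates'
$leaf = New-Object "$X509.X509Certificate2" $LeafPath

# 1. Is the issuer in the machine's trusted root store? certutil reported
#    CERT_TRUST_IS_PARTIAL_CHAIN and "Cannot find certificate: CN=MYROOTCERT",
#    which is a trust-store problem, not a CRL download problem.
$store = New-Object "$X509.X509Store" 'Root', 'LocalMachine'
$store.Open('ReadOnly')
$issuer = $store.Certificates | Where-Object { $_.Subject -eq $leaf.Issuer }
$store.Close()
if ($issuer) { "Issuer found in LocalMachine\Root: $($issuer.Thumbprint)" }
else         { "Issuer '$($leaf.Issuer)' is NOT in LocalMachine\Root" }

# 2. Build the chain with online revocation checking, as -urlfetch does. If the
#    issuer is not trusted, add it to ExtraStore for this build only: without the
#    issuer's public key the CRL signature cannot be verified, so the engine
#    reports the revocation status as unknown/offline even when the CRL downloads.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if (-not $issuer -and (Test-Path $IssuerPath)) {
    $chain.ChainPolicy.ExtraStore.Add((New-Object "$X509.X509Certificate2" $IssuerPath)) | Out-Null
}
$built = $chain.Build($leaf)
"X509Chain.Build returned $built; status flags:"
foreach ($s in $chain.ChainStatus) { '  {0,-28} {1}' -f $s.Status, $s.StatusInformation.Trim() }

# 3. Fetch the CRL named in the CDP extension (OID 2.5.29.31) and dump its issuer
#    and validity window, so the CRL can be compared with the certificate's issuer
#    independently of the chain engine.
$cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    $url = [regex]::Match($cdp.Format($true), 'URL=(\S+)').Groups[1].Value
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
    "Downloaded $url ($((Get-Item $tmp).Length) bytes); CRL summary:"
    certutil -dump $tmp | Select-String 'Issuer|ThisUpdate|NextUpdate|CRL Entries'
}
```

If step 1 reports the issuer missing, the PartialChain flag in step 2 is the condition to fix first; the revocation flags are a consequence of it rather than of the web server being unreachable.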
