I am trying to publish the revoked certificates (the CRL), but when I do it from the Certification Authority console I get an unknown failure:
Application log in Event Viewer:
It says: Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com. Operation aborted 0x80004004 (-2147467260 E_ABORT).
I searched LDAP with JXplorer for "CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com" and was able to find the CRL:
Here is the issued leaf certificate:
certutil -verify -urlfetch C:\Users\Administrator.WIN-TJO4EL48O29\Desktop\Legacy-Crypto-Prov-aduser1-cert-1.cer
Issuer:
CN=ad-WIN-TJO4EL48O29-CA
DC=ad
DC=testdomain
DC=com
Name Hash(sha1): 220e2a04c1eb8be0bfcf76501038643e5a116101
Name Hash(md5): 94dcd520c11b2c4a2327043bda098d3c
Subject:
CN=aduser1 ta1. test
CN=Users
DC=ad
DC=testdomain
DC=com
Name Hash(sha1): b293b40fdd091f568d04b8bbef3b91c1344cee26
Name Hash(md5): 528c81260b6dd49cb7867d03560e6ad1
Cert Serial Number: 750000000dea8d80286ceaef9300000000000d
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Minutes, 6 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Minutes, 6 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
NotBefore: 10/5/2022 5:28 PM
NotAfter: 10/4/2024 5:28 PM
Subject: CN=aduser1 ta1. test, CN=Users, DC=ad, DC=testdomain, DC=com
Serial: 750000000dea8d80286ceaef9300000000000d
SubjectAltName: Other Name:Principal [email protected]
Template: SC2
Cert: a2aff7c45cc99de276b3774a31c1b186f749aaa9
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 6143121a80ec40fd187470ae48a894919a4109d5
[0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Expired "Base CRL (02)" Time: 0 f9619fc274c3d3321d22169586c5f9bd753ce7c2
[0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
[0.0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Base CRL CDP ----------------
Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
[0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Delta CRL (16)" Time: 0 a547d441246d10f21f5e177f670d7b6539a68cf6
[1.0] http://WIN-TJO4EL48O29.ad.testdomain.com/CertEnroll/ad-WIN-TJO4EL48O29-CA+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 16:
Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
ThisUpdate: 10/7/2022 1:45 PM
NextUpdate: 10/15/2022 2:05 AM
CRL: 2e21644c799a4059ef2ed1b0152f092d55b1390c
Delta CRL 16:
Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
ThisUpdate: 10/7/2022 1:45 PM
NextUpdate: 10/9/2022 2:05 AM
CRL: a547d441246d10f21f5e177f670d7b6539a68cf6
Application[0] = 1.3.6.1.4.1.44986.2.1.1 Smartcard Logon PIV Key 9A
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
NotBefore: 8/20/2022 2:57 PM
NotAfter: 8/20/2032 3:07 PM
Subject: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
Serial: 786d96c2eb685a82477cc3154193d4a8
Cert: 6143121a80ec40fd187470ae48a894919a4109d5
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 3d88e70e09134d31c82a24115dea8f343c0c3021
Full chain:
Chain: 07855df296396ba2d1a9a7c114f132f9176b6627
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.4.1.44986.2.1.1 Smartcard Logon PIV Key 9A
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
What is the cause of the error, and how can I fix it?
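Added example, not part of the question or its answer: a stdlib-only Python checker that reads a DER CRL's cRLNumber and deltaCRLIndicator extensions and its nextUpdate, and emits the same Expired/OK "Base CRL (n)" / "Delta CRL (n)" labels that certutil printed for each CDP above, so the LDAP and HTTP copies of a CRL can be compared without the console. The CRLs it checks here are constructed, unsigned samples built by sample_crl (it does no signature verification and assumes well-formed DER); the names der, tlv, children, crl_info, status and sample_crl are this example's own.

```python
from datetime import datetime

OID_CRL_NUMBER = bytes.fromhex("551d14")       # 2.5.29.20 cRLNumber
OID_DELTA_INDICATOR = bytes.fromhex("551d1b")  # 2.5.29.27 deltaCRLIndicator (only present in a delta CRL)

def tlv(buf, i=0):
    """Read one DER tag-length-value at offset i -> (tag, body, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                   # long form: low 7 bits = number of length bytes
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n
def children(body):
    """Elements of a constructed DER value as a list of (tag, body)."""
    out, i = [], 0
    while i < len(body):
        tag, inner, i = tlv(body, i)
        out.append((tag, inner))
    return out
def parse_time(tag, body):                         # UTCTime (0x17) or GeneralizedTime (0x18), UTC
    return datetime.strptime(body.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def crl_info(crl):
    """Kind (Base/Delta), CRL number, thisUpdate and nextUpdate of a DER CertificateList."""
    tbs = children(children(tlv(crl)[1])[0][1])              # TBSCertList fields
    fields = tbs[1:] if tbs[0][0] == 0x02 else tbs           # skip the optional version INTEGER
    info = {"kind": "Base CRL", "number": None, "this_update": parse_time(*fields[2]),
            "next_update": parse_time(*fields[3]) if fields[3][0] in (0x17, 0x18) else None}
    for tag, body in fields:
        if tag == 0xA0:                                      # crlExtensions [0] EXPLICIT
            for _, ext in children(children(body)[0][1]):
                parts = children(ext)                        # OID, [critical BOOLEAN], OCTET STRING
                inner = tlv(parts[-1][1])[1]                 # the INTEGER wrapped in the OCTET STRING
                if parts[0][1] == OID_CRL_NUMBER:
                    info["number"] = int.from_bytes(inner, "big")
                elif parts[0][1] == OID_DELTA_INDICATOR:
                    info["kind"] = "Delta CRL"
    return info
def status(crl, now_iso):  # certutil-style CDP line, e.g. 'Expired "Delta CRL (02)"'
    i = crl_info(crl)
    state = "Expired" if i["next_update"] and datetime.fromisoformat(now_iso) > i["next_update"] else "OK"
    return f'{state} "{i["kind"]} ({i["number"]:02d})"'

def der(tag, body):  # minimal DER encoder, only used to build the constructed samples below
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body
def sample_crl(number, this_iso, next_iso, delta_base=None):
    """Constructed, unsigned sample CRL (dummy signature); not from any real CA."""
    integer = lambda n: der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
    utc = lambda s: der(0x17, datetime.fromisoformat(s).strftime("%y%m%d%H%M%SZ").encode())
    ext = lambda oid, crit, val: der(0x30, der(0x06, oid) + (b"\x01\x01\xff" if crit else b"") + der(0x04, val))
    exts = ext(OID_CRL_NUMBER, False, integer(number))
    exts += ext(OID_DELTA_INDICATOR, True, integer(delta_base)) if delta_base is not None else b""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))     # sha256WithRSAEncryption
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"sample-CA"))))
    tbs = der(0x30, integer(1) + alg + issuer + utc(this_iso) + utc(next_iso) + der(0xA0, der(0x30, exts)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
```

Run status() over the bytes of the certificateRevocationList / deltaRevocationList attributes pulled from the CDP object and over the .crl files fetched from the HTTP CDP; a stale number or an Expired label on one copy but not the other is exactly the mismatch the certutil output above shows.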
Answer 1
I found the answer. It was a corrupt Directory Services ntds database. Log entries in the Applications and Services Logs \ Directory Service log file pointed to the ntds database being corrupt.
The NTDS database was restored, and I can publish CRLs correctly again.
PKIView shows a working setup:
Thanks to those who tried to point me in the right direction, even though a corrupt ntds database was the last thing I expected to run into.