Hi everyone!
I have a requirement where I need to verify the revocation status of a certificate against a CRL issued by the Certificate Authority. This can be done in real time using OCSP by utilizing the command
"Certutil.exe -verify -urlfetch Certificatepath".
This works well on Windows 7 and Windows Server 2008 R2.
But when we try the same command on Windows Server 2003, the command never returns the status and shows the error below:
" The signature of the certificate can not be verified. 0x80096004 (-2146869244)
------------------------------------
CertUtil: -verify command FAILED: 0x80096004 (-2146869244)
CertUtil: The signature of the certificate can not be verified. "
Below is the complete output from the command
Issuer:
CN=<Certification Authority>
OU=<Certification Authorities>
O=Test LLC.
C=US
Subject:
CN=TestCert-valid
OU=Development
O=Test
L=Minneapolis
S=Minnesota
C=US
Cert Serial Number: 2585178a00000000000a
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000048
Issuer: CN=Test Issuing Certification Authority, OU=Test Certification Authorities, O=Test LLC., C=US
Subject: CN=TestSuite1-valid, OU=Development, O=Test, L=Minneapolis, S=Minnesota, C=US
Serial: 2585178a00000000000a
Template: 1.3.6.1.4.1.311.21.8.9714767.7847860.16731308.5494905.11126283.253.11707544.14004296
8a 98 d5 b6 5d 51 39 bc 62 d6 31 41 5c d9 88 78 f9 cf 0b 32
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] http://pki.Test.net/repository/STestCA.crt
---------------- Certificate CDP ----------------
Wrong Issuer "Base CRL (108)" Time: 0
[0.0] http://pki.Test.net/repository/STestCA.crl
--------------------------------
Issuance[0] = 1.3.6.1.4.1.37583.509.50.1.3
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=2 dwErrorStatus=1000048
Issuer: CN=Test Root Certification Authority, OU=Test Certification Authories, O=Test LLC., C=US
Subject: CN=Test Issuing Certification Authority, OU=Test Certification Authorities, O=Test LLC., C=US
Serial: 11000000086125600ee5b47c13000000000008
e7 03 84 0d 47 02 1f 18 06 98 28 81 47 9e 70 58 8c 4d 49 cb
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] http://pki.Test.net/repository/SSRootCA.crt
---------------- Certificate CDP ----------------
Wrong Issuer "Base CRL (3)" Time: 0
[0.0] http://pki.Test.net/repository/SSRootCA.crl
--------------------------------
CertContext[0][2]: dwInfoStatus=c dwErrorStatus=28
Issuer: CN=Test Root Certification Authority, OU=Test Certification Authories, O=Test LLC., C=US
Subject: CN=Test Root Certification Authority, OU=Test Certification Authories, O=Test LLC., C=US
Serial: 2f9f5fef8094d4ae47303ae9b0c4acf3
f4 a0 8d ce 8c 1f 46 78 e0 0a ee 18 02 66 83 a2 5b 9c 71 a3
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
5d 9f a6 3d 01 5a dc 72 9a 2e 37 33 f3 78 ff 81 22 ef 68 f9
Full chain:
4d a4 62 39 07 85 bd c5 7f eb 64 ac ed 64 03 1e 1b 51 d5 96
Issuer: CN=Test Issuing Certification Authority, OU=Test Certification Authorities, O=Test LLC., C=US
Subject: CN=TestSuite1-valid, OU=Development, O=Test, L=Minneapolis, S=Minnesota, C=US
Serial: 2585178a00000000000a
Template: 1.3.6.1.4.1.311.21.8.9714767.7847860.16731308.5494905.11126283.253.11707544.14004296
8a 98 d5 b6 5d 51 39 bc 62 d6 31 41 5c d9 88 78 f9 cf 0b 32
The signature of the certificate can not be verified. 0x80096004 (-2146869244)
------------------------------------
CertUtil: -verify command FAILED: 0x80096004 (-2146869244)
CertUtil: The signature of the certificate can not be verified.
If anyone knows how to use the Certutil command line tool on Windows Server 2003 to verify the certificate revocation status using OCSP, please help.
Any help is greatly appreciated.
Thanks a lot in advance.
Vinay
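Added example, not part of the original post: the same chain build that "certutil -verify -urlfetch" performs, driven from PowerShell through the .NET X509Chain class so the per-element status flags can be read programmatically and compared with the dwErrorStatus values in the dump above. It assumes PowerShell 2.0 or later on a box with .NET 2.0 or later; the certificate path in the usage line is a placeholder. One practitioner's reading of the posted output, independent of this script: every element, including the self-signed root, reports CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8), which means the chain engine could not verify the certificate signatures at all, so the REVOCATION_STATUS_UNKNOWN and IS_OFFLINE_REVOCATION flags are a consequence, not the root cause; Windows Server 2003 did not support SHA-2 signatures out of the box (Microsoft shipped that as a hotfix, KB938397), so the signature algorithm of the CA certificates is the first thing to check. The script surfaces that ordering explicitly: a NotSignatureValid flag anywhere in the chain is reported before any revocation verdict.

```powershell
# Added example (not from the original post): verify a certificate chain with
# online revocation checking, the way "certutil -verify -urlfetch" does, and
# expose the per-element error flags. Requires PowerShell 2.0+ / .NET 2.0+.

function Test-CertificateChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertificatePath,

        # Online = fetch CRL/OCSP through the AIA/CDP URLs (like -urlfetch),
        # Offline = use only the local cache, NoCheck = skip revocation entirely
        [ValidateSet('Online', 'Offline', 'NoCheck')]
        [string]$RevocationMode = 'Online',

        # ExcludeRoot matches CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT in the dump
        [ValidateSet('ExcludeRoot', 'EntireChain', 'EndCertificateOnly')]
        [string]$RevocationFlag = 'ExcludeRoot'
    )

    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

    # $true selects the machine chain engine (HCCE_LOCAL_MACHINE in the certutil output)
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    $chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]$RevocationFlag
    $chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]'NoFlag'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30

    $built = $chain.Build($cert)

    # Per-element view: the numeric values of X509ChainStatusFlags are the same
    # CERT_TRUST_* bits certutil prints as Element.dwErrorStatus.
    $elements = foreach ($e in $chain.ChainElements) {
        $combined = 0
        $names = @()
        foreach ($s in $e.ChainElementStatus) {
            $combined = $combined -bor [int]$s.Status
            $names += $s.Status.ToString()
        }
        New-Object PSObject -Property @{
            Subject       = $e.Certificate.Subject
            Thumbprint    = $e.Certificate.Thumbprint
            dwErrorStatus = ('0x{0:X}' -f $combined)
            ErrorFlags    = ($names -join ', ')
        }
    }

    # Chain-wide flags, OR'ed together (ChainContext.dwErrorStatus in the dump)
    $all = 0
    foreach ($s in $chain.ChainStatus) { $all = $all -bor [int]$s.Status }

    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $verdict =
        if ($all -band [int]($F::NotSignatureValid)) {
            'SIGNATURE CHECK FAILED: a signature in the chain could not be verified, so no revocation result is meaningful'
        } elseif ($all -band [int]($F::Revoked)) {
            'REVOKED'
        } elseif ($all -band ([int]($F::RevocationStatusUnknown) -bor [int]($F::OfflineRevocation))) {
            'REVOCATION STATUS UNKNOWN: CRL/OCSP could not be retrieved or evaluated'
        } elseif ($built) {
            'VALID, NOT REVOKED'
        } else {
            'INVALID: ' + (($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', ')
        }

    New-Object PSObject -Property @{
        Certificate = $cert.Subject
        ChainBuilt  = $built
        ChainStatus = ('0x{0:X}' -f $all)
        Verdict     = $verdict
        Elements    = $elements
    }
}

# Usage (placeholder path):
# $r = Test-CertificateChain -CertificatePath 'C:\certs\TestCert-valid.cer'
# $r | Format-List Certificate, ChainBuilt, ChainStatus, Verdict
# $r.Elements | Format-Table Subject, dwErrorStatus, ErrorFlags -AutoSize
```

The Elements table lines up one-to-one with the CertContext[0][n] blocks in the certutil dump, so a value of 0x1000048 on the leaf and 0x28 on the root can be read straight off. Only the error side is available this way; .NET does not expose dwInfoStatus (HAS_KEY_MATCH_ISSUER, IS_SELF_SIGNED), so for that part of the picture the certutil dump remains the reference.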