CRL revocation check failed

Ale*_*Lum 1 certificate certificate-authority crl certutil

CRL revocation check problem.
I can telnet to the target server on port 80.
I can download the CRL with Internet Explorer.
But when I run certutil:

    C:\Users\Administrateur\Desktop>certutil -urlfetch -verify alex.cer
    Émetteur:
        CN=get-SRV-DC-CA
        DC=dom
        DC=com
      Hachage du nom (sha1) : a62888b8b494cc72d5b50a3401da695e28922316
      Hachage du nom (md5) : c8c269fb24c05cd48f07ec444fa63f93
    Objet:
        E=A.NOM@domaineexch.com
        CN=NOM Alexandre
      Hachage du nom (sha1) : facbf33942c29a333aeea9ade9db538d3d530ff7
      Hachage du nom (md5) : 01deefd4ec4bfb2d5bc80ed8221e486a
    Numéro de série du certificat : 67f0382100000000a51b

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 47 Minutes, 28 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 47 Minutes, 28 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
      Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
      NotBefore: 01/03/2019 15:05
      NotAfter: 29/02/2020 15:05
      Subject: E=A.NOM@domaineexch.com, CN=NOM Alexandre
      Serial: 67f0382100000000a51b
      SubjectAltName: Autre nom :Nom principal=LOGIN@mailinterne.com
      Template: 1.3.6.1.4.1.311.21.8.11025665.8001721.14437036.989286.1368235.196.5905011.1016426
      Cert: 9b28759fd75d66d04ad135b17ea93f541ace19f6
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ----------------  AIA de certificat  ----------------
      Échec "AIA" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        ldap:///CN=get-SRV-DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?cACertificate?base?objectClass=certificationAuthority

      Vérifié "Certificat (0)" Heure : 0 b3d1bb3362ec43aedafe4c3868805db4fcda5748
        [1.0] http://SRV-DC.domain.com/CertEnroll/SRV-DC.domain.com_get-SRV-DC-CA.crt

      ----------------  CDP de certificat  ----------------
      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

      Vérifié "Liste de révocation des certificats de base (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        [1.0.0] ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

      Ancienne liste de révocation des certificats de base "Liste de révocation des certificats delta (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0.1] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

      ----------------  CDP de liste de révocation des certificats de base  ----------------
      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

      OK "Liste de révocation des certificats de base (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

      Échec "CDP" Heure : 0 (null)
        Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        [1.0.0] ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

      Ancienne liste de révocation des certificats de base "Liste de révocation des certificats delta (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
        [1.0.1] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

      ----------------  Protocole OCSP du certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      --------------------------------
        CRL 0592:
        Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
        ThisUpdate: 28/02/2019 13:55
        NextUpdate: 08/03/2019 02:15
        CRL: a467254541a842b5e0819fe02e61395baeb2b4e9
      Application[0] = 1.3.6.1.5.5.7.3.2 Authentification du client
      Application[1] = 1.3.6.1.5.5.7.3.4 Messagerie électronique sécurisée

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
      NotBefore: 08/04/2015 13:36
      NotAfter: 08/04/2020 13:45
      Subject: CN=get-SRV-DC-CA, DC=dom, DC=com
      Serial: 40d4e5b7f3288898496b6f9bb3f1a103
      Template: CA
      Cert: b3d1bb3362ec43aedafe4c3868805db4fcda5748
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  AIA de certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      ----------------  CDP de certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      ----------------  Protocole OCSP du certificat  ----------------
      Pas d’URL "Aucun" Heure : 0 (null)
      --------------------------------

    Exclude leaf cert:
      Chain: 52a851a29e09dc1f1aec1fd5a640854e68361f94
    Full chain:
      Chain: 5046b50dfefc32be7c0c470bdb7ed2843ffc288a
      Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
      NotBefore: 01/03/2019 15:05
      NotAfter: 29/02/2020 15:05
      Subject: E=A.NOM@domaineexch.com, CN=NOM Alexandre
      Serial: 67f0382100000000a51b
      SubjectAltName: Autre nom :Nom principal=LOGIN@mailinterne.com
      Template: 1.3.6.1.4.1.311.21.8.11025665.8001721.14437036.989286.1368235.196.5905011.1016426
      Cert: 9b28759fd75d66d04ad135b17ea93f541ace19f6
    La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
    ------------------------------------
    Vérification de révocation ignorée -- le serveur est hors connexion

    ERREUR : la vérification de l’état de révocation du certificat feuille a
             renvoyé La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
    CertUtil: La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté.

    CertUtil: -verify La commande s’est terminée correctement.

Thanks for the help.


Cry*_*t32 5

The problem is the Delta CRL HTTP URL, which points to the Base CRL file. The base CRL and the delta CRL have the same URL, so they point to the same file, while they are separate physical files.

  1. Open the CA management console (certsrv.msc), select the CA properties, and switch to the Extensions tab. Make sure the HTTP URL for the CDP ends with <DeltaCRLAllowed>.crl. If it does not, edit the URL (copy the existing one, delete it, and add a new URL with the same settings) by inserting the <DeltaCRLAllowed> variable before the file extension.

  2. Open the CertEnroll folder and check whether there are two .crl files. One of them has a + character in its file name.

If there are two files, make sure the CRL with the plus sign in its file name is valid.

  3. If the HTTP CRL is hosted on IIS, make sure Double Escaping is enabled on IIS.

After fixing all the issues mentioned, republish the CRL and try certutil again.
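A PowerShell walk-through of the three checks above, added here as an example (it is not part of the answer). It assumes it runs elevated on the CA server itself, that the CA's CertEnroll folder is the directory IIS serves for the HTTP CDP, and that certutil prints the NextUpdate label as it does in the log in the question.

```powershell
# Added example, not the answer's own script. Assumes: elevated session on the CA host,
# CertEnroll is the IIS-served CDP folder, and "NextUpdate" appears in certutil -dump output.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CRLPublicationURLs).CRLPublicationURLs

# Check 1: every HTTP URL placed in the CDP extension of issued certs (flag bit 2) must end in
# %9.crl. %9 is the registry form of <DeltaCRLAllowed>, the "+" suffix that keeps the delta CRL
# file name distinct from the base CRL file name (%8 is <CRLNameSuffix>).
foreach ($entry in $urls) {
    $flags, $url = $entry -split ':', 2
    $inCdpExt = ([int]$flags -band 2) -ne 0
    if ($url -like 'http://*' -and $inCdpExt -and $url -notmatch '%9\.crl$') {
        Write-Warning "CDP URL has no <DeltaCRLAllowed> before .crl, so delta and base CRL collide: $url"
    }
}

# Check 2: CertEnroll should hold a base CRL and a delta CRL (name ends in "+.crl"),
# and neither should be past its NextUpdate.
$enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$crls   = Get-ChildItem -Path $enroll -Filter '*.crl'
if (-not ($crls | Where-Object Name -like '*+.crl')) {
    Write-Warning "No delta CRL (*+.crl) found in $enroll; republish after fixing the URL"
}
foreach ($f in $crls) {
    $next = certutil -dump $f.FullName | Select-String 'NextUpdate'
    Write-Output "$($f.Name): $next"
}

# Check 3: IIS request filtering rejects the "+" in the delta CRL name unless double escaping is on.
Import-Module WebAdministration
$esc = Get-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping
$escValue = if ($esc -is [bool]) { $esc } else { [bool]$esc.Value }
if (-not $escValue) {
    Write-Warning "allowDoubleEscaping is off; enable it with:"
    Write-Warning "Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value `$true"
}

# After the fixes, republish base and delta CRLs and re-run the verification from the question:
#   certutil -CRL
#   certutil -urlfetch -verify alex.cer
```

The first check reports the exact symptom in the question's log, where the delta CRL entry [1.0.1] resolves to the same get-SRV-DC-CA.crl file as the base CRL entry [1.0].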