Здравствуйте. Помогите, пожалуйста. Есть УЦ на Windows 2012, который выпускает сертификаты для работы внутри компании. Сертификаты становятся недействительными только после окончания срока действия. Раз в неделю обновляется CRL, Delta - раз в 2 дня.в списке отзыва отозванный сертификат значится, в точке распространения списка отзыва указан путь к crl, но на рабочей станции в личных сертификатах пользователя сертификат все равно действителен.
Сертификат не проверяется на отзыв
- Автор темы Neema
- Дата начала
Doctor
Случайный прохожий
поле - Точка распределения списка отзыва (CRL) должно быть заполнено
Я пришла на работу и здесь впервые столкнулась с СА. Настроено все было зодолго до меня. Но вот сейчас всплыла вот такая проблема с сертификатами. Active Directory занимается другой человек, который тоже фиг знает что и как. На том сервере с AD RootCA. На моём, который мне доступен, SubCA. CA вроде доступен. А где посмотреть ошибки в журналах? На диске С в папке Certlog?
NanoSuit
Специалист
NanoSuit
Специалист
Engineer
Активный участник
Проверьте что сетевой ответчик установлен и работает. Или давайте логи.
Engineer
Активный участник
Веб-служба регистрации сертификатов - это служба роли служб сертификации Active Directory, которая предоставляет пользователям и компьютерам, использующим протокол HTTPS, возможность регистрировать сертификаты. Кроме того, эта веб-служба вместе с веб-службой политик регистрации сертификатов позволяет регистрировать сертификаты на основе политик в случае, если клиентский компьютер не является членом домена или член домена не подключен к домену.
Веб-служба регистрации сертификатов с помощью протокола HTTPS обращается к запросам сертификатов, полученным от сетевых клиентских компьютеров, и возвращает им выданные сертификаты. Веб-служба регистрации сертификатов с помощью протокола DCOM подключается к центру сертификации и выполняет регистрацию сертификатов от имени запрашивающей стороны. В предыдущих версиях служб сертификации Active Directory регистрацию сертификатов на основе политики могли выполнять только клиентские компьютеры членов домена, использующие протокол DCOM. При этом выдача сертификатов ограничивалась границами доверия, установленными доменами и лесами Active Directory.
Anatoly
Участник
Контролеры домена проверяют списки CRL, только при обновлении билета kerberos Нужно посмотреть какое время установлено у вас.
Попробуйте сделать на компе gpupdate /force
Попробуйте воспользоваться тулзой certutil
Для проверки статуса сертификата
Попробуйте сделать на компе gpupdate /force
Попробуйте воспользоваться тулзой certutil
Для проверки статуса сертификата
certutil -f –urlfetch -verify mycertificatefile.cer
Anatoly
Участник
Так же коды ошибок
The following error status codes are defined for certificates and chains.
MEMBERS
The following codes are defined for chains only.
MEMBERS
dwInfoStatus
The following information status codes are defined.
ТАБЛИЦА 3
The following error status codes are defined for certificates and chains.
MEMBERS
| Value | Meaning |
|---|---|
| CERT_TRUST_NO_ERROR0x00000000 | No error found for this certificate or chain. |
| CERT_TRUST_IS_NOT_TIME_VALID0x00000001 | This certificate or one of the certificates in the certificate chain is not time valid. |
| CERT_TRUST_IS_REVOKED0x00000004 | Trust for this certificate or one of the certificates in the certificate chain has been revoked. |
| CERT_TRUST_IS_NOT_SIGNATURE_VALID0x00000008 | The certificate or one of the certificates in the certificate chain does not have a valid signature. |
| CERT_TRUST_IS_NOT_VALID_FOR_USAGE0x00000010 | The certificate or certificate chain is not valid for its proposed usage. |
| CERT_TRUST_IS_UNTRUSTED_ROOT0x00000020 | The certificate or certificate chain is based on an untrusted root. |
| CERT_TRUST_REVOCATION_STATUS_UNKNOWN0x00000040 | The revocation status of the certificate or one of the certificates in the certificate chain is unknown. |
| CERT_TRUST_IS_CYCLIC0x00000080 | One of the certificates in the chain was issued by a certification authority that the original certificate had certified. |
| CERT_TRUST_INVALID_EXTENSION0x00000100 | One of the certificates has an extension that is not valid. |
| CERT_TRUST_INVALID_POLICY_CONSTRAINTS0x00000200 | The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension. |
| CERT_TRUST_INVALID_BASIC_CONSTRAINTS0x00000400 | The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded. |
| CERT_TRUST_INVALID_NAME_CONSTRAINTS0x00000800 | The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid. |
| CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT0x00001000 | The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported:
|
| CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT0x00002000 | The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate. |
| CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT0x00004000 | The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate. |
| CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT0x00008000 | The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded. |
| CERT_TRUST_IS_OFFLINE_REVOCATION0x01000000 | The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale. |
| CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY0x02000000 | The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it. |
| CERT_TRUST_IS_EXPLICIT_DISTRUST0x04000000 | The certificate is explicitly distrusted. Windows Vista and Windows Server 2008: Support for this flag begins. |
| CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT0x08000000 | The certificate does not support a critical extension. Windows Vista and Windows Server 2008: Support for this flag begins. |
| CERT_TRUST_HAS_WEAK_SIGNATURE0x00100000 | The certificate has not been strong signed. Typically this indicates that the MD2 or MD5 hashing algorithms were used to create a hash of the certificate. Windows 8 and Windows Server 2012: Support for this flag begins. |
The following codes are defined for chains only.
MEMBERS
| Value | Meaning |
|---|---|
| CERT_TRUST_IS_PARTIAL_CHAIN0x00010000 | The certificate chain is not complete. |
| CERT_TRUST_CTL_IS_NOT_TIME_VALID0x00020000 | A certificate trust list (CTL) used to create this chain was not time valid. |
| CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID0x00040000 | A CTL used to create this chain did not have a valid signature. |
| CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE0x00080000 | A CTL used to create this chain is not valid for this usage. |
The following information status codes are defined.
ТАБЛИЦА 3
| Value | Meaning |
|---|---|
| CERT_TRUST_HAS_EXACT_MATCH_ISSUER0x00000001 | An exact match issuer certificate has been found for this certificate. This status code applies to certificates only. |
| CERT_TRUST_HAS_KEY_MATCH_ISSUER0x00000002 | A key match issuer certificate has been found for this certificate. This status code applies to certificates only. |
| CERT_TRUST_HAS_NAME_MATCH_ISSUER0x00000004 | A name match issuer certificate has been found for this certificate. This status code applies to certificates only. |
| CERT_TRUST_IS_SELF_SIGNED0x00000008 | This certificate is self-signed. This status code applies to certificates only. |
| CERT_TRUST_HAS_PREFERRED_ISSUER0x00000100 | The certificate or chain has a preferred issuer. This status code applies to certificates and chains. |
| CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY0x00000400 | An issuance chain policy exists. This status code applies to certificates and chains. |
| CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS0x00000400 | A valid name constraints for all namespaces, including UPN. This status code applies to certificates and chains. |
| CERT_TRUST_IS_PEER_TRUSTED0x00000800 | This certificate is peer trusted. This status code applies to certificates only. Windows Vista and Windows Server 2008: Support for this flag begins. |
| CERT_TRUST_HAS_CRL_VALIDITY_EXTENDED0x00001000 | This certificate's certificate revocation list(CRL) validity has been extended. This status code applies to certificates only. Windows Vista and Windows Server 2008: Support for this flag begins. |
| CERT_TRUST_IS_FROM_EXCLUSIVE_TRUST_STORE0x00002000 | The certificate was found in either a store pointed to by the hExclusiveRoot or hExclusiveTrustedPeople member of the CERT_CHAIN_ENGINE_CONFIGstructure. Windows 7 and Windows Server 2008 R2: Support for this flag begins. |
| CERT_TRUST_IS_COMPLEX_CHAIN0x00010000 | The certificate chain created is a complex chain. This status code applies to chains only. |
| CERT_TRUST_IS_CA_TRUSTED0x00004000 | A non-self-signed intermediate CA certificate was found in the store pointed to by the hExclusiveRoot member of the CERT_CHAIN_ENGINE_CONFIG structure. The CA certificate is treated as a trust anchor for the certificate chain. This flag will only be set if the CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG value is set in the dwExclusiveFlags member of the CERT_CHAIN_ENGINE_CONFIGstructure. If this flag is set, the CERT_TRUST_IS_SELF_SIGNED and the CERT_TRUST_IS_PARTIAL_CHAINdwErrorStatus flags will not be set. Windows 8 and Windows Server 2012: Support for this flag begins. |
Здесь все отлично. Групповые политики обновились, команду verify выполнил успешно. Пишет, что сертификат отозван.
