[Piv-test-cards] error message on TEST PIV CARD


TonyVN

Jan 5, 2017, 6:57:53 PM
to piv-tes...@list.nist.gov

Hi,

I've been trying to set up the test PIV card and am getting the error
message below, even though I have the trusted root and intermediate root
installed on our servers.

Please let me know if anyone has seen this problem before. Your help is
greatly appreciated.

Thanks,
Tony

Security token not valid. Exception details: ID4070: The X.509 certificate
'CN=Test Cardholder, OU=Test Agency, OU=Test Department, O=Test Government,
C=US' chain building failed. The certificate that was used has a trust
chain that cannot be verified. Replace the certificate or change the
certificateValidationMode. 'A certification chain processed correctly, but
one of the CA certificates is not trusted by the policy provider. '


Paul Fox (MCS)

Jan 6, 2017, 7:42:47 AM
to piv-tes...@list.nist.gov
Which card are you using?
_______________________________________________
PIV-test-cards mailing list
PIV-test-cards at nist.gov
https://groups.google.com/a/list.nist.gov/forum/#!forum/piv-test-cards

Douglas E Engert

Jan 6, 2017, 9:02:12 AM
to piv-tes...@list.nist.gov
Google for "A certification chain processed correctly"
or "The certificate that was used has a trust chain that cannot be verified."
or "one of the CA certificates is not trusted by the policy provider"

Some of the blogs hint at it being that the revocation service (CRL or OCSP) is not running, which would be
the NIST servers listed in the certificates.

The blogs turned off revocation with code like this:

serviceBehaviors/behavior/serviceCredentials/clientCertificate

<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />

Are you running in a test network that does not have access to the outside?

(I have not run in to this, but have not used the test cards in AD so would not have run into this problem either.)


--

Douglas E. Engert <DEEngert at gmail.com>
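The two settings in that config fragment can be tried against the exported card certificate directly, without touching the service. The PowerShell below is an added example, not code from this thread, from NIST or from Microsoft: it builds the chain the way WCF's ChainTrust validator does (a .NET X509Chain in machine context, the HCCE_LOCAL_MACHINE engine a certutil dump names), once with revocation checking off and once online, and sorts the resulting chain-status flags into trust-store problems and revocation problems. The only assumptions are the file name .\testcard1.crt for the exported certificate (Paul's name for it later in the thread) and the wording of the verdicts, which is mine. For reference, the WCF defaults the blogs are relaxing are certificateValidationMode="ChainTrust" and revocationMode="Online".

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not code from the thread, NIST or Microsoft. Rebuilds the
# chain the way WCF's ChainTrust validator does and compares the two
# revocationMode settings. Assumption: the card's PIV Authentication
# certificate was exported to .\testcard1.crt (Paul's file name).
param([string] $CertPath = '.\testcard1.crt')

function Get-ChainVerdict {
    param([string[]] $Flags)
    # These are the same bits certutil prints as CERT_TRUST_IS_PARTIAL_CHAIN,
    # CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION.
    $trustFlags      = 'PartialChain', 'UntrustedRoot', 'NotSignatureValid', 'ExplicitDistrust'
    $revocationFlags = 'RevocationStatusUnknown', 'OfflineRevocation'
    if (-not $Flags)                                              { return 'ok: chained to a trusted root' }
    if ($Flags -contains 'Revoked')                               { return 'revoked: do not accept this certificate' }
    if ($Flags | Where-Object { $trustFlags -contains $_ })       { return 'trust problem: issuer/root missing from the LocalMachine stores; revocationMode cannot fix this' }
    if ($Flags | Where-Object { $revocationFlags -contains $_ })  { return 'revocation problem: CRL/OCSP not obtained; check reachability of the CDP/AIA/OCSP URLs' }
    return "other: $($Flags -join ', ')"
}

function Test-PivChain {
    param(
        [X509Certificate2]   $Certificate,
        [X509RevocationMode] $RevocationMode
    )
    # $true selects the machine chain engine (HCCE_LOCAL_MACHINE in a certutil
    # dump): only the LocalMachine stores count, which is what a service sees.
    $chain = [X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode      = $RevocationMode
    $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::ExcludeRoot   # as in the certutil run
    $chain.ChainPolicy.VerificationFlags   = [X509VerificationFlags]::NoFlag     # no "ignore" shortcuts
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
    $built = $chain.Build($Certificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() } | Sort-Object -Unique)
    [pscustomobject]@{
        RevocationMode = $RevocationMode
        Built          = $built
        Chain          = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Flags          = $flags
        Verdict        = Get-ChainVerdict -Flags $flags
    }
}

$cert = [X509Certificate2]::new((Resolve-Path -LiteralPath $CertPath).Path)

# NoCheck first: whatever is still wrong there is not a revocation problem.
foreach ($mode in [X509RevocationMode]::NoCheck, [X509RevocationMode]::Online) {
    Test-PivChain -Certificate $cert -RevocationMode $mode | Format-List
}
```

Run it under the account the service uses. A PartialChain or UntrustedRoot flag that is still present in the NoCheck run cannot be fixed by revocationMode; that is what the first dump Tony posts shows (CERT_TRUST_IS_PARTIAL_CHAIN and "Missing Issuer: CN=Test Trust Anchor for Test PIV Cards"). Only when the NoCheck run is clean and the Online run adds RevocationStatusUnknown or OfflineRevocation is CRL/OCSP reachability the issue, and the fix for that is network access to the smime2.nist.gov and seclab7.ncsl.nist.gov URLs in the certificates rather than NoCheck, which would also stop you from noticing a revoked card.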

TonyVN

Jan 6, 2017, 9:46:35 AM
to piv-tes...@list.nist.gov
Hi Paul,

I am using Test Cardholder number 1.

Thanks,
Tony


Salvatore D'Agostino

Jan 6, 2017, 9:55:19 AM
to piv-tes...@list.nist.gov
Yes, what is the card/certificate CRL distribution point, what is the OCSP
responder address, and can you hit these?

Glad to see this discussion; also look at https://github.com/GSA/piv-guides
and open a ticket there, maybe consolidating these under a test card section or
under validation.

Paul Fox (MCS)

Jan 6, 2017, 10:10:11 AM
to piv-tes...@list.nist.gov
If you are using a Windows system try this
1) export the cert local to the system
2) start command prompt
3) type certutil -verify -urlfetch testcard1.crt

It will give you more information as to where the validation is failing.


TonyVN

Jan 6, 2017, 10:12:57 AM
to piv-tes...@list.nist.gov
I can hit the CDP URL http://smime2.nist.gov/PIVTest/RSA2048CA.crl and the OCSP
URL http://seclab7.ncsl.nist.gov

Here's my test PIV card info: RFC822 Name=test.cardholder at mail.example.com

TonyVN

Jan 6, 2017, 10:45:31 AM
to piv-tes...@list.nist.gov
Here's the output.


Issuer:
CN=Test RSA 2048-bit CA for Test PIV Cards
OU=Test CA
O=Test Certificates 2010
C=US
Name Hash(sha1): 438ddd04731eaa7bbaf64d86c69e08d913f6f169
Name Hash(md5): 4ff953509351abea6c9a81b850062b28
Subject:
CN=Test Cardholder
OU=Test Agency
OU=Test Department
O=Test Government
C=US
Name Hash(sha1): cd0541ba54dd21b1eb5ead9b74286e362bcfaf84
Name Hash(md5): 7e8a5061753886cc44181696da54e32d
Cert Serial Number: 65

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM
Subject: CN=Test Cardholder, OU=Test Agency, OU=Test Department, O=Test
Government, C=US
Serial: 65
SubjectAltName: Other Name:Principal Name=32015465737401 at upn.example.com,
Other Name:2.16.840.1.101.3.6.6=04 19 d6 50 18 58 28 9d 6d ca cc 93 25 a1
68 59 a4 69 27 c9 d4 5c 86 50 18 43 e2
1af816097246c115d22766a8939261a63210ef55
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/CACertsIssuedToRSA2048CA.p7c

Verified "Certificate (0)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20RSA%202048-bit%20CA%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

Verified "Certificate (0)" Time: 0
[1.1]
ldap://smime2.nist.gov/cn=Test%20RSA%202048-bit%20CA%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

---------------- Certificate CDP ----------------
Verified "Base CRL (cba8)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/RSA2048CA.crl

Verified "Base CRL (cba8)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20RSA%202048-bit%20CA%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?certificateRevocationList;binary

---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://seclab7.ncsl.nist.gov

--------------------------------
Issuance[0] = 2.16.840.1.101.3.2.1.3.13

CertContext[0][1]: dwInfoStatus=2 dwErrorStatus=1000040
Issuer: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM
Subject: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
Serial: 02
4f2e0abe3606634c49657a0ad964f7357d7758fe
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Success "AIA" Time: 0
http://smime2.nist.gov/PIVTest/CACertsIssuedToTrustAnchor.p7c

Wrong Issuer "Certificate (0)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

Wrong Issuer "Certificate (1)" Time: 0
[1.1]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

Wrong Issuer "Certificate (2)" Time: 0
[1.2]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

Wrong Issuer "Certificate (3)" Time: 0
[1.3]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

Wrong Issuer "Certificate (4)" Time: 0
[1.4]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

---------------- Certificate CDP ----------------
OK "Base CRL (cbad)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/TrustAnchor.crl

OK "Base CRL (cbad)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?certificateRevocationList;binary

---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Issuance[0] = 2.16.840.1.101.3.2.1.3.7
Issuance[1] = 2.16.840.1.101.3.2.1.3.8
Issuance[2] = 2.16.840.1.101.3.2.1.3.13
Issuance[3] = 2.16.840.1.101.3.2.1.3.17

Exclude leaf cert:
1af816097246c115d22766a8939261a63210ef55
Full chain:
c3dfb36325888952814516809b761c9542a3e32e
Missing Issuer: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
Issuer: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM
Subject: CN=Test Cardholder, OU=Test Agency, OU=Test Department, O=Test
Government, C=US
Serial: 65
SubjectAltName: Other Name:Principal Name=32015465737401 at upn.example.com,
Other Name:2.16.840.1.101.3.6.6=04 19 d6 50 18 58 28 9d 6d ca cc 93 25 a1
68 59 a4 69 27 c9 d4 5c 86 50 18 43 e2
1af816097246c115d22766a8939261a63210ef55
A certificate chain could not be built to a trusted root authority.
0x800b010a (-2146762486 CERT_E_CHAINING)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Paul Fox (MCS)

Jan 6, 2017, 11:05:57 AM
to piv-tes...@list.nist.gov
Can you now try certutil -verify testcard1.crt please

David - you are not populating the http://smime2.nist.gov/PIVTest/CACertsIssuedToTrustAnchor.p7c with the root trust cert, correct?

David A. Cooper

Jan 6, 2017, 11:16:29 AM
to piv-tes...@list.nist.gov
On 01/06/2017 11:05 AM, Paul Fox (MCS) wrote:
> David - you are not populating the http://smime2.nist.gov/PIVTest/CACertsIssuedToTrustAnchor.p7c with the root trust cert, correct?

Correct. http://smime2.nist.gov/PIVTest/CACertsIssuedToTrustAnchor.p7c
has no certificates in it at all.

TonyVN

Jan 6, 2017, 11:23:01 AM
to piv-tes...@list.nist.gov
Here it is again


---------------- Certificate CDP ----------------
Verified "Base CRL (cba9)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/RSA2048CA.crl

Verified "Base CRL (cba9)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20RSA%202048-bit%20CA%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?certificateRevocationList;binary

---------------- Certificate CDP ----------------
OK "Base CRL (cbae)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/TrustAnchor.crl

OK "Base CRL (cbae)" Time: 0

Paul Fox (MCS)

Jan 6, 2017, 11:28:47 AM
to piv-tes...@list.nist.gov
Please confirm the system's trusted root store.

1) start command prompt
2) certlm.msc
3) Go to Trusted Root Certification Authorities store and confirm you have Test Trust Anchor for Test PIV in there
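The same checks as a script, as an added example that is not code from this thread, from NIST or from Microsoft. It verifies the two LocalMachine stores by thumbprint rather than by the display name certlm.msc shows, then runs Paul's certutil -verify -urlfetch and pulls out the lines that decide the outcome. Assumptions: the subjects and SHA-1 hashes are the ones certutil prints under each chain element's "Serial:" line in the dumps Tony posts in this thread (4f2e... for the issuing CA, 8c68... for the trust anchor); testcard1.crt is Paul's file name; the set of patterns is my choice.

```powershell
# Added example, not code from the thread, NIST or Microsoft: Paul's
# checks and the certlm.msc look-up as a script. The subjects and SHA-1
# hashes are copied from the chain dumps Tony posted (certutil prints the
# hash under each element's "Serial:" line); testcard1.crt is Paul's file name.
param([string] $CertPath = '.\testcard1.crt')

# What a machine-context chain must find, and the store it looks in for each.
# certlm.msc is the LocalMachine view; certmgr.msc (CurrentUser) is not enough
# for a service, whose chain is built with the machine engine.
$Expected = @(
    [pscustomobject]@{ Store = 'Cert:\LocalMachine\Root'; Role = 'trust anchor'
                       CN = 'Test Trust Anchor for Test PIV Cards'
                       Thumbprint = '8C687EA3CD6E0F47F2D98156D69A2455025A326B' }
    [pscustomobject]@{ Store = 'Cert:\LocalMachine\CA';   Role = 'issuing CA'
                       CN = 'Test RSA 2048-bit CA for Test PIV Cards'
                       Thumbprint = '4F2E0ABE3606634C49657A0AD964F7357D7758FE' }
)

function Test-PivTrustStores {
    param([object[]] $Wanted = $Expected)
    foreach ($w in $Wanted) {
        $inStore = @(Get-ChildItem -Path $w.Store)
        # Match on thumbprint: the console shows names, but the chain engine
        # matches issuers by key and name hash, so a certificate that merely
        # carries the right CN looks fine in certlm.msc and still yields
        # CERT_TRUST_IS_PARTIAL_CHAIN.
        $byHash = $inStore | Where-Object Thumbprint -eq $w.Thumbprint
        $byName = $inStore | Where-Object Subject -like "CN=$($w.CN),*"
        [pscustomobject]@{
            Role          = $w.Role
            Store         = $w.Store
            Present       = [bool] $byHash
            NameOnlyMatch = [bool] ($byName -and -not $byHash)
        }
    }
}

function Invoke-CertutilVerify {
    param([string] $Path)
    # -urlfetch makes certutil pull every AIA/CDP/OCSP URL and report each one.
    $lines = & certutil.exe -verify -urlfetch $Path 2>&1 | ForEach-Object { "$_" }
    # Lines worth reading in a dump this long. certutil exits 0 and prints
    # "command completed successfully" even when the chain fails (Tony's first
    # dump ends with CERT_E_CHAINING and that line), so the exit code is no signal.
    $patterns = @(
        'CERT_TRUST_IS_PARTIAL_CHAIN', 'CERT_TRUST_IS_UNTRUSTED_ROOT',              # store problems
        'CERT_TRUST_REVOCATION_STATUS_UNKNOWN', 'CERT_TRUST_IS_OFFLINE_REVOCATION', # CRL/OCSP problems
        '^\s*Missing Issuer:', '^\s*Cannot find certificate', 'CERT_E_',
        '^\s*(Failed|Wrong Issuer|Error)\s+"'                                       # URL fetches that did not verify
    )
    $findings = @($lines | Select-String -Pattern $patterns | ForEach-Object { $_.Line.Trim() } | Select-Object -Unique)
    [pscustomobject]@{
        ChainFailed = [bool] ($findings -match 'PARTIAL_CHAIN|UNTRUSTED_ROOT|CERT_E_')
        Findings    = $findings
    }
}

Test-PivTrustStores | Format-Table -AutoSize
Invoke-CertutilVerify -Path $CertPath | Format-List
```

Present=False with NameOnlyMatch=True, or the anchor sitting in Cert:\CurrentUser\Root instead of the LocalMachine store, both look correct in the console and both produce the "Cannot find certificate: CN=Test Trust Anchor for Test PIV Cards" result in Tony's first dump. When ChainFailed is False and Findings is empty, the machine-level chain is fine and what remains is the application's own validation, which is where the thread goes next.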

TonyVN

Jan 6, 2017, 11:50:42 AM
to piv-tes...@list.nist.gov
Hi Paul,

No, I imported it and confirmed that Test Trust Anchor for Test PIV is in
there. I imported the intermediate root CA as well. It is still giving me the
error. Here is the updated output.

Thanks,
Tony

Issuer:
CN=Test RSA 2048-bit CA for Test PIV Cards
OU=Test CA
O=Test Certificates 2010
C=US
Name Hash(sha1): 438ddd04731eaa7bbaf64d86c69e08d913f6f169
Name Hash(md5): 4ff953509351abea6c9a81b850062b28
Subject:
CN=Test Cardholder
OU=Test Agency
OU=Test Department
O=Test Government
C=US
Name Hash(sha1): cd0541ba54dd21b1eb5ead9b74286e362bcfaf84
Name Hash(md5): 7e8a5061753886cc44181696da54e32d
Cert Serial Number: 65

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------

ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 34 Minutes, 45 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 34 Minutes, 45 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0


Issuer: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM
Subject: CN=Test Cardholder, OU=Test Agency, OU=Test Department, O=Test
Government, C=US
Serial: 65
SubjectAltName: Other Name:Principal Name=32015465737401 at upn.example.com,
Other Name:2.16.840.1.101.3.6.6=04 19 d6 50 18 58 28 9d 6d ca cc 93 25 a1
68 59 a4 69 27 c9 d4 5c 86 50 18 43 e2
1af816097246c115d22766a8939261a63210ef55
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/CACertsIssuedToRSA2048CA.p7c

---------------- Certificate CDP ----------------


Verified "Base CRL (cba9)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/RSA2048CA.crl

---------------- Base CRL CDP ----------------


No URLs "None" Time: 0

---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://seclab7.ncsl.nist.gov

--------------------------------
CRL cba9:


Issuer: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US

ThisUpdate: 1/6/2017 4:01 PM
NextUpdate: 1/7/2017 4:01 PM
e348dfedb826ac202d6c7b35ed87a094406bc426
Issuance[0] = 2.16.840.1.101.3.2.1.3.13

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0


Issuer: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM
Subject: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
Serial: 02
4f2e0abe3606634c49657a0ad964f7357d7758fe
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)

Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)


---------------- Certificate AIA ----------------
Success "AIA" Time: 0
http://smime2.nist.gov/PIVTest/CACertsIssuedToTrustAnchor.p7c

---------------- Certificate CDP ----------------
Verified "Base CRL (cbae)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/TrustAnchor.crl

Verified "Base CRL (cbae)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?certificateRevocationList;binary

---------------- Base CRL CDP ----------------


No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------

CRL cbae:


Issuer: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US

ThisUpdate: 1/6/2017 4:01 PM
NextUpdate: 1/7/2017 4:01 PM
30b80b3cc96e846235c7b03d88fa75f30eecb93a


Issuance[0] = 2.16.840.1.101.3.2.1.3.7
Issuance[1] = 2.16.840.1.101.3.2.1.3.8
Issuance[2] = 2.16.840.1.101.3.2.1.3.13
Issuance[3] = 2.16.840.1.101.3.2.1.3.17

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0


Issuer: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM

Subject: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
Serial: 01
8c687ea3cd6e0f47f2d98156d69a2455025a326b
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------


No URLs "None" Time: 0

---------------- Certificate CDP ----------------


No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------

Exclude leaf cert:
d8a1139cb8a710a31cf6b89e1f977e38959ea528
Full chain:
1b533297888f066b82eaddf443c09ea7eca50241
------------------------------------
Verified Issuance Policies:
2.16.840.1.101.3.2.1.3.13
Verified Application Policies: All

Paul Fox (MCS)

Jan 6, 2017, 12:07:19 PM
to piv-tes...@list.nist.gov
This looks good. Can you now try the certutil -verify -urlfetch testcard1.crt

Douglas E Engert

Jan 6, 2017, 12:08:25 PM
to piv-tes...@list.nist.gov
The other half of the question I asked was are your servers in a restricted network
so as to isolate them from outside? i.e. Can the servers hit the URLs?

Since every set of test PIV cards is a reproduction with the same keys,
anyone with a set of test cards can authenticate or sign as CN=Test Cardholder,
making the use of the test cards in an open network a security risk.

Douglas E Engert

Jan 6, 2017, 12:09:53 PM
to piv-tes...@list.nist.gov
Disregard this message, it was a draft. Based on your other messages it looks like it cannot find the self-signed root certificate.

TonyVN

Jan 6, 2017, 1:53:08 PM
to piv-tes...@list.nist.gov
Paul,

Here's the output when I run certutil -verify -urlfetch testcard1.crt


Thanks,
Tony

ChainContext.dwRevocationFreshnessTime: 26 Minutes, 1 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 26 Minutes, 1 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM
Subject: CN=Test Cardholder, OU=Test Agency, OU=Test Department, O=Test
Government, C=US
Serial: 65
SubjectAltName: Other Name:Principal Name=32015465737401 at upn.example.com,
Other Name:2.16.840.1.101.3.6.6=04 19 d6 50 18 58 28 9d 6d ca cc 93 25 a1
68 59 a4 69 27 c9 d4 5c 86 50 18 43 e2
1af816097246c115d22766a8939261a63210ef55
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/CACertsIssuedToRSA2048CA.p7c

---------------- Certificate CDP ----------------
Verified "Base CRL (cbab)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/RSA2048CA.crl

Verified "Base CRL (cbab)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20RSA%202048-bit%20CA%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?certificateRevocationList;binary

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://seclab7.ncsl.nist.gov

--------------------------------
CRL cbab:


Issuer: CN=Test RSA 2048-bit CA for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US

ThisUpdate: 1/6/2017 6:01 PM
NextUpdate: 1/7/2017 6:01 PM
047c0a99d67f159b1da98db07714ccb6572b82f1
Issuance[0] = 2.16.840.1.101.3.2.1.3.13

---------------- Certificate CDP ----------------
Verified "Base CRL (cbb0)" Time: 0
[0.0] http://smime2.nist.gov/PIVTest/TrustAnchor.crl

Verified "Base CRL (cbb0)" Time: 0
[1.0]
ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?certificateRevocationList;binary

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------

CRL cbb0:


Issuer: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US

ThisUpdate: 1/6/2017 6:01 PM
NextUpdate: 1/7/2017 6:01 PM
8533a81f1f9968fdb9f3f49af176f79da5ef6efd


Issuance[0] = 2.16.840.1.101.3.2.1.3.7
Issuance[1] = 2.16.840.1.101.3.2.1.3.8
Issuance[2] = 2.16.840.1.101.3.2.1.3.13
Issuance[3] = 2.16.840.1.101.3.2.1.3.17

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
NotBefore: 10/1/2010 8:30 AM
NotAfter: 10/1/2030 8:30 AM
Subject: CN=Test Trust Anchor for Test PIV Cards, OU=Test CA, O=Test
Certificates 2010, C=US
Serial: 01
8c687ea3cd6e0f47f2d98156d69a2455025a326b
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------

Exclude leaf cert:
f39e4152034731b549e1705f81b9bb0e2b140d8a
Full chain:
076e80d934821c962eb07492d5bcde5295da902b

Paul Fox (MCS)

Jan 6, 2017, 1:57:54 PM
to piv-tes...@list.nist.gov
This looks good. Does your application fail now?

TonyVN

Jan 6, 2017, 2:15:11 PM
to piv-tes...@list.nist.gov

Paul Fox (MCS)

Jan 6, 2017, 2:23:13 PM
to piv-tes...@list.nist.gov
Taking offline

TonyVN

Jan 6, 2017, 2:39:51 PM
to piv-tes...@list.nist.gov
Has anyone gotten a test PIV card working before? I am getting very close.
It failed after the PIN was entered, and the following error message appeared
in the log:

The X.509 certificate 'CN=Test Cardholder, OU=Test Agency, OU=Test
Department, O=Test Government, C=US' chain building failed. The certificate
that was used has a trust chain that cannot be verified. Replace the
certificate or change the certificateValidationMode. 'A certification chain
processed correctly, but one of the CA certificates is not trusted by the
policy provider. '

Paul Fox (MCS)

Jan 6, 2017, 2:42:51 PM
to piv-tes...@list.nist.gov
This document has the steps to configure AD to support the NIST PIV test cards
https://gallery.technet.microsoft.com/HSPD-12-Logical-Access-0e04cdc9

Live Free

Jul 29, 2017, 3:25:19 PM
to piv-tes...@list.nist.gov
Sure

Brett Pfrommer
