++++++++++++++++++++++++++++++++++++++++
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 2
0: ActivCard USB Reader V2 0
1: OMNIKEY CardMan 2020 0
--- Reader: ActivCard USB Reader V2 0
--- Status: SCARD_STATE_EMPTY
--- Status: No card.
--- Card:
--- Reader: OMNIKEY CardMan 2020 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: G&D SPK 2.3 T=1
=======================================================
Analyzing card in reader: OMNIKEY CardMan 2020 0
CryptGetUserKey: Cannot find object or property. 0x80092004 (-2146885628)
Cannot open the AT_SIGNATURE key for reader: OMNIKEY CardMan 2020 0
Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
Key Container = 69DAEDBFF8A382818FB5C2AC016E9D9FE86A1873
Provider = SafeSign CSP Version 1.0
ProviderType = 1
Flags = 1
KeySpec = 1
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x40
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwRevocationFreshnessTime: 2 Hours, 45 Minutes, 39 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwRevocationFreshnessTime: 2 Hours, 45 Minutes, 39 Seconds
CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
Issuer: CN=CA-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp.
z o.o., C=PL
Subject: CN=Marcin Kotula, OU=proCertum, O=lab, C=PL
Serial: 0436
8c 8e b9 54 30 be 81 9f 0c 4c c6 4f 6a 70 ae eb c6 10 96 d1
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 1195:
Issuer: CN=CA-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto
Sp. z o.o., C=PL
01 ed aa 4d 3d 19 ab ce 23 c3 9d 26 90 ed ad a2 cc ce 6d 00
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
Issuer: CN=Root-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto
Sp. z o.o., C=PL
Subject: CN=CA-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp.
z o.o., C=PL
Serial: 02
35 a4 8a 29 a1 93 ba 24 73 42 d9 36 1a 8a da 49 4c ca 4f ec
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Issuer: CN=Root-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto
Sp. z o.o., C=PL
Subject: CN=Root-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto
Sp. z o.o., C=PL
Serial: 01
46 f6 b8 88 70 99 75 dd 45 b5 ba 31 68 31 1d 4c b0 3d f3 42
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
c7 24 7d c8 f2 43 04 a1 17 e3 9f f1 8b 0c 2e 73 67 e3 64 60
Full chain:
4f c9 e8 a9 ee 9d c2 8b 19 e5 04 83 39 db 11 2a e3 eb c5 7b
Issuer: CN=CA-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp.
z o.o., C=PL
Subject: CN=Marcin OU=proCertum, O=lab, C=PL
Serial: 0436
8c 8e b9 54 30 be 81 9f 0c 4c c6 4f 6a 70 ae eb c6 10 96 d1
The revocation function was unable to check revocation for the certificate.
0x80092012 (-2146885614)
------------------------------------
Revocation check skipped -- no revocation information available
Displayed AT_KEYEXCHANGE cert for reader: OMNIKEY CardMan 2020 0
Done.
CertUtil: -SCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
++++++++++++++++++++++++++++++++++++++++
Can anyone looking at the output above explain to me the reason why sc logon does not work?
regards
Martin.
The output is showing the expected results. The CRL distribution point
must exist in all certificates in the chain, except the actual root CA
certificate. Your login attempts are failing due to the lack of a CDP in
the subCA certificate.
The root is excluded due to the use of CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT.
Brian
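To make the diagnosis Brian gives mechanical, here is an added example (not from the thread and not part of certutil) that parses the CERT_CHAIN_CONTEXT elements of the -SCInfo dump above and reports which non-root element carries CERT_TRUST_REVOCATION_STATUS_UNKNOWN. The sample dump is re-typed from the thread with the mail-wrapped Issuer/Subject lines joined; the regex and the two status-bit constants (taken from wincrypt.h) are the assumptions.

```python
import re

# CERT_TRUST_STATUS bits from wincrypt.h; only the two the dump above turns on.
CERT_TRUST_IS_SELF_SIGNED = 0x8
CERT_TRUST_REVOCATION_STATUS_UNKNOWN = 0x40

# Constructed sample: the CERT_CHAIN_CONTEXT elements from the -SCInfo dump in
# the thread, re-typed with the mail-wrapped Issuer/Subject lines joined.
SAMPLE_DUMP = """\
CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
Issuer: CN=CA-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp. z o.o., C=PL
Subject: CN=Marcin Kotula, OU=proCertum, O=lab, C=PL
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
Issuer: CN=Root-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp. z o.o., C=PL
Subject: CN=CA-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp. z o.o., C=PL
CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Issuer: CN=Root-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp. z o.o., C=PL
Subject: CN=Root-Certyfikat testowy-Unizeto Sp. z o.o., OU=RW, O=Unizeto Sp. z o.o., C=PL
"""

ELEMENT_RE = re.compile(r"CertContext\[(\d+)\]\[(\d+)\]:\s*dwInfoStatus=([0-9a-f]+)"
                        r"\s*dwErrorStatus=([0-9a-f]+)", re.IGNORECASE)

def parse_chain(dump):
    """Elements of simple chain 0, leaf first; the hex status words are decoded
    to ints and the first Subject: line after each element is attached."""
    elements = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = ELEMENT_RE.match(line)
        if m and int(m.group(1)) == 0:
            elements.append({"index": int(m.group(2)), "info": int(m.group(3), 16),
                             "error": int(m.group(4), 16), "subject": ""})
        elif line.startswith("Subject:") and elements and not elements[-1]["subject"]:
            elements[-1]["subject"] = line[len("Subject:"):].strip()
    return elements

def revocation_gaps(elements):
    """Subjects whose revocation status the chain engine could not determine.
    A self-signed root is skipped: CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
    never checks it, so a missing CDP there cannot be the cause of the failure."""
    return [e["subject"] for e in elements
            if e["error"] & CERT_TRUST_REVOCATION_STATUS_UNKNOWN
            and not e["info"] & CERT_TRUST_IS_SELF_SIGNED]

if __name__ == "__main__":
    for subject in revocation_gaps(parse_chain(SAMPLE_DUMP)):
        print("revocation status unknown for:", subject)
        print("  -> check that this certificate carries a reachable CRL Distribution Point")
```

On the dump from the thread the only certificate reported is the subCA, which matches the answer above: the leaf has a usable CRL and the root is excluded from the check.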