timbrigham
asked on
SSL Cert - Expired Base CRL
I'm getting some odd behavior from one of my certificates. One of my client computers is in the Philippines. The certificate revocation check is failing. I tried using certutil to locate the specifics. The line I'm concerned about is ' Expired "Base CRL (0128)" Time: 2'.
Is there anything I can do about this beyond hounding GoDaddy?
Issuer:
SERIALNUMBER=07969287
CN=Go Daddy Secure Certification Authority
OU=http://certificates.godaddy.com/repository
O=GoDaddy.com, Inc.
L=Scottsdale
S=Arizona
C=US
Subject:
CN=sage.cfcausa.org
OU=Domain Control Validated
O=sage.cfcausa.org
Cert Serial Number: b30864338111
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotBefore: 5/17/2010 6:48 AM
NotAfter: 5/17/2013 6:48 AM
Subject: CN=sage.cfcausa.org, OU=Domain Control Validated, O=sage.cfcausa.org
Serial: b30864338111
SubjectAltName: DNS Name=sage.cfcausa.org, DNS Name=www.sage.cfcausa.org
af 64 77 ec ca 0f 27 34 92 f8 bc 42 e8 71 20 a1 01 38 70 00
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (0128)" Time: 2
[0.0] http://crl.godaddy.com/gds1-18.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com/
--------------------------------
CRL (null):
Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
a6 e3 43 86 48 b5 24 a5 f3 37 b6 b4 c4 f9 36 08 37 2f 20 b7
Issuance[0] = 2.16.840.1.114413.1.7.23.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 11/15/2006 5:54 PM
NotAfter: 11/15/2026 5:54 PM
Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Serial: 0301
7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://certificates.godaddy.com/repository/gdroot.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com
--------------------------------
CRL (null):
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
71 5e 17 9c e1 9d 21 fb 41 90 1d f9 88 4b 48 48 ba 9c 39 a2
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 6/29/2004 9:06 AM
NotAfter: 6/29/2034 9:06 AM
Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial: 00
27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Exclude leaf cert:
db c6 89 f7 80 c3 d8 9e 1f 5b b0 7b 17 99 ac 78 96 72 03 3b
Full chain:
be f4 47 1d e2 f6 27 8f 5b b1 5f b1 8b b9 ab d4 ed be 29 f2
------------------------------------
Verified Issuance Policies:
2.16.840.1.114413.1.7.23.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
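Added example, not part of the original post and not certutil's own code: a small Python parser for a `certutil -verify` trace like the one above. It decodes each chain element's `dwErrorStatus` and lists the CDP/OCSP URLs whose retrieval status was anything other than Verified. The function names are illustrative, the sample is an excerpt of the output above, and the flag table names only three CERT_TRUST_* bits.

```python
import re

# CERT_TRUST_* error bits from wincrypt.h; the trace above sets 0x40 and 0x1000000.
ERROR_BITS = {0x4: "CERT_TRUST_IS_REVOKED",
              0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
              0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}
CTX = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=\w+ dwErrorStatus=([0-9a-fA-F]+)")
SECTION = re.compile(r"^-{4,}\s+(.+?)\s+-{4,}$")
STATUS = re.compile(r'^([A-Za-z][A-Za-z ]*?)\s+"([^"]*)"\s+Time:\s*\d+')
URL = re.compile(r"^\[\d+\.\d+\]\s+(\S+)")
# Excerpt of the certutil output posted above (chain elements 0 and 1, trimmed).
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate CDP ----------------
Expired "Base CRL (0128)" Time: 2
[0.0] http://crl.godaddy.com/gds1-18.crl
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com/
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://certificates.godaddy.com/repository/gdroot.crl
"""

def decode_error_status(hex_text):
    value = int(hex_text, 16)  # certutil prints the DWORD as bare hex
    names = [name for bit, name in sorted(ERROR_BITS.items()) if value & bit]
    unknown = value & ~sum(ERROR_BITS)  # bits this table does not name
    return names + ([hex(unknown)] if unknown else [])

def parse_verify_output(text):
    elements, current, section, fetch = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := CTX.match(line):  # start of a chain element
            current = {"depth": int(m[1]), "errors": decode_error_status(m[2]), "fetches": []}
            elements.append(current)
            section = fetch = None
        elif m := SECTION.match(line):  # e.g. "Certificate CDP"
            section, fetch = m[1], None
        elif current and section and (m := STATUS.match(line)):
            fetch = {"section": section, "status": m[1], "object": m[2], "url": None}
            current["fetches"].append(fetch)
        elif fetch and (m := URL.match(line)):  # URL belonging to the last status line
            fetch["url"] = m[1]
    return elements

def revocation_problems(elements):
    return [(e["depth"], f["section"], f["status"], f["url"]) for e in elements
            for f in e["fetches"] if f["url"] and f["status"] != "Verified"]
```

Running `revocation_problems(parse_verify_output(SAMPLE))` narrows the trace to the leaf certificate's CRL and OCSP endpoints, the two URLs to re-test from the affected client.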
Do you have the GoDaddy intermediate certificate installed also?
That would do it. Glad you have it fixed!
ASKER
Found solution myself.