Badger1879
asked on
Revoked Certificates still valid for authentication
Hi,
I have recently installed a new standalone root Microsoft Certificate Authority and a subordinate Enterprise CA into our Active Directory environment.
The standalone Root is kept powered off and will remain so, and the Sub is issuing day-to-day certificates.
The problem I am seeing is that I have issued myself a certificate using the default 'User' template and then transferred that to my iPhone to use for authentication with Microsoft Exchange.
It works! I get the email even when my password has been changed.
My problem comes when I try to revoke a certificate on the Sub CA.
When viewing the Certificate on my Windows 7 Machine the certificate path still says 'This Certificate is OK.'
When I run certutil -f -urlfetch -verify MyCertificate.cer
The final result is
'Certificate is REVOKED'
Leaf certificate is REVOKED <Reason=6>
CertUtil: -verify command completed successfully.
So manually checking the status shows it has been revoked. But my iPhone is still fetching and sending email, and the certificate path on my Windows 7 machine still says 'OK'.
Is there anything I might have missed?
Hi,
Certificate Revocation Lists are published over HTTP.
If you take a look at your certificate properties on your computer you should find a CRL Distribution Points list of URLs that should point to a URL that hosts revocation lists.
When your computer has to use a certificate it is supposed to try to reach the CRL distribution point to check for the revocation.
If it can't reach the CRL, the computer just considers that the certificate is not revoked.
When you revoke a certificate on the CA, the CA is supposed to update the CRL distribution point, but this distribution point may not be configured nor installed...
About the iPhone: if the device is connected externally to the Internet, then the CRL won't be reachable from outside if you did not publish it! So, no chance for the iPhone to know about any certificate revocation if you did not publish your CRL distribution point to the Internet!
Have a good day.
ASKER
Thank you for your help,
dlSmlSS, where am I supposed to run the command?
I have run it on a few of our domain controllers and some do not have the new CRL in their cache.
I have also run the command on my Windows 7 machine, and now running certutil -urlcache comes back saying it failed as there is no more data.
PaciB,
I don't fully understand; I thought that the check would be done internally, for example the internal Exchange server would check the certificate's validity when the iPhone tries to connect.
I didn't think that the iPhone checked whether it was valid; I always thought that is what the server is for.
Also, the iPhone was on the corporate network when I was testing this, so it should have been able to see the CRL Distribution Point on the HTTP endpoint.
Any more ideas?
The same machine on which you ran
certutil -f -urlfetch -verify MyCertificate.cer
Did you try to open the certificate after this command and check its status?
ASKER
Ok, it has been a while since I have updated this, but I have been checking and checking...
The revocation checking is working if I manually export the certificate and run
certutil -f -urlfetch -verify certfile.cer
This shows that the certificate is revoked.
Also, opening MMC and viewing Enterprise PKI shows that all CDP, AIA and CA Certificate locations are valid on the root and the sub server.
I cannot see what the problem is!
Manually checking is showing that the certificate is revoked! Why are AD, PCs and the Exchange server showing that this is an OK certificate?!
Anyone? I really need help
certutil -urlcache * delete
and then check again
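The following is an added example written for this page; it is not code from any participant in the thread or from Microsoft's tooling. It models the check PaciB's answer describes, performed by whichever party validates the client certificate: read the CRL Distribution Point (CDP) from the certificate, fetch the CRL from that URL, verify the CRL against the issuing CA, and look up the serial number. It also illustrates the cache problem behind the last reply: a CRL downloaded before the revocation is treated as current until its nextUpdate, so a cached copy keeps reporting the certificate as good until the cache is discarded, which is what certutil -urlcache * delete forces on Windows. A throwaway issuing CA, leaf certificate and two CRLs are generated in memory; the CDP URL, the subject names and the HTTP fetch are assumptions, simulated with a hash so the example runs offline with only Ruby's bundled openssl library.

```ruby
require 'openssl'

# Added example, not code from the thread. The URL below is an assumption.
CDP_URL = 'http://pki.example.test/CertEnroll/SubCA.crl'
CERTIFICATE_HOLD = 6 # CRLReason code; the "Reason=6" certutil printed above

# Build a certificate; with issuer_cert nil it is self-signed (the CA).
def new_cert(subject, issuer_cert, issuer_key, serial, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    # The CDP extension is the pointer a relying party follows to find the CRL.
    cert.add_extension(ef.create_extension('crlDistributionPoints', "URI:#{CDP_URL}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Publish a CRL as DER; revoked is a list of [serial, reason_code] pairs.
def publish_crl(ca_cert, ca_key, revoked)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 7 * 86_400 # clients may cache it until then
  revoked.each do |serial, reason|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time   = Time.now - 30
    entry.add_extension(OpenSSL::X509::Extension.new('CRLReason',
                                                     OpenSSL::ASN1::Enumerated.new(reason)))
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl.to_der
end

# Every URI listed in the certificate's CRL Distribution Points extension.
def cdp_urls(cert)
  ext = cert.extensions.find { |e| e.oid == 'crlDistributionPoints' }
  ext ? ext.value.scan(/URI:(\S+)/).flatten : []
end

# Numeric CRLReason of a revoked entry, or nil when the entry carries none.
def crl_reason(entry)
  ext = entry.extensions.find { |e| e.oid == 'CRLReason' }
  return nil unless ext
  # Extension DER is SEQUENCE { OID, [critical], OCTET STRING }; the octet
  # string carries the DER of an ENUMERATED holding the reason code.
  inner = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(inner).value.to_i
end

# Returns :good, [:revoked, reason], :unknown or :no_cdp. `fetch` takes a URL
# and returns CRL bytes, or nil when the CDP is unreachable; in real clients
# a CRL cache sits behind this call.
def revocation_status(cert, issuer_cert, fetch, soft_fail: false)
  urls = cdp_urls(cert)
  return :no_cdp if urls.empty?
  urls.each do |url|
    der = fetch.call(url)
    next if der.nil?
    crl = OpenSSL::X509::CRL.new(der)
    # Only trust a CRL the issuer actually signed and that is still current.
    next unless crl.verify(issuer_cert.public_key) && crl.next_update > Time.now
    entry = crl.revoked.find { |r| r.serial == cert.serial }
    return entry ? [:revoked, crl_reason(entry)] : :good
  end
  # No usable CRL: "assume not revoked" is the soft-fail behaviour the answer
  # above describes; a hard-fail validator reports the status as unknown.
  soft_fail ? :good : :unknown
end

def demo
  ca_cert, ca_key = new_cert('/CN=Example Sub CA', nil, nil, 1, ca: true)
  leaf, _leaf_key = new_cert('/CN=Badger1879', ca_cert, ca_key, 4242)

  # A client cached the CRL published before the revocation.
  cache  = { CDP_URL => publish_crl(ca_cert, ca_key, []) }
  cached = ->(url) { cache[url] }
  # The CA then revokes the leaf (certificateHold) and publishes a new CRL.
  fresh  = publish_crl(ca_cert, ca_key, [[leaf.serial, CERTIFICATE_HOLD]])
  live   = ->(url) { url == CDP_URL ? fresh : nil }
  down   = ->(_url) { nil } # CDP not reachable (e.g. not published externally)

  {
    from_cache:  revocation_status(leaf, ca_cert, cached),
    from_cdp:    revocation_status(leaf, ca_cert, live),
    unreachable: revocation_status(leaf, ca_cert, down),
    soft_fail:   revocation_status(leaf, ca_cert, down, soft_fail: true)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `from_cache` result stays `:good` even though the CA has already revoked the certificate, because the cached CRL is signed by the right issuer and has not reached its nextUpdate; only fetching the fresh CRL (`from_cdp`) returns `[:revoked, 6]`. The `unreachable` and `soft_fail` results show the two policies a validator can take when no CRL can be obtained; for authentication, treating `:unknown` as a failure is the safer choice.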