David
Posted 17 October 2013

Hello, I am currently building a test environment:

1. Windows 2008R2 as DC + Exchange 2010, mymail.local
2. Windows 2008R2 as DC + Exchange 2010, prosware.local
3. Windows 2008R2 as DC + CA, orange.local

My first goal is to have certificates for my Exchange servers issued by the CA in orange.local!

I have imported the root certificate of the CA on both servers. When I now issue a certificate and import it into Exchange, I get the message "....the revocation check failed".

certutil -verify -urlfetch c:\certnew.cer gives the following:

Issuer:
    CN=orange-ROOT-CA
    DC=orange
    DC=local
Subject:
    CN=mymail.local
    OU=test
    O=test
    L=testtes
    S=test
    C=AQ
Cert Serial Number: 612295f8000000000005

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 1 Hours, 11 Minutes, 55 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 1 Hours, 11 Minutes, 55 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=orange-ROOT-CA, DC=orange, DC=local
  NotBefore: 10/17/2013 2:46 PM
  NotAfter: 10/17/2015 2:46 PM
  Subject: CN=mymail.local, OU=test, O=test, L=testtes, S=test, C=AQ
  Serial: 612295f8000000000005
  SubjectAltName: DNS Name=exchange1.mymail.local, DNS Name=mymail.local, DNS Name=autodiscover.mymail.local
  Template: WebServer
  86 1b e5 2a fa 58 b4 e8 d0 44 25 19 eb ee b7 5d c2 27 b0 8e
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01)" Time: 4
    [0.0] http://root.orange.local/CertEnroll/orange-ROOT-CA.crl
  Failed "CDP" Time: 0
    Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
    [0.0.0] ldap:///CN=orange-ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=orange,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Base CRL CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
    ldap:///CN=orange-ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=orange,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  Failed "OCSP" Time: 0
    Error retrieving URL: Error 0x80190195 (-2145844843)
    http://root.orange.local/CertEnroll/Root.orange.local_orange-ROOT-CA.crt
  --------------------------------
  CRL 01:
  Issuer: CN=orange-ROOT-CA, DC=orange, DC=local
  f9 11 39 cd cc 5d 6a 85 2e 97 cd 03 45 38 df 18 c2 4d 87 9a
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=orange-ROOT-CA, DC=orange, DC=local
  NotBefore: 10/17/2013 2:15 PM
  NotAfter: 10/17/2046 2:24 PM
  Subject: CN=orange-ROOT-CA, DC=orange, DC=local
  Serial: 26f8a26852d632874ffc5a88317e4e5a
  e0 dd e7 56 7d aa d6 8d e9 61 2e 49 01 99 ff f9 1d ec 17 f6
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  a6 f0 1e c4 24 b4 44 2c 73 51 44 67 b4 d7 e9 5c e1 77 67 0c
Full chain:
  29 49 5e c4 dd be a0 78 82 1f f0 9d a6 24 db fd cf 12 26 26
Issuer: CN=orange-ROOT-CA, DC=orange, DC=local
NotBefore: 10/17/2013 2:46 PM
NotAfter: 10/17/2015 2:46 PM
Subject: CN=mymail.local, OU=test, O=test, L=testtes, S=test, C=AQ
Serial: 612295f8000000000005
SubjectAltName: DNS Name=exchange1.mymail.local, DNS Name=mymail.local, DNS Name=autodiscover.mymail.local
Template: WebServer
86 1b e5 2a fa 58 b4 e8 d0 44 25 19 eb ee b7 5d c2 27 b0 8e
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

http://root.orange.local/CertEnroll/orange-ROOT-CA.crl and http://root.orange.local/CertEnroll/Root.orange.local_orange-ROOT-CA.crt are reachable via IE!

Am I doing something wrong (otherwise it might work :-) ) or does this simply not work at all?!

Regards, David
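As an added example (not code from the thread), a small Python parser for the per-URL part of the certutil -verify -urlfetch output above: it records every CDP/AIA/OCSP fetch certutil attempted, groups the failed ones by URL scheme, and decodes the wrapped error codes. Run against the post's own lines it makes the pattern visible: the http CRL downloads, while every server-less ldap:/// URL fails because such URLs are resolved against the querying machine's own forest, not orange.local. The function names and the re-typed sample are assumptions.

```python
import re
# Constructed sample: the per-URL part of the certutil output quoted above.
SAMPLE = """\
----------------  Certificate CDP  ----------------
Verified "Base CRL (01)" Time: 4
  [0.0] http://root.orange.local/CertEnroll/orange-ROOT-CA.crl
Failed "CDP" Time: 0
  Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
  [0.0.0] ldap:///CN=orange-ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=orange,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
----------------  Certificate OCSP  ----------------
Failed "OCSP" Time: 0
  Error retrieving URL: Error 0x80190195 (-2145844843)
  http://root.orange.local/CertEnroll/Root.orange.local_orange-ROOT-CA.crt
"""
SECTION_RE = re.compile(r"^-+\s+(.+?)\s+-+$")
STATUS_RE = re.compile(r'^(Verified|Failed)\s+"([^"]*)"\s+Time:\s*\d+')
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s+)?((?:https?|ldap|file):\S+)$")

def parse_urlfetch(text):
    """One dict per URL certutil tried, in output order:
    {section, status, label, url, error}; error is '' on success."""
    fetches, section, cur = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):          # e.g. "Certificate CDP"
            section = m.group(1)
        elif m := STATUS_RE.match(line):         # Verified/Failed "label"
            cur = {"section": section, "status": m.group(1),
                   "label": m.group(2), "url": "", "error": ""}
        elif cur and line.startswith("Error retrieving URL:"):
            cur["error"] = line.split(":", 1)[1].strip()
        elif cur and (m := URL_RE.match(line)):  # optional [x.y] index prefix
            cur["url"] = m.group(1)
            fetches.append(cur)
            cur = None
    return fetches

def failed_by_scheme(fetches):
    """Group failed fetches by URL scheme: server-less ldap:/// URLs resolve
    against the client's own forest, so from another forest they all fail."""
    out = {}
    for f in fetches:
        if f["status"] == "Failed":
            out.setdefault(f["url"].split(":", 1)[0], []).append(f)
    return out

def wrapped_code(hresult):
    """Low 16 bits of 0x8007xxxx (Win32) / 0x8019xxxx (HTTP status): 0x800700ea -> 234, 0x80190195 -> 405."""
    return int(hresult, 16) & 0xFFFF
```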
RobertWi
Posted 17 October 2013

Hi, have a look here: http://blogs.technet.com/b/exchange/archive/2010/07/26/emc-and-certificates-with-failed-revocation-checks-in-exchange-2010.aspx

(BTW: that is the first Google hit when you search for "revocation check failed exchange 2010". ;))