RE: 0x80090325 error when using a client cert path with no AIA extensi
From: Patrick Tronnier (PatrickTronnier_at_discussions.microsoft.com)
Date: 04/13/05
Date: Wed, 13 Apr 2005 09:53:03 -0700
Sorry for the redundant posts. I received the following error and thus was not
sure if my post succeeded or not.
An error occurred while sending your post
--------------------------------------------------------------------------------
We're sorry, but there was a problem with the system and your post was not
received. The error has been reported to Operations and will be investigated
as soon as possible. Please try again later.
"Patrick Tronnier" wrote:
> Greetings,
>
> Problem:
> I receive a 0x80090325 error "The certificate chain was issued by an
> authority that is not trusted." when I attempt to connect to a site using a
> client certificate which does not have an Authority Information Access (AIA)
> extension in any of the certs in the path. I assume the chain cannot be
> built because my code does not know where to download the missing CA cert
> from.
>
> Scenario:
> The site is https://sandboxsmd.iso-ne.com/
>
> Server: Server: Stronghold/3.0 Apache/1.3.22 RedHat/3021c (Unix)
> mod_ssl/2.8.7 OpenSSL/0.9.6b mod_perl/1.25\r\n
>
> Client: Windows 2000 SP4
>
> Note: Both client and server root certs are installed!! Also, the problem
> goes away if the client Intermediate CA cert is installed in the
> LocalMachine\CA cert store.
>
> Here are the cert chains:
>
> Server: sandboxsmd.iso-ne.com > issued by> Equifax Secure Certificate
> Authority
>
> Client: Leonard Jaques (50702) > issued by> ISO New England CA 1> > issued
> by> Equifax Secure eBusiness CA-1
>
> Question:
> Is there sample code (preferably C++) which shows how to build a cert chain
> using files on a network share when the AIA extension is missing in a cert?
> If no sample code, can someone review my code and possibly let me know a
> better way to do this?
>
> Additional Info:
> Here is a winhttptracecfg log. (as I mentioned, when both client and server
> root certs are installed I still have the problem. If the client Intermediate CA cert
> is installed into the LocalMachine\CA store the problem goes away).
>
> Thank you very much in advance for any assistance.
>
> PS: Issue also cross posted in winhttp newsgroup.
>
> 14:29:00.175 ::*Session* :: >>>> WinHttp Version 5.1 Build 5.1.2600 Dec 9
> 2003 01:37:31>>>>Process SHttpRequest.exe [3836 (0xefc)] started at
> 14:29:00.175 03/24/2005
> 14:30:01.878 ::*Session* ::
> WinHttpCrackUrl("https://sandboxsmd.iso-ne.com/mkt/private/XmlRequest", 0x34,
> 0x0, 0x12f5b0)
> 14:30:01.878 ::*Session* ::
> WinHttpCrackUrlA("https://sandboxsmd.iso-ne.com/mkt/private/XmlRequest",
> 0x34, 0x0, 0x12f3dc)
> 14:30:01.878 ::*Session* :: WinHttpCrackUrlA() returning TRUE
> 14:30:01.878 ::*Session* :: WinHttpCrackUrl() returning TRUE
> 14:30:01.878 ::*Session* :: WinHttpOpen("OATI WinHTTP Interface", (0), "",
> "", 0x0)
> 14:30:01.894 ::*Session* :: WinHttpOpen() returning handle 0xec4000
> 14:30:01.894 ::*Session* :: WinHttpConnect(0xec4000,
> "sandboxsmd.iso-ne.com", 443, 0x0)
> 14:30:01.894 ::*Session* :: WinHttpConnect() returning handle 0xec8000
> 14:30:01.894 ::*Session* :: WinHttpOpenRequest(0xec8000, "POST",
> "/mkt/private/XmlRequest", "", "", 0x0, 0x00800000)
> 14:30:02.003 ::*Session* :: WinHttpCreateUrlA(0x12f204, 0x0, 0x18d0000,
> 0x12f240)
> 14:30:02.003 ::*Session* :: WinHttpCreateUrlA() returning TRUE
> 14:30:02.003 ::*0000001* :: WinHttpOpenRequest() returning handle 0xec9000
> 14:30:02.003 ::*0000001* :: WinHttpSetOption(0xec9000, (6), 0x12f578
> [0x36ee80], 4)
> 14:30:02.003 ::*0000001* :: WinHttpSetOption() returning TRUE
> 14:30:02.019 ::*0000001* :: WinHttpSetOption(0xec9000, (3), 0x12f620
> [0xea60], 4)
> 14:30:02.019 ::*0000001* :: WinHttpSetOption() returning TRUE
> 14:30:02.269 ::*0000001* :: WinHttpSetOption(0xec9000, (47), 0x15fd60
> [0x1], 20)
> 14:30:02.269 ::*0000001* :: WinHttpSetOption() returning TRUE
> 14:30:02.269 ::*0000001* :: WinHttpSetOption(0xec9000, (79), 0x12f5cc
> [0x3100], 4)
> 14:30:02.269 ::*0000001* :: WinHttpSetOption() returning TRUE
> 14:30:21.003 ::*Session* :: WinHttpAddRequestHeaders(0xec9000,
> "Context-Type: text/*\r\nUser-Agent: Mozilla/4.0 (compatible; OATI)\r\n", -1,
> 0x20000000)
> 14:30:21.003 ::*Session* :: WinHttpAddRequestHeaders() returning TRUE
> 14:30:23.738 ::*0000001* :: WinHttpSendRequest(0xec9000, "", 0, 0xee5058,
> 125, 125, 0)
> 14:30:24.097 ::*0000001* :: "sandboxsmd.iso-ne.com" resolved
> 14:30:24.628 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x90312
> [SEC_I_CONTINUE_NEEDED]
> 14:30:24.628 ::*0000001* :: sending data:
> 14:30:24.628 ::*0000001* :: 62 (0x3e) bytes
> 14:30:24.628 ::*0000001* :: <<<<-------- HTTP stream follows below
> ----------------------------------------------->>>>
> 14:30:24.628 ::*0000001* :: ....9...5..BC#`5V;<.Ha. .....F
> .*.E.M$.X.b.......d.b.......c..
> 14:30:24.628 ::*0000001* :: <<<<-------- End
> ----------------------------------------------->>>>
> 14:30:24.675 ::*0000001* :: received data:
> 14:30:24.675 ::*0000001* :: 1024 (0x400) bytes
> 14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
> ----------------------------------------------->>>>
> 14:30:24.675 ::*0000001* :: ....J...F..BC#_....V...........y.%:.IG9TU-b
> a.....G}...Uz.8..s[.^.#.....3+.........!..........0...0..|..........0
> ..*.H..
> .....0N1.0...U....US1.0...U.
> 14:30:24.675 ::*0000001* :: ..Equifax1-0+..U...$Equifax Secure Certificate
> Authority0..
> 040621160740Z.
> 050821160740Z0..1.0...U....US1.0...U...
> Massachusetts1.0...U....Holyoke1.0...U.
> 14:30:24.675 ::*0000001* :: ..ISO New England1.0...U....Market
> Systems1.0...U....sandboxsmd.iso-ne.com0..0
> ..*.H..
> .........0.........V%....<..F..r.
> U...3...qeL...]..o....eB..tc.I.C2u...v...Z..'..[..=......d.V...v(S...2U.B....6
> ..Lk4Yp.=I\$.F.n..I.k-.Pe.;............0..0...`.H...B.......@0...U...........0...U........._'.....#..ad.F...0:..U...3010/.-.+.)http://crl.geotrust.com/crls/secureca.crl0...U.#..0...H.h.+....G.# .O3....0...U.%..0...+.........+.......0
> ..*.H..
> .................Z..ny...4...j]-D....g[\.J..\6.^.Ekl.e..%......p...52..x...I.{\.|...|Zf..@...).]'32..`|-8..e}...Dw.k:._.*...^.+3...g...)z.....
> .........a0_1.0...U....US1.0...U.
> 14:30:24.675 ::*0000001* :: ..VeriSign, Inc.1705..U....Class 2 Public
> Primary Certification Authority..0..1.0...U....US1.0...U.
> 14:30:24.675 ::*0000001* :: <<<<-------- End
> ----------------------------------------------->>>>
> 14:30:24.675 ::*0000001* :: received data:
> 14:30:24.675 ::*0000001* :: 263 (0x107) bytes
> 14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
> ----------------------------------------------->>>>
> 14:30:24.675 ::*0000001* ::
> 14:30:24.675 ::*0000001* :: ..VeriSign, Inc.1<0:..U...3Class 2 Public
> Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For
> authorized use only1.0...U....VeriSign Trust Network.U0S1.0...U....US1.0...U.
> 14:30:24.675 ::*0000001* :: ..Equifax Secure Inc.1&0$..U....Equifax Secure
> eBusiness CA-1....
> 14:30:24.675 ::*0000001* :: <<<<-------- End
> ----------------------------------------------->>>>
> 14:30:24.675 ::*0000001* :: sending data:
> 14:30:24.675 ::*0000001* :: 1069 (0x42d) bytes
> 14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
> ----------------------------------------------->>>>
> 14:30:24.675 ::*0000001* :: ...............0...0..D........(0
> ..*.H..
> .....0K1.0...U....US1.0...U.
> 14:30:24.675 ::*0000001* :: ..ISO New England Inc.1.0...U....ISO New England
> CA 10..
> 050131220052Z.
> 060214220052Z0..1.0...U....US1.0...U.
> 14:30:24.675 ::*0000001* :: ..Split Rock Energy LLC1.0...U....USER ID -
> 6000242031.0...U....Leonard Jaques (50702)1&0$..*.H..
> .....leonard.jaques@oati.net0..0
> ..*.H..
> .........0.......4..5#..K....9.v1
> z..h...T......~...;.a......+..1.g.......'...>.#...
> ..9.Na:.+....-.?$'.Ny..w......]:...|AAd..dz.R
> ....xR..R.C........0..0...`.H...B........0...U...........0:..U...3010/.-.+.)http://crl.geotrust.com/crls/isoneca1.crl0...U.#..0...I..tE.......x...My..0
> ..*.H..
> ..........
> 14:30:24.675 ::*0000001* :: e.G.!a..{F..
> 14:30:24.675 ::*0000001* ::
> .hu-XEn..F.!...,6.....*.x4...c.ga....%S.Y...Y.W.D4.....A..Xvx...Q.H.gL.].}.]...T.....Q2z....'........6W.$5.%'..=...........;!h.!..n..<]N0.^
> ..#?O.s...c.........^....MU......i~..`^......%...!.$s..L&..3.,3.\.W&.Q..[[.D+.?ez.wV..fx....
> ../.nE".9%...........x..w....b.....-...y{5b[....O...x...AH...4./Q..\>.....[...*...n:,&...4..9.&.6,....8.5.Z1nJ.....g...H..
> 14:30:24.675 ::*0000001* ::
> .{4....._...^..Q*$?...............(~.:....w....V...)......[..X.?..#....F...
> 14:30:24.675 ::*0000001* :: <<<<-------- End
> ----------------------------------------------->>>>
> 14:30:24.722 ::*0000001* :: received data:
> 14:30:24.722 ::*0000001* :: 7 (0x7) bytes
> 14:30:24.722 ::*0000001* :: <<<<-------- HTTP stream follows below
> ----------------------------------------------->>>>
> 14:30:24.722 ::*0000001* :: ......0
> 14:30:24.722 ::*0000001* :: <<<<-------- End
> ----------------------------------------------->>>>
> 14:30:24.722 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x80090325 [?]
> 14:30:24.722 ::*0000001* :: WinHttpSendRequest: error -2146893019 [0x80090325]
> 14:30:24.722 ::*0000001* :: WinHttpSendRequest() returning FALSE
> 14:30:49.300 ::*0000001* :: WinHttpQueryHeaders(0xec9000, (0x16), "<null>",
> 0x0, 0x12f614 [0], 0x0 [0])
> 14:30:49.300 ::*0000001* :: WinHttpQueryHeaders() returning FALSE
> 14:30:49.300 ::*0000001* :: WinHttpQueryHeaders(0xec9000, (0x16), "<null>",
> 0xee4d18, 0x12f614 [6], 0x0 [0])
> 14:30:49.300 ::*0000001* :: WinHttpQueryHeaders() returning TRUE
> 14:30:51.238 ::*0000001* :: WinHttpCloseHandle(0xec9000)
> 14:30:51.238 ::*0000001* :: WinHttpCloseHandle() returning TRUE
> 14:30:51.238 ::*Session* :: WinHttpCloseHandle(0xec8000)
> 14:30:51.238 ::*Session* :: WinHttpCloseHandle() returning TRUE
> 14:30:51.238 ::*Session* :: WinHttpCloseHandle(0xec4000)
> 14:30:51.238 ::*Session* :: WinHttpCloseHandle() returning TRUE
>