Re: Schannel CertificateChainValidation failing



Thanks John and Joe. I am not fully up to speed with certs (root, end entity,
intermediate and validation of) but you have made me more aware of what I
should be looking for.

Thanks again,
Kenney

"Joe Kaplan" wrote:

If the client doesn't have the root cert locally, it may attempt to contact
Windows Update to see if the certificate is registered with Microsoft as a
valid Windows trusted root cert. I've seen this with public SSL certs
issued by "unusual" root cert chains that are valid but not included on the
client by default.

Normally if this happens, there will be event log entries describing what
transpired. As with most things in Windows, this default behavior can be
disabled as well.

I'm not exactly sure how this trust root cert auto update behavior varies by
OS revision. It has definitely evolved over time but I can't remember which
clients and servers attempt to do exactly what by default. I believe it is
documented on TechNet though.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"John Banes" <jabanes@xxxxxxxxxxx> wrote in message
news:OvGW4VXgJHA.1288@xxxxxxxxxxxxxxxxxxxxxxx
I can think of only two reasons why the certificate validation code would
need to access the network.

1. You've enabled certificate revocation checking, and the validation code
is attempting to fetch a CRL for one or more of the certificates in the
certificate chain.

2. The validation code is attempting to retrieve an intermediate
certificate from the net, or maybe even a root certificate. This should
not be an issue if the client and server are configured correctly.

The server should be sending the end-entity certificate as well as all
intermediate certificates to the client as part of the SSL handshake. The
root certificate is not sent. If the server is not configured correctly
(e.g. the intermediate certificates are not installed) then the
intermediate certificates are not sent to the client, and the client has
to connect to the net in an attempt to find them (following the AIA
extensions of the end-entity certificate).

The root certificate should be installed on the client machine already.
Maybe the client-side validation code will attempt to find a suitable root
certificate if it isn't installed, but I'm not too familiar with root
certificate management stuff.

What version of Windows are you running?

If you were to post your client-side certificate validation code, then
perhaps something else will come to mind.

Regards,
John
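John's two reasons for network access and the root-in-the-local-store point he and Joe both make, shown as an added Go example that is not code from this thread (Go's crypto/x509 chain builder stands in for CryptoAPI's CertGetCertificateChain, and it has no AIA fetching or root auto-update, so it behaves like the locked-down client). A constructed root -> intermediate -> server chain (names root.test, intermediate.test and server.example are made up) is verified with the intermediate sent and the root installed, with the intermediate missing, and with the root not installed; the last two fail with an unknown-authority error, the offline equivalent of the "signature could not be verified" result.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn (a CA when ku has keyCertSign), signed by parent, or self-signed when parent is nil.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // constructed test cert; clock-based serial keeps serials distinct
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
		DNSNames: []string{cn}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain makes a throwaway root -> intermediate -> server chain (constructed test PKI).
func BuildChain() (leaf, inter, root *x509.Certificate) {
	r, rk := mkCert("root.test", x509.KeyUsageCertSign, nil, nil)
	i, ik := mkCert("intermediate.test", x509.KeyUsageCertSign, r, rk)
	l, _ := mkCert("server.example", x509.KeyUsageDigitalSignature, i, ik)
	return l, i, r
}

// VerifyOffline is an offline client: installed is its local root store, sent is what the server put in the handshake.
func VerifyOffline(leaf *x509.Certificate, installed, sent []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range installed {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leaf.DNSNames[0]})
	return err
}
```

The same split applies on Windows: an intermediate the server omits or a root absent from the store is the gap that AIA retrieval or the root auto-update would otherwise paper over while the box is online.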

"Kenney" <Kenney@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B49AEA54-B4AC-48F0-99C6-D007C7C689A8@xxxxxxxxxxxxxxxx
Hi,

I am trying to validate the certificate chain of a server-sent certificate
during the standard SSL handshake process. Validation is successful when the
system can access the internet, but as soon as the system is locked down (no
internet access) I am getting "...certificate signature could not be
verified..." along with crypt32 errors about not being able to update a 3rd
Party Serial Number.

Now I have noticed a flag CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE on the
CertGetCertificateChain which states using this flag will inhibit the update
of 3rd party roots from the Windows Web Server.

If I use this flag and the update is not performed, will the server cert pass
validation as it seems to do in the open environment?

Cheers,
kenney
