Re: Schannel CertificateChainValidation failing



It is really helpful to try to get at least a base knowledge of certificates and PKI, especially with regards to all the components in chain verification, if you are going to be working with SSL in any detail. You might benefit by starting with some of the Wikipedia material. They generally have some good high level intro stuff that won't take a ton of time to read.

Generally speaking, chain verification can be done locally and does not require network connectivity. However, there are four exceptions to this:
- If revocation checking is enabled and any cert in the chain includes a CDP extension, the client may attempt to connect to the published CDP location (or locations) to retrieve a CRL object if it does not already have a valid one cached locally
- If any cert includes AIA extensions, the client may try to retrieve the issuing certificate for that cert via the published AIA location. This is especially true if the cert is not provided by the server and is not installed locally on the client.
- Some clients may also attempt to verify revocation status via OCSP if the client supports this protocol, revocation checking is enabled and any cert in the chain includes an OCSP location in the AIA extension. Note that OCSP client support is pretty new in Windows (Vista/2K8).
- Windows may attempt to retrieve new trusted roots from Windows Update if a trusted root certificate is referenced by an issuing certificate in the chain and that trusted root is not installed locally already (as previously discussed)

I hope that helps a bit more.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Kenney" <Kenney@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:82E2C26E-01B6-47B1-A49D-338CE486AC58@xxxxxxxxxxxxxxxx
Thanks John and Joe. I am not fully up to speed with certs (root, end entity,
intermediate and validation of) but you have made me more aware of what I
should be looking for.

Thanks again,
Kenney
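The four network exceptions listed in the reply above, as an added example that is not from this thread, from Microsoft or from Schannel itself: a Go program that builds a constructed root/intermediate/leaf hierarchy, verifies the leaf with Go's crypto/x509 verifier (which never fetches CRLs, OCSP responses or missing issuers on its own), and then reports every point at which a CryptoAPI-style validator might leave the machine instead: each CDP URL (exception 1), each AIA CA Issuers URL (exception 2), each OCSP URL (exception 3), and the missing-issuer condition under which Windows would try AIA or Windows Update (exception 4). All certificate names and URLs are constructed placeholders on the reserved .invalid TLD; AuditChain, BuildTestPKI and NetDep are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NetDep is one point where a validator such as CryptoAPI may leave the local
// machine. Kind is "CRL", "AIA-CAIssuers", "OCSP" or "MissingIssuer".
type NetDep struct{ Subject, Kind, URL string }

// Constructed placeholder endpoints; nothing here is a real service.
const (
	crlURL   = "http://crl.example.invalid/root.crl"
	aiaURL   = "http://aia.example.invalid/root.cer"
	ocspURL  = "http://ocsp.example.invalid"
	hostName = "server.example.invalid"
)

// issue signs tmpl with the parent's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildTestPKI creates a constructed root -> intermediate -> leaf hierarchy whose
// intermediate and leaf both carry CDP, AIA (CA Issuers) and OCSP pointers.
func BuildTestPKI() (root, inter, leaf *x509.Certificate) {
	now := time.Now()
	base := func(serial int64, cn string, ca bool) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: ca, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	r, rootKey := issue(base(1, "Constructed Test Root", true), nil, nil)
	interT := base(2, "Constructed Test Intermediate", true)
	interT.CRLDistributionPoints, interT.IssuingCertificateURL, interT.OCSPServer =
		[]string{crlURL}, []string{aiaURL}, []string{ocspURL}
	i, interKey := issue(interT, r, rootKey)
	leafT := base(3, hostName, false)
	leafT.KeyUsage = x509.KeyUsageDigitalSignature
	leafT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leafT.DNSNames = []string{hostName}
	leafT.CRLDistributionPoints, leafT.IssuingCertificateURL, leafT.OCSPServer =
		[]string{crlURL}, []string{aiaURL}, []string{ocspURL}
	l, _ := issue(leafT, i, interKey)
	return r, i, l
}

// AuditChain verifies leaf strictly offline and lists the network touches a
// Windows-style validator could make for the same chain. The verify error is
// returned as well so callers can see why an offline build fails.
func AuditChain(leaf *x509.Certificate, inters, roots []*x509.Certificate) ([]NetDep, error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool() // empty pool, not the system store
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range inters {
		ip.AddCert(c)
	}
	var deps []NetDep
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, DNSName: hostName})
	walk := append([]*x509.Certificate{leaf}, inters...) // best effort if the build fails
	if err == nil {
		walk = chains[0]
	} else if unknown := (x509.UnknownAuthorityError{}); errors.As(err, &unknown) {
		// Exceptions 2 and 4: the issuer of unknown.Cert is neither supplied nor
		// installed. Windows may follow its AIA pointer, or fetch a missing root
		// from Windows Update; Go just stops here.
		d := NetDep{Subject: unknown.Cert.Subject.CommonName, Kind: "MissingIssuer"}
		if len(unknown.Cert.IssuingCertificateURL) > 0 {
			d.URL = unknown.Cert.IssuingCertificateURL[0]
		}
		deps = append(deps, d)
	}
	for _, c := range walk {
		cn := c.Subject.CommonName
		for _, u := range c.CRLDistributionPoints { // exception 1: CRL fetch via CDP
			deps = append(deps, NetDep{cn, "CRL", u})
		}
		for _, u := range c.IssuingCertificateURL { // exception 2: issuer fetch via AIA
			deps = append(deps, NetDep{cn, "AIA-CAIssuers", u})
		}
		for _, u := range c.OCSPServer { // exception 3: OCSP responder in AIA
			deps = append(deps, NetDep{cn, "OCSP", u})
		}
	}
	return deps, err
}

func main() {
	root, inter, leaf := BuildTestPKI()
	for _, tc := range []struct {
		name  string
		roots []*x509.Certificate
	}{{"root installed", []*x509.Certificate{root}}, {"root missing", nil}} {
		deps, err := AuditChain(leaf, []*x509.Certificate{inter}, tc.roots)
		fmt.Printf("== %s: offline verify error = %v\n", tc.name, err)
		for _, d := range deps {
			fmt.Printf("  %-30s %-14s %s\n", d.Subject, d.Kind, d.URL)
		}
	}
}
```

With the root supplied, the chain builds with no network access and the audit shows six outbound touches that a revocation-checking client could still make (CRL, AIA and OCSP on both the intermediate and the leaf). With the root withheld, Go fails with UnknownAuthorityError at the intermediate, which is the same point at which Windows would consult Windows Update for the referenced root; withhold the intermediate instead and the leaf's own AIA CA Issuers URL is what a Windows client would follow.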