Re: Stand Alone CA Problem

From: Tyler Li [MS] (tylerli@online.microsoft.com)
Date: Tue, 31 Dec 2002 08:15:45 GMT

Hi Scott,

Please let me know if you are using Internet Explorer 5. If so, I suggest
you download the Internet Explorer 5.5 SP2. Please visit this web site:
http://wwww.microsoft.com/windows/ie

Tyler Li

tylerli@online.microsoft.com
Online Support Professional
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06>
Subject: Re: Stand Alone CA Problem
Date: Mon, 30 Dec 2002 10:14:19 -0800
Lines: 210
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-ID: <OXxBz7CsCHA.2448@TK2MSFTNGP09>
Newsgroups: microsoft.public.win2000.security
NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
Xref: cpmsftngxa09 microsoft.public.win2000.security:1781
X-Tomcat-NG: microsoft.public.win2000.security

Sorry, but I DO want the certificate to be checked against a CRL. The
command you referenced is undesirable.

The CRL is available in my Certificate Revocation List in the "Certificates"
Microsoft Management Console snap-in. The list is not corrupted. So without
disabling checking, how does one get the certificate revocation list
operational within Microsoft mail clients...Outlook 2000, Outlook 2002 and
Outlook Express with all the latest updates and patches?

If you don't understand what I mean I will be happy to send you an email
with my digital signature. Send me an email requesting it, then view the
certificate you see in your browser...with the security checking features
on...without trusting the intermediary certificate explicitly...and having
the root CA of the certificate be a trusted CA...I have opened a support
ticket with Thawte and verified with them, as well as with my colleagues, that
the problem is repeatable.

    My certificate is attached as "scott.schreckengaust@aspentech.com.cer".
The root CA for my certificate can be downloaded at
<http://www.thawte.com/html/SUPPORT/keygen/persfree.crt>. The CRL for the
signing certificate can be downloaded at
<https://www.thawte.com/cgi/lifecylcle/roots.exe>

The exact warning message is between the carets ("^"):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Warning:
The Certificate Revocation List needed to verify the signing certificate is
either unavailable or it has expired.
Signed by scott.schreckengaust@aspentech.com using RSA/SHA1 at 8:37:43
11/20/2002.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Additionally, keyword searches on the Microsoft support website at
http://support.microsoft.com/ using the above warning message only turn up
information on how to disable the warning by not checking the CRL.

Anybody know how to remedy the situation?

Thank you,

Scott Schreckengaust

"Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
news:#PDdty9rCHA.1872@cpmsftngxa06...
> Hi,
> This error occurs because the certificate is being checked against a CRL
> (certificate revocation list). That CRL cannot be found, is corrupted, or is
> unavailable. The certificate itself may be valid, but since it is unable to
> get a verified response from the CRL, the certificate appears to be invalid.
> The command listed below tells the machine not to check against the CRL,
> thus avoiding the warning message altogether.
> http://support.microsoft.com/default.aspx?scid=KB;en-us;q249780
>
>
> Tyler Li
>
> tylerli@online.microsoft.com
> Online Support Professional
> Microsoft Corporation
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> Subject: Re: Stand Alone CA Problem
> Date: Fri, 27 Dec 2002 14:34:50 -0800
> Lines: 93
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> Message-ID: <OlR4TffrCHA.2488@TK2MSFTNGP12>
> Newsgroups: microsoft.public.win2000.security
> NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
> Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP12
> Xref: cpmsftngxa06 microsoft.public.win2000.security:1687
> X-Tomcat-NG: microsoft.public.win2000.security
>
> This temporary fix for me does not even work. Where is the documentation
> referenced below?
>
> I downloaded the CRL at https://www.thawte.com/cgi/lifecycle/roots.exe that
> includes the "Personal Freemail RSA 2000.8.30" revocation list and installed
> it into my certificate store, but it still shows up with the same "Warning:
> The Certificate Revocation List needed to verify the signing certificate is
> either unavailable or it has expired."
>
> The signing certificate of the certificate with the warning is "Personal
> Freemail RSA 2000.8.30" signed by "Thawte Personal Freemail CA" (which is in
> my "Trusted Root Certificate Authorities"). I agree that one should not
> have to change the "Inherit Trust from Issuer" to "Explicitly Trust this
> Certificate" if the root in the chain is a trusted CA...
>
> I have signed this message with my certificate for you to look at...
>
> -----Original Message-----
>
>
> ------------------------------------------------------------------------------
>
>   Subject: Re: Stand Alone CA Problem
>   From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
>   Date: Mon, 12 Aug 2002 08:40:51 -0700
>   In-reply-to: <emAQnoOPCHA.2416@tkmsftngp09> <ewS9g4FQCHA.2524@tkmsftngp11>
>   Newsgroups: microsoft.public.win2000.security
>   Xref: news.uni-stuttgart.de microsoft.public.win2000.security:8819
>
> ------------------------------------------------------------------------------
>
> This is almost always caused by network latency. Outlook XP cannot download
> the CRL from the CDP fast enough and times out.
>
> Unless the CRL is valid for a very long time (which is normally a bad
> security decision), your fix below is temporary. As soon as the CRL expires,
> this behavior will reappear. If you use LDAP URLs instead of HTTP, the
> download is usually many times faster. There are also a few settings
> available around CRL download behavior and you should find all the details
> in the documentation.
>
> --
> Shreeniwas Kelkar,
> Microsoft Corp.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of any included samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
> --
> "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> news:ewS9g4FQCHA.2524@tkmsftngp11...
> > To solve this problem, I downloaded the Certificate Revocation List of my
> > CA and imported it in my certificate store.
> >
> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> > news:emAQnoOPCHA.2416@tkmsftngp09...
> > > I installed a Standalone CA for my 70++-user win2000
> > > local area network without any hitch. Users use Outlook XP
> > > as mail client. Mail encryption and signing work well.
> > > However when I open security properties of an
> > > encrypted&signed mail, I see a warning message "The
> > > Certificate Revocation List needed to verify the signing
> > > certificate is either unavailable or it has expired."
> > > Besides, for the signing certificate message it says "This
> > > certificate is OK!" under the root CA. In the Edit Trust
> > > part "Inherit trust from the issuer" seems to be chosen.
> > > Why do I see this warning message? I wonder if there is
> > > anything wrong with the CDP points, but it also seems OK;
> > > clients can query the CRL using HTTP. I think I
> > > shouldn't have to select "Explicitly trust this
> > > certificate" for each certificate. Since I trust my root
> > > CA, selecting "inherit trust from the issuer" is expected
> > > to work fine.
> > >
> > > Are there also any special procedures in publishing the CRL using an
> > > ISA2K server?
> > > The reason I asked this is because I will be issuing email
> > > certificates to users outside our win2k domain.
> > >
> > > ANY comments&feedbacks will be greatly appreciated.
> > >

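Added example, not part of the thread and not Microsoft's or Thawte's code: the decision a relying party (a mail client, in the thread's case) makes when it has to use a CRL to check a signing certificate, written in Go against the standard library only. It builds a throwaway CA, one good and one revoked mail certificate carrying a made-up CRL distribution point, and a CRL valid for 24 hours, then evaluates the outcomes the thread turns on: a fresh CRL yields OK or revoked; a CRL whose NextUpdate has passed is "expired", which is why importing the CRL by hand only works until the next update; and no retrievable CRL is "unavailable". The CA name, serial numbers, addresses and the CDP URL are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CRLStatus is what a relying party concludes after trying to use a CRL.
type CRLStatus string

const (
	CRLOK          CRLStatus = "ok"          // CRL is current and does not list the certificate
	CRLUnavailable CRLStatus = "unavailable" // no CRL, unparsable, or not signed by the issuer
	CRLExpired     CRLStatus = "expired"     // CRL obtained, but its validity window does not cover now
	CRLRevoked     CRLStatus = "revoked"     // CRL is current and lists the certificate's serial
)

// CheckCRL is the decision behind the "either unavailable or it has expired"
// warning: a CRL that cannot be obtained or trusted is never consulted for
// entries, and a stale one is rejected too, so an imported CRL helps only
// until its NextUpdate passes.
func CheckCRL(issuer, cert *x509.Certificate, crlDER []byte, now time.Time) (CRLStatus, error) {
	if len(crlDER) == 0 {
		return CRLUnavailable, errors.New("no CRL obtained from the CDP or the local store")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return CRLUnavailable, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return CRLUnavailable, fmt.Errorf("CRL signature: %w", err)
	}
	// A CRL without NextUpdate gives no freshness guarantee, so it is treated as stale.
	if crl.NextUpdate.IsZero() || now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return CRLExpired, fmt.Errorf("CRL valid %s to %s, checked at %s", crl.ThisUpdate, crl.NextUpdate, now)
	}
	for _, rc := range crl.RevokedCertificates { // older field name, still filled in by ParseRevocationList
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return CRLRevoked, nil
		}
	}
	return CRLOK, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario constructs a throwaway in-memory PKI: a CA, one good and one
// revoked mail certificate, and a CRL valid for 24 hours from issued. Names,
// serials and the CDP URL are made up; nothing here is a real CA's material.
func BuildScenario(issued time.Time) (ca, good, revoked *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Personal Freemail CA (constructed)"},
		NotBefore:             issued.Add(-time.Hour),
		NotAfter:              issued.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue CRLs
	}
	// Parse the DER back so the CA carries the SubjectKeyId that CreateCertificate generated.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, email string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: email},
			NotBefore:             issued.Add(-time.Hour),
			NotAfter:              issued.Add(365 * 24 * time.Hour),
			KeyUsage:              x509.KeyUsageDigitalSignature,
			CRLDistributionPoints: []string{"http://crl.example.invalid/freemail.crl"}, // hypothetical CDP
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	good, revoked = issue(1001, "alice@example.invalid"), issue(1002, "bob@example.invalid")
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issued, NextUpdate: issued.Add(24 * time.Hour)}
	crl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: issued}}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))
	return ca, good, revoked, crlDER
}

func main() {
	issued := time.Date(2002, time.December, 30, 10, 14, 19, 0, time.UTC)
	ca, good, revoked, crl := BuildScenario(issued)
	fresh, stale := issued.Add(time.Hour), issued.Add(48*time.Hour)
	fmt.Println(CheckCRL(ca, good, crl, fresh))    // ok
	fmt.Println(CheckCRL(ca, revoked, crl, fresh)) // revoked
	fmt.Println(CheckCRL(ca, good, crl, stale))    // expired: the imported CRL's NextUpdate has passed
	fmt.Println(CheckCRL(ca, good, nil, fresh))    // unavailable: nothing fetched from the CDP
}
```

The order of checks is the security-relevant part: signature before freshness, freshness before entries, so a forged or stale CRL can never clear a revoked certificate. On current Windows the equivalent end-to-end check from the command line is `certutil -verify -urlfetch <cert.cer>`, which walks the chain, fetches each CDP and reports whether the CRL was retrieved and whether it is still within its validity window; that is the first thing to run before touching the trust settings the thread discusses.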
