Re: Stand Alone CA Problem
From: Scott Schreckengaust (scott.schreckengaust@aspentech.com)
Date: 01/02/03
- Next message: Doug Haney: "documenting user rights on servers"
- Previous message: rfrescura: "access denied"
- In reply to: Tyler Li [MS]: "Re: Stand Alone CA Problem"
- Next in thread: Jeff Qiu: "Re: Stand Alone CA Problem"
- Reply: Jeff Qiu: "Re: Stand Alone CA Problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com> Date: Thu, 2 Jan 2003 12:42:38 -0800
Using:
Microsoft Windows 2000 Server 5.00.2195 Service Pack 3
Microsoft Outlook 2002 (10.4608.42190) SP-2
Microsoft Internet Explorer 6 Version 6.0.2880.1106 Update Versions: ;SP1;
Q328970; Q324929;
with all known patches and updates applied to date...
"Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
news:Yzj$vSKsCHA.2580@cpmsftngxa09...
> Hi Scott,
>
> Please let me know if you are using Internet Explorer 5. If so, I suggest
> you download the Internet Explorer 5.5 SP2. Please visit this web site:
> http://wwww.microsoft.com/windows/ie
>
> Tyler Li
>
> tylerli@online.microsoft.com
> Online Support Professional
> Microsoft Corporation
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06>
> Subject: Re: Stand Alone CA Problem
> Date: Mon, 30 Dec 2002 10:14:19 -0800
> Lines: 210
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> Message-ID: <OXxBz7CsCHA.2448@TK2MSFTNGP09>
> Newsgroups: microsoft.public.win2000.security
> NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
> Xref: cpmsftngxa09 microsoft.public.win2000.security:1781
> X-Tomcat-NG: microsoft.public.win2000.security
>
> Sorry, but I DO want the certificate to be checked against a CRL. This
> command you referenced is undesirable.
>
> The CRL is available in my Certificate Revocation List in the "Certificates"
> Microsoft Management Console snap-in. The list is not corrupted. So without
> disabling checking, how does one get the certificate revocation list
> operational within Microsoft mail clients...Outlook 2000, Outlook 2002 and
> Outlook Express with all the latest updates and patches?
>
> If you don't understand what I mean I will be happy to send you an email
> with my digital signature. Send me an email requesting it, then view the
> certificate you see in your browser...with the security checking features
> on...without trusting the intermediary certificate explicitly...and having
> the root CA of the certificate a trusted CA...I have opened up a support
> ticket with Thawte and verified with them as well as my colleagues that the
> problem is repeatable.
>
> My certificate is attached as "scott.schreckengaust@aspentech.com.cer".
> The root CA for my certificate can be downloaded at
> <http://www.thawte.com/html/SUPPORT/keygen/persfree.crt>. The CRL for the
> signing certificate can be downloaded at
> <https://www.thawte.com/cgi/lifecylcle/roots.exe>
>
> The exact warning message is between the carets ("^")
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Warning:
> The Certificate Revocation List needed to verify the signing certificate is
> either unavailable or it has expired.
> Signed by scott.schreckengaust@aspentech.com using RSA/SHA1 at 8:37:43
> 11/20/2002.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Additionally, the Microsoft support website at http://support.microsoft.com/
> only has information on how to disable the warning by not checking the CRL
> from keyword searches using the above warning messages.
>
> Anybody know how to remedy the situation?
>
> Thank you,
>
> Scott Schreckengaust
>
>
>
> "Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
> news:#PDdty9rCHA.1872@cpmsftngxa06...
> > Hi,
> > This error occurs because the certificate is being checked against a CRL
> > (certificate revocation list). That CRL cannot be found, is corrupted, or
> > is unavailable. The certificate itself may be valid, but since it is unable
> > to get a verified response from the CRL, the certificate appears to be
> > invalid. The command listed below tells the machine not to check against
> > the CRL, thus avoiding the warning message altogether.
> > http://support.microsoft.com/default.aspx?scid=KB;en-us;q249780
> >
> >
> > Tyler Li
> >
> > tylerli@online.microsoft.com
> > Online Support Professional
> > Microsoft Corporation
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > --------------------
> > From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> > Subject: Re: Stand Alone CA Problem
> > Date: Fri, 27 Dec 2002 14:34:50 -0800
> > Lines: 93
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > Message-ID: <OlR4TffrCHA.2488@TK2MSFTNGP12>
> > Newsgroups: microsoft.public.win2000.security
> > NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
> > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP12
> > Xref: cpmsftngxa06 microsoft.public.win2000.security:1687
> > X-Tomcat-NG: microsoft.public.win2000.security
> >
> > This temporary fix for me does not even work. Where is the documentation
> > referenced below?
> >
> > I downloaded the CRL at https://www.thawte.com/cgi/lifecycle/roots.exe that
> > includes the "Personal Freemail RSA 2000.8.30" revocation list and installed
> > it into my certificate store, but still shows up with the same "Warning: The
> > Certificate Revocation List needed to verify the signing certificate is
> > either unavailable or it has expired."
> >
> > The signing certificate of the certificate with the warning is "Personal
> > Freemail RSA 2000.8.30" signed by "Thawte Personal Freemail CA" (which is in
> > my "Trusted Root Certificate Authorities"). I agree that one should not
> > have to change the "Inherit Trust from Issuer" to "Explicitly Trust this
> > Certificate" if the root in the chain is a trusted CA...
> >
> > I have signed this message with my certificate for you to look at...
> >
> > -----Original Message-----
> >
> > ------------------------------------------------------------------------------
> >
> > Subject: Re: Stand Alone CA Problem
> > From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
> > Date: Mon, 12 Aug 2002 08:40:51 -0700
> > Bcc:
> > In-reply-to: <emAQnoOPCHA.2416@tkmsftngp09> <ewS9g4FQCHA.2524@tkmsftngp11>
> > Newsgroups: microsoft.public.win2000.security
> > Xref: news.uni-stuttgart.de microsoft.public.win2000.security:8819
> >
> > ------------------------------------------------------------------------------
> >
> > This is almost always caused by network latency. OutlookXP cannot download
> > the CRL from the CDP fast enough and times out.
> >
> > Unless the CRL is valid for a very long time (which is normally a bad
> > security decision), your fix below is temporary. As soon as the CRL expires,
> > this behavior will reappear. If you use LDAP URLs instead of HTTP, the
> > download is usually many times faster. There are also a few settings
> > available around CRL download behavior and you should find all the details
> > in the documentation.
> >
> > --
> > Shreeniwas Kelkar,
> > Microsoft Corp.
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of any included samples is subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> > --
> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> > news:ewS9g4FQCHA.2524@tkmsftngp11...
> > > To solve this problem, I downloaded the Certificate Revocation List of my CA
> > > and imported it in my certificate store.
> > >
> > > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> > > news:emAQnoOPCHA.2416@tkmsftngp09...
> > > > I installed a Standalone CA for my 70++-users win2000
> > > > local area network without any hitch. Users use OutlookXP
> > > > as mail client. Mail encryption and signing works well.
> > > > However when I open security properties of an
> > > > encrypted&signed mail, I see a warning message "The
> > > > Certificate Revocation List needed to verify the signing
> > > > certificate is either unavailable or it has expired."
> > > > Besides, for the signing certificate message it says "This
> > > > certificate is OK!" under the root CA. In the Edit Trust
> > > > part "Inherit trust from the issuer" seems to be chosen.
> > > > Why do I see this warning message? I wonder if there is
> > > > anything wrong with the CDP points, but it also seems ok,
> > > > clients can query the CRL using HTTP. I think, I
> > > > shouldn't have to select "Explicitly trust this
> > > > certificate" for each certificate. Since I trust my root
> > > > CA, to select "inherit trust from the issuer" is expected
> > > > to work fine.
> > > >
> > > > Are there also any special procedures in publishing the CRL using an ISA2K
> > > > server?
> > > > The reason I asked this is because I will be issuing email certificates to
> > > > users outside our win2k domain.
> > > >
> > > > ANY comments & feedback will be greatly appreciated.
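The whole thread turns on one client-side decision: before trusting a signing certificate, the mail client fetches the CRL from the CDP and reports "unavailable or expired" if the download fails or the CRL's nextUpdate has passed, which is why a manually imported CRL only silences the warning until it goes stale. The following is an added example, not code from this thread or from Microsoft or Thawte; it is stdlib-only Python that builds a small constructed DER CRL (issuer "Example CA", placeholder all-zero signature, serials chosen here) and then applies the same freshness and membership rules a client applies. Signature verification of the CRL against the issuing CA key is deliberately omitted, since the sample signature is a placeholder; a real client must perform it.

```python
"""Added example: how a client decides a CRL is unavailable, expired, or usable.

Stdlib only. The sample CRL is constructed in memory with a tiny DER encoder;
its signature is a placeholder, so no signature check is performed here.
"""
import datetime as dt

UTC = dt.timezone.utc

# ---- minimal DER encoder, used only to build the constructed sample CRL ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # one spare byte keeps the sign bit clear for non-negative n (DER INTEGER is signed)
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def utctime(t):
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # OID 1.2.840.113549.1.1.11
NULL = tlv(0x05, b"")
# issuer Name: SEQUENCE { SET { SEQUENCE { commonName (2.5.4.3), UTF8String } } }
ISSUER = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"Example CA"))))

def build_crl(this_update, next_update, revoked_serials):
    """Return a DER CertificateList for the constructed 'Example CA' (placeholder signature)."""
    entries = seq(*[seq(integer(s), utctime(this_update)) for s in revoked_serials])
    tbs = seq(integer(1), seq(SHA256_RSA, NULL), ISSUER,
              utctime(this_update), utctime(next_update),
              entries if revoked_serials else b"")
    return seq(tbs, seq(SHA256_RSA, NULL), tlv(0x03, b"\x00" * 33))  # BIT STRING placeholder

# ---- minimal DER decoder: enough to read the fields a CRL check needs ----
def der_read(buf, pos=0):
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        out.append((tag, value))
    return out

def parse_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)

def parse_crl(der):
    """Extract thisUpdate, nextUpdate and the revoked serial numbers from a DER CRL."""
    _, cert_list, _ = der_read(der)
    _, tbs = der_children(cert_list)[0]
    fields = der_children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0    # optional version INTEGER
    i += 2                                  # skip signature AlgorithmIdentifier and issuer
    this_update = parse_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = parse_time(*fields[i]); i += 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:
        for _, entry in der_children(fields[i][1]):
            _, serial = der_children(entry)[0]
            revoked.add(int.from_bytes(serial, "big", signed=True))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def crl_status(crl_der, serial, now):
    """Outcome for `serial`: the two warning conditions from the thread come first."""
    if crl_der is None:
        return "unavailable"                # CDP unreachable or download timed out
    crl = parse_crl(crl_der)
    if now < crl["this_update"]:
        return "not-yet-valid"
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "expired"                    # an imported copy goes stale exactly this way
    return "revoked" if serial in crl["revoked"] else "good"

if __name__ == "__main__":
    issued = dt.datetime(2002, 12, 27, tzinfo=UTC)
    crl = build_crl(issued, issued + dt.timedelta(days=7), revoked_serials=[0x1234])
    for when in (issued + dt.timedelta(days=1), issued + dt.timedelta(days=30)):
        print(when.date(), crl_status(crl, 0x1234, when), crl_status(crl, 0x1235, when))
```

The seven-day window in the sample is the tradeoff Kelkar's reply describes: a short nextUpdate keeps revocation information fresh but means every client must reach the CDP again soon, so a slow HTTP fetch that times out produces the same warning as a genuinely expired list.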