Re: Stand Alone CA Problem

From: Jeff Qiu (jefffqiu@online.microsoft.com)
Date: 01/06/03




Hi Scott,

Due to the complexity of this issue, we are unable to assist with this
request in the newsgroups as the Partner Support newsgroups are geared
towards break-fix scenarios.

For further assistance on this issue, please contact Microsoft Product
Support Services by telephone so that a dedicated Support Professional can
assist you further with your request.

To obtain the phone numbers for a specific technology request, please take a
look at the web site listed below.

http://support.microsoft.com/default.aspx?scid=%2fdefault.aspx%3fscid%3dsz%3ben-us%3btop

Regards,

Jeff Qiu
jefffqiu@online.microsoft.com
Online Support Professional
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
>From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
>References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06>
><OXxBz7CsCHA.2448@TK2MSFTNGP09> <Yzj$vSKsCHA.2580@cpmsftngxa09>
>Subject: Re: Stand Alone CA Problem
>Date: Thu, 2 Jan 2003 12:42:38 -0800
>microsoft.public.win2000.security
>
>Using:
>Microsoft Windows 2000 Server 5.00.2195 Service Pack 3
>Microsoft Outlook 2002 (10.4608.42190) SP-2
>Microsoft Internet Explorer 6 Version 6.0.2880.1106 Update Versions: ;SP1;
>Q328970; Q324929;
>
>with all known patches and updates applied to date...
>
>
>"Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
>news:Yzj$vSKsCHA.2580@cpmsftngxa09...
>> Hi Scott,
>>
>> Please let me know if you are using Internet Explorer 5. If so, I suggest
>> you download the Internet Explorer 5.5 SP2. Please visit this web site:
>> http://wwww.microsoft.com/windows/ie
>>
>> Tyler Li
>>
>> tylerli@online.microsoft.com
>> Online Support Professional
>> Microsoft Corporation
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> --------------------
>> From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
>> References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06>
>> Subject: Re: Stand Alone CA Problem
>> Date: Mon, 30 Dec 2002 10:14:19 -0800
>> Lines: 210
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>> Message-ID: <OXxBz7CsCHA.2448@TK2MSFTNGP09>
>> Newsgroups: microsoft.public.win2000.security
>> NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
>> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
>> Xref: cpmsftngxa09 microsoft.public.win2000.security:1781
>> X-Tomcat-NG: microsoft.public.win2000.security
>>
>> Sorry, but I DO want the certificate to be checked against a CRL. This
>> command you referenced is undesirable.
>>
>> The CRL is available in my Certificate Revocation List in the
>> "Certificates" Microsoft Management Console snap-in. The list is not
>> corrupted. So without disabling checking, how does one get the certificate
>> revocation list operational within Microsoft mail clients...Outlook 2000,
>> Outlook 2002 and Outlook Express with all the latest updates and patches?
>>
>> If you don't understand what I mean I will be happy to send you an email
>> with my digital signature. Send me an email requesting it, then view the
>> certificate you see in your browser...with the security checking features
>> on...without trusting the intermediary certificate explicitly...and having
>> the root CA of the certificate a trusted CA...I have opened up a support
>> ticket with Thawte and verified with them as well as my colleagues that the
>> problem is repeatable.
>>
>> My certificate is attached as "scott.schreckengaust@aspentech.com.cer".
>> The root CA for my certificate can be downloaded at
>> <http://www.thawte.com/html/SUPPORT/keygen/persfree.crt>. The CRL for the
>> signing certificate can be downloaded at
>> <https://www.thawte.com/cgi/lifecylcle/roots.exe>
>>
>> The exact warning message is between the carets ("^")
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> Warning:
>> The Certificate Revocation List needed to verify the signing certificate is
>> either unavailable or it has expired.
>> Signed by scott.schreckengaust@aspentech.com using RSA/SHA1 at 8:37:43
>> 11/20/2002.
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> Additionally, the Microsoft support website at http://support.microsoft.com/
>> only has information on how to disable the warning by not checking the CRL
>> from keyword searches using the above warning messages.
>>
>> Anybody know how to remedy the situation?
>>
>> Thank you,
>>
>> Scott Schreckengaust
>>
>>
>>
>> "Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
>> news:#PDdty9rCHA.1872@cpmsftngxa06...
>> > Hi,
>> > This error occurs because the certificate is being checked against a CRL
>> > (certificate revocation list). That CRL cannot be found, is corrupted, or
>> > is unavailable. The certificate itself may be valid, but since it is
>> > unable to get a verified response from the CRL, the certificate appears to
>> > be invalid. The command listed below tells the machine not to check
>> > against the CRL, thus avoiding the warning message altogether.
>> > http://support.microsoft.com/default.aspx?scid=KB;en-us;q249780
>> >
>> >
>> > Tyler Li
>> >
>> > tylerli@online.microsoft.com
>> > Online Support Professional
>> > Microsoft Corporation
>> >
>> > This posting is provided "AS IS" with no warranties, and confers no
>> > rights.
>> > --------------------
>> > From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
>> > Subject: Re: Stand Alone CA Problem
>> > Date: Fri, 27 Dec 2002 14:34:50 -0800
>> > Lines: 93
>> > X-Priority: 3
>> > X-MSMail-Priority: Normal
>> > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>> > Message-ID: <OlR4TffrCHA.2488@TK2MSFTNGP12>
>> > Newsgroups: microsoft.public.win2000.security
>> > NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
>> > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP12
>> > Xref: cpmsftngxa06 microsoft.public.win2000.security:1687
>> > X-Tomcat-NG: microsoft.public.win2000.security
>> >
>> > This temporary fix for me does not even work. Where is the documentation
>> > referenced below?
>> >
>> > I downloaded the CRL at https://www.thawte.com/cgi/lifecycle/roots.exe that
>> > includes the "Personal Freemail RSA 2000.8.30" revocation list and installed
>> > it into my certificate store, but it still shows up with the same "Warning:
>> > The Certificate Revocation List needed to verify the signing certificate is
>> > either unavailable or it has expired."
>> >
>> > The signing certificate of the certificate with the warning is "Personal
>> > Freemail RSA 2000.8.30" signed by "Thawte Personal Freemail CA" (which is
>> > in my "Trusted Root Certificate Authorities"). I agree that one should not
>> > have to change the "Inherit Trust from Issuer" to "Explicitly Trust this
>> > Certificate" if the root in the chain is a trusted CA...
>> >
>> > I have signed this message with my certificate for you to look at...
>> >
>> > -----Original Message-----
>> >
>> > ----------------------------------------------------------------------------
>> >
>> > Subject: Re: Stand Alone CA Problem
>> > From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
>> > Date: Mon, 12 Aug 2002 08:40:51 -0700
>> > Bcc:
>> > In-reply-to: <emAQnoOPCHA.2416@tkmsftngp09> <ewS9g4FQCHA.2524@tkmsftngp11>
>> > Newsgroups: microsoft.public.win2000.security
>> > Xref: news.uni-stuttgart.de microsoft.public.win2000.security:8819
>> >
>> > ----------------------------------------------------------------------------
>> >
>> > This is almost always caused by network latency. OutlookXP cannot download
>> > the CRL from the CDP fast enough and times out.
>> >
>> > Unless the CRL is valid for a very long time (which is normally a bad
>> > security decision), your fix below is temporary. As soon as the CRL expires,
>> > this behavior will reappear. If you use LDAP URLs instead of HTTP, the
>> > download is usually many times faster. There are also a few settings
>> > available around CRL download behavior and you should find all the details
>> > in the documentation.
>> >
>> > --
>> > Shreeniwas Kelkar,
>> > Microsoft Corp.
>> >
>> > This posting is provided "AS IS" with no warranties, and confers no
>> > rights.
>> > Use of any included samples is subject to the terms specified at
>> > http://www.microsoft.com/info/cpyright.htm
>> > --
>> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
>> > news:ewS9g4FQCHA.2524@tkmsftngp11...
>> > > To solve this problem, I downloaded the Certificate Revocation List of
>> > > my CA and imported it in my certificate store.
>> > >
>> > > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
>> > > news:emAQnoOPCHA.2416@tkmsftngp09...
>> > > > I installed a Standalone CA for my 70++-users win2000
>> > > > local area network without any hitch. Users use OutlookXP
>> > > > as mail client. Mail encryption and signing works well.
>> > > > However when I open security properties of an
>> > > > encrypted&signed mail, I see a warning message "The
>> > > > Certificate Revocation List needed to verify the signing
>> > > > certificate is either unavailable or it has expired."
>> > > > Besides, for the signing certificate message it says "This
>> > > > certificate is OK!" under the root CA. In the Edit Trust
>> > > > part "Inherit trust from the issuer" seems to be chosen.
>> > > > Why do I see this warning message? I wonder is there
>> > > > anything wrong with the CDP points, but it also seems ok,
>> > > > clients can query the CRL using HTTP. I think, I
>> > > > shouldn't have to select "Explicitly trust this
>> > > > certificate" for each certificate. Since I trust my root
>> > > > CA, to select "inherit trust from the issuer" is expected
>> > > > to work fine.
>> > > >
>> > > > Are there also any special procedures in publishing the CRL using an
>> > > > ISA2K server?
>> > > > The reason I asked this is because I will be issuing email certificates
>> > > > to users outside our win2k domain.
>> > > >
>> > > > ANY comments and feedback will be greatly appreciated.
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>
>
>
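The mechanism Kelkar describes above (a CRL the client cannot fetch from the CDP in time and a CRL whose validity window has lapsed both end in the same "unavailable or expired" warning) as an added Go example, not code from this thread or from Microsoft: given the issuer certificate and whatever CRL bytes the client managed to download, it returns the same three verdicts and whether a given serial is revoked. It builds its own throwaway CA and CRL so it runs offline; the CA name and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckCRL reproduces the decision behind the Outlook warning: "unavailable" when nothing
// usable came back from the CDP (empty, unparsable, or not signed by the issuer), "expired"
// once NextUpdate has passed, otherwise "fresh" together with whether serial is on the list.
func CheckCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (string, bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "unavailable", false, err // an empty or truncated download lands here
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "unavailable", false, err // a CRL the issuer did not sign is as good as none
	}
	if now.After(crl.NextUpdate) {
		return "expired", false, nil // same bytes as before, but the validity window has closed
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return "fresh", true, nil
		}
	}
	return "fresh", false, nil
}

// BuildTestCAAndCRL makes a throwaway CA and a CRL, valid for validFor, that lists one revoked
// serial. Constructed test data so the check runs offline; no real CA material is used.
func BuildTestCAAndCRL(validFor time.Duration, revoked *big.Int) (*x509.Certificate, []byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the CSPRNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Freemail CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(der) // DER produced a line above, so it parses
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(validFor),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: time.Now()}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, key)
	return ca, crlDER, err
}
```

Calling CheckCRL with the same CRL bytes but a clock past NextUpdate is exactly the "temporary fix" failure mode Kelkar predicts: nothing changed on disk, the verdict flips from "fresh" to "expired".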


