Re: Stand Alone CA Problem
From: Scott Schreckengaust (scott.schreckengaust@aspentech.com)
Date: 01/07/03
- Next message: Brandon: "Sharing Folders with Windows 2000"
- Previous message: Mike Klick: "Is terminal server secure?"
- In reply to: Jeff Qiu: "Re: Stand Alone CA Problem"
- Next in thread: Jeff Qiu: "Re: Stand Alone CA Problem"
- Reply: Jeff Qiu: "Re: Stand Alone CA Problem"
- Reply: Jennifer Lesher [MSFT]: "Re: Stand Alone CA Problem"
From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com> Date: Tue, 7 Jan 2003 11:24:15 -0800
I searched high and low, but everything I saw was for paid support. Since
this issue is repeatable, duplicatable and not working as feature
designed...please forward me a link to submit a bug to the group at
Microsoft responsible for the digital signature area instead. At minimum I
will expect a Knowledge Base article claiming that the feature does not
work...
"Jeff Qiu" <jefffqiu@online.microsoft.com> wrote in message
news:qIq6voVtCHA.3284@cpmsftngxa06...
> HI Scott,
>
> Due to the complexity of this issue, we are unable to assist with this
> request in the newsgroups as the Partner Support newsgroups are geared
> towards break-fix scenarios.
>
> For further assistance on this issue, please contact Microsoft Product
> Support Services by telephone so that a dedicated Support Professional can
> assist you further with your request.
>
> To obtain the phone numbers for specific technology request please take a
> look at the web site listed below.
>
>
> http://support.microsoft.com/default.aspx?scid=%2fdefault.aspx%3fscid%3dsz%3ben-us%3btop
>
> Regards,
>
> Jeff Qiu
> jefffqiu@online.microsoft.com
> Online Support Professional
> Microsoft Corporation
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> >From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> >References: <OlR4TffrCHA.2488@TK2MSFTNGP12>
> <#PDdty9rCHA.1872@cpmsftngxa06> <OXxBz7CsCHA.2448@TK2MSFTNGP09>
> <Yzj$vSKsCHA.2580@cpmsftngxa09>
> >Subject: Re: Stand Alone CA Problem
> >Date: Thu, 2 Jan 2003 12:42:38 -0800
> >microsoft.public.win2000.security
> >
> >Using:
> >Microsoft Windows 2000 Server 5.00.2195 Service Pack 3
> >Microsoft Outlook 2002 (10.4608.42190) SP-2
> >Microsoft Internet Explorer 6 Version 6.0.2880.1106 Update Versions: ;SP1;
> >Q328970; Q324929;
> >
> >with all known patches and updates applied to date...
> >
> >
> >"Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
> >news:Yzj$vSKsCHA.2580@cpmsftngxa09...
> >> Hi Scott,
> >>
> >> Please let me know if you are using Internet Explorer 5. If so, I suggest
> >> you download the Internet Explorer 5.5 SP2. Please visit this web site:
> >> http://wwww.microsoft.com/windows/ie
> >>
> >> Tyler Li
> >>
> >> tylerli@online.microsoft.com
> >> Online Support Professional
> >> Microsoft Corporation
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >> --------------------
> >> From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> >> References: <OlR4TffrCHA.2488@TK2MSFTNGP12>
> >> <#PDdty9rCHA.1872@cpmsftngxa06>
> >> Subject: Re: Stand Alone CA Problem
> >> Date: Mon, 30 Dec 2002 10:14:19 -0800
> >> Lines: 210
> >> X-Priority: 3
> >> X-MSMail-Priority: Normal
> >> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >> Message-ID: <OXxBz7CsCHA.2448@TK2MSFTNGP09>
> >> Newsgroups: microsoft.public.win2000.security
> >> NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
> >> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
> >> Xref: cpmsftngxa09 microsoft.public.win2000.security:1781
> >> X-Tomcat-NG: microsoft.public.win2000.security
> >>
> >> Sorry, but I DO want the certificate to be checked against a CRL. This
> >> command you referenced is undesirable.
> >>
> >> The CRL is available in my Certificate Revocation List in the
> >> "Certificates" Microsoft Management Console snap-in. The list is not
> >> corrupted. So without disabling checking, how does one get the
> >> certificate revocation list operational within Microsoft mail
> >> clients...Outlook 2000, Outlook 2002 and Outlook Express with all the
> >> latest updates and patches?
> >>
> >> If you don't understand what I mean I will be happy to send you an email
> >> with my digital signature. Send me an email requesting it, then view the
> >> certificate you see in your browser...with the security checking features
> >> on...without trusting the intermediary certificate explicitly...and having
> >> the root CA of the certificate a trusted CA...I have opened up a support
> >> ticket with Thawte and verified with them as well as my colleagues that
> >> the problem is repeatable.
> >>
> >> My certificate is attached as "scott.schreckengaust@aspentech.com.cer".
> >> The root CA for my certificate can be downloaded at
> >> <http://www.thawte.com/html/SUPPORT/keygen/persfree.crt>. The CRL for the
> >> signing certificate can be downloaded at
> >> <https://www.thawte.com/cgi/lifecylcle/roots.exe>
> >>
> >> The exact warning message is between the carets ("^")
> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> Warning:
> >> The Certificate Revocation List needed to verify the signing certificate
> >> is either unavailable or it has expired.
> >> Signed by scott.schreckengaust@aspentech.com using RSA/SHA1 at 8:37:43
> >> 11/20/2002.
> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>
> >> Additionally, the Microsoft support website at
> >> http://support.microsoft.com/ only has information on how to disable the
> >> warning by not checking the CRL from keyword searches using the above
> >> warning messages.
> >>
> >> Anybody know how to remedy the situation?
> >>
> >> Thank you,
> >>
> >> Scott Schreckengaust
> >>
> >>
> >>
> >> "Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
> >> news:#PDdty9rCHA.1872@cpmsftngxa06...
> >> > Hi,
> >> > This error occurs because the certificate is being checked against a
> >> > CRL (certificate revocation list). That CRL cannot be found, is
> >> > corrupted, or is unavailable. The certificate itself may be valid, but
> >> > since it is unable to get a verified response from the CRL, the
> >> > certificate appears to be invalid.
> >> > The command listed below tells the machine not to check against the
> >> > CRL, thus avoiding the warning message altogether.
> >> > http://support.microsoft.com/default.aspx?scid=KB;en-us;q249780
> >> >
> >> >
> >> > Tyler Li
> >> >
> >> > tylerli@online.microsoft.com
> >> > Online Support Professional
> >> > Microsoft Corporation
> >> >
> >> > This posting is provided "AS IS" with no warranties, and confers no
> >> > rights.
> >> > --------------------
> >> > From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> >> > Subject: Re: Stand Alone CA Problem
> >> > Date: Fri, 27 Dec 2002 14:34:50 -0800
> >> > Lines: 93
> >> > X-Priority: 3
> >> > X-MSMail-Priority: Normal
> >> > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >> > Message-ID: <OlR4TffrCHA.2488@TK2MSFTNGP12>
> >> > Newsgroups: microsoft.public.win2000.security
> >> > NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
> >> > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP12
> >> > Xref: cpmsftngxa06 microsoft.public.win2000.security:1687
> >> > X-Tomcat-NG: microsoft.public.win2000.security
> >> >
> >> > This temporary fix for me does not even work. Where is the
> >> > documentation referenced below?
> >> >
> >> > I downloaded the CRL at https://www.thawte.com/cgi/lifecycle/roots.exe
> >> > that includes the "Personal Freemail RSA 2000.8.30" revocation list and
> >> > installed it into my certificate store, but still shows up with the
> >> > same "Warning: The Certificate Revocation List needed to verify the
> >> > signing certificate is either unavailable or it has expired."
> >> >
> >> > The signing certificate of the certificate with the warning is
> >> > "Personal Freemail RSA 2000.8.30" signed by "Thawte Personal Freemail
> >> > CA" (which is in my "Trusted Root Certificate Authorities"). I agree
> >> > that one should not have to change the "Inherit Trust from Issuer" to
> >> > "Explicitly Trust this Certificate" if the root in the chain is a
> >> > trusted CA...
> >> >
> >> > I have signed this message with my certificate for you to look at...
> >> >
> >> > -----Original Message-----
> >> >
> >> >
> >>
> >> > --------------------------------------------------------------------------------
> >> >
> >> > Subject: Re: Stand Alone CA Problem
> >> > From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
> >> > Date: Mon, 12 Aug 2002 08:40:51 -0700
> >> > Bcc:
> >> > In-reply-to: <emAQnoOPCHA.2416@tkmsftngp09> <ewS9g4FQCHA.2524@tkmsftngp11>
> >> > Newsgroups: microsoft.public.win2000.security
> >> > Xref: news.uni-stuttgart.de microsoft.public.win2000.security:8819
> >> >
> >>
> >> > --------------------------------------------------------------------------------
> >> >
> >> > This is almost always caused by network latency. OutlookXP cannot
> >> > download the CRL from the CDP fast enough and times out.
> >> >
> >> > Unless the CRL is valid for a very long time (which is normally a bad
> >> > security decision), your fix below is temporary. As soon as the CRL
> >> > expires, this behavior will reappear. If you use LDAP URLs instead of
> >> > HTTP, the download is usually many times faster. There are also a few
> >> > settings available around CRL download behavior and you should find
> >> > all the details in the documentation.
> >> >
> >> > --
> >> > Shreeniwas Kelkar,
> >> > Microsoft Corp.
> >> >
> >> > This posting is provided "AS IS" with no warranties, and confers no
> >> > rights.
> >> > Use of any included samples is subject to the terms specified at
> >> > http://www.microsoft.com/info/cpyright.htm
> >> > --
> >> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> >> > news:ewS9g4FQCHA.2524@tkmsftngp11...
> >> > > To solve this problem, I downloaded the Certificate Revocation List
> >> > > of my CA and imported it in my certificate store.
> >> > >
> >> > > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> >> > > news:emAQnoOPCHA.2416@tkmsftngp09...
> >> > > > I installed a Standalone CA for my 70++-users win2000
> >> > > > local area network without any hitch. Users use OutlookXP
> >> > > > as mail client. Mail encryption and signing works well.
> >> > > > However when I open security properties of an
> >> > > > encrypted&signed mail, I see a warning message "The
> >> > > > Certificate Revocation List needed to verify the signing
> >> > > > certificate is either unavailable or it has expired."
> >> > > > Besides, for the signing certificate message it says "This
> >> > > > certificate is OK!" under the root CA. In the Edit Trust
> >> > > > part "Inherit trust from the issuer" seems to be chosen.
> >> > > > Why do I see this warning message? I wonder is there
> >> > > > anything wrong with the CDP points, but it also seems ok,
> >> > > > clients can query the CRL using HTTP. I think, I
> >> > > > shouldn't have to select "Explicitly trust this
> >> > > > certificate" for each certificate. Since I trust my root
> >> > > > CA, to select "inherit trust from the issuer" is expected
> >> > > > to work fine.
> >> > > >
> >> > > > Are there also any special procedures in publishing the CRL using
> >> > > > an ISA2K server?
> >> > > > The reason I asked this is because I will be issuing email
> >> > > > certificates to users outside our win2k domain.
> >> > > >
> >> > > > ANY comments&feedbacks will be greatly appreciated .
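The three explanations offered in this thread (the CRL cannot be fetched or has expired, the CDP download is too slow and times out, HTTP versus LDAP distribution points) can all be checked from the client side. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the signing certificate has been exported to a .cer file (the path is a placeholder) and uses the .NET X509Chain engine that Windows mail clients rely on.

```powershell
function Test-SigningCertRevocation {
    param([Parameter(Mandatory=$true)][string]$CerPath, [int]$TimeoutSec = 15)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # 1. Build the chain the way a mail client does: fetch CRLs online for every
    #    certificate in the chain, with a bounded download timeout.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSec)
    $chainValid = $chain.Build($cert)

    $result = [ordered]@{ ChainValid = $chainValid; Status = @(); Cdp = @() }
    foreach ($s in $chain.ChainStatus) {
        # RevocationStatusUnknown / OfflineRevocation are the chain engine's
        # counterparts of Outlook's "CRL ... unavailable or it has expired" warning.
        $result.Status += "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
    }

    # 2. List the CRL Distribution Point URLs (OID 2.5.29.31) of each chain element
    #    and time a direct download; a slow or failing fetch supports the latency theory.
    foreach ($el in $chain.ChainElements) {
        $ext = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $ext) { continue }    # a root CA usually carries no CDP
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $url = $m.Groups[1].Value
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # WebClient handles http/https; ldap:// CDPs fail here and are reported as such
                $bytes = (New-Object System.Net.WebClient).DownloadData($url)
                $note = "{0} bytes in {1} ms" -f $bytes.Length, $sw.ElapsedMilliseconds
            } catch {
                $note = "download failed: " + $_.Exception.Message
            }
            $result.Cdp += "{0} -> {1} ({2})" -f $el.Certificate.Subject, $url, $note
        }
    }
    [pscustomobject]$result
}

# Placeholder path; export the signing certificate from the signed mail first.
Test-SigningCertRevocation -CerPath 'C:\temp\signer.cer' | Format-List
```

Compare the output with `certutil -verify -urlfetch signer.cer` on the same machine; both exercise the same CryptoAPI chain engine, and a CDP that downloads slowly or not at all is the condition Shreeniwas Kelkar describes above.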