Re: Stand Alone CA Problem

From: Jeff Qiu (jefffqiu@online.microsoft.com)
Date: 01/08/03


From: jefffqiu@online.microsoft.com (Jeff Qiu)
Date: Wed, 08 Jan 2003 02:22:03 GMT


Hi Scott,

You may send e-mail to the following address to report the issue:

feedback@microsoft.com

Regards,

Jeff Qiu
jefffqiu@online.microsoft.com
Online Support Professional
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
>Subject: Re: Stand Alone CA Problem
>Date: Tue, 7 Jan 2003 11:24:15 -0800
>microsoft.public.win2000.security
>
>I searched high and low, but everything I saw was for paid support. Since
>this issue is repeatable, duplicatable and not working as feature
>designed...please forward me a link to submit a bug to the group at
>Microsoft responsible for the digital signature area instead. At minimum I
>will expect a Knowledge Base article claiming that the feature does not
>work...
>
>"Jeff Qiu" <jefffqiu@online.microsoft.com> wrote in message
>news:qIq6voVtCHA.3284@cpmsftngxa06...
>> Hi Scott,
>>
>> Due to the complexity of this issue, we are unable to assist with this
>> request in the newsgroups as the Partner Support newsgroups are geared
>> towards break-fix scenarios.
>>
>> For further assistance on this issue, please contact Microsoft Product
>> Support Services by telephone so that a dedicated Support Professional can
>> assist you further with your request.
>>
>> To obtain the phone numbers for a specific technology request, please take a
>> look at the web site listed below.
>>
>>
>> http://support.microsoft.com/default.aspx?scid=%2fdefault.aspx%3fscid%3dsz%3ben-us%3btop
>>
>> Regards,
>>
>> Jeff Qiu
>> jefffqiu@online.microsoft.com
>> Online Support Professional
>> Microsoft Corporation
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> --------------------
>> >From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
>> >References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06> <OXxBz7CsCHA.2448@TK2MSFTNGP09> <Yzj$vSKsCHA.2580@cpmsftngxa09>
>> >Subject: Re: Stand Alone CA Problem
>> >Date: Thu, 2 Jan 2003 12:42:38 -0800
>> >microsoft.public.win2000.security
>> >
>> >Using:
>> >Microsoft Windows 2000 Server 5.00.2195 Service Pack 3
>> >Microsoft Outlook 2002 (10.4608.42190) SP-2
>> >Microsoft Internet Explorer 6 Version 6.0.2880.1106 Update Versions: ;SP1; Q328970; Q324929;
>> >
>> >with all known patches and updates applied to date...
>> >
>> >
>> >"Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
>> >news:Yzj$vSKsCHA.2580@cpmsftngxa09...
>> >> Hi Scott,
>> >>
>> >> Please let me know if you are using Internet Explorer 5. If so, I suggest
>> >> you download the Internet Explorer 5.5 SP2. Please visit this web site:
>> >> http://wwww.microsoft.com/windows/ie
>> >>
>> >> Tyler Li
>> >>
>> >> tylerli@online.microsoft.com
>> >> Online Support Professional
>> >> Microsoft Corporation
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no rights.
>> >> --------------------
>> >> From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
>> >> References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06>
>> >> Subject: Re: Stand Alone CA Problem
>> >> Date: Mon, 30 Dec 2002 10:14:19 -0800
>> >> Lines: 210
>> >> X-Priority: 3
>> >> X-MSMail-Priority: Normal
>> >> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>> >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>> >> Message-ID: <OXxBz7CsCHA.2448@TK2MSFTNGP09>
>> >> Newsgroups: microsoft.public.win2000.security
>> >> NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
>> >> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
>> >> Xref: cpmsftngxa09 microsoft.public.win2000.security:1781
>> >> X-Tomcat-NG: microsoft.public.win2000.security
>> >>
>> >> Sorry, but I DO want the certificate to be checked against a CRL. This
>> >> command you referenced is undesirable.
>> >>
>> >> The CRL is available in my Certificate Revocation List in the "Certificates"
>> >> Microsoft Management Console snap-in. The list is not corrupted. So without
>> >> disabling checking, how does one get the certificate revocation list
>> >> operational within Microsoft mail clients...Outlook 2000, Outlook 2002 and
>> >> Outlook Express with all the latest updates and patches?
>> >>
>> >> If you don't understand what I mean I will be happy to send you an email
>> >> with my digital signature. Send me an email requesting it, then view the
>> >> certificate you see in your browser...with the security checking features
>> >> on...without trusting the intermediary certificate explicitly...and having
>> >> the root CA of the certificate a trusted CA...I have opened up a support
>> >> ticket with Thawte and verified with them as well as my colleagues that the
>> >> problem is repeatable.
>> >>
>> >> My certificate is attached as "scott.schreckengaust@aspentech.com.cer".
>> >> The root CA for my certificate can be downloaded at
>> >> <http://www.thawte.com/html/SUPPORT/keygen/persfree.crt>. The CRL for the
>> >> signing certificate can be downloaded at
>> >> <https://www.thawte.com/cgi/lifecylcle/roots.exe>
>> >>
>> >> The exact warning message is between the carets ("^")
>> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> >> Warning:
>> >> The Certificate Revocation List needed to verify the signing certificate is
>> >> either unavailable or it has expired.
>> >> Signed by scott.schreckengaust@aspentech.com using RSA/SHA1 at 8:37:43
>> >> 11/20/2002.
>> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> >>
>> >> Additionally, the Microsoft support website at http://support.microsoft.com/
>> >> only has information on how to disable the warning by not checking the CRL
>> >> from keyword searches using the above warning messages.
>> >>
>> >> Anybody know how to remedy the situation?
>> >>
>> >> Thank you,
>> >>
>> >> Scott Schreckengaust
>> >>
>> >>
>> >>
>> >> "Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
>> >> news:#PDdty9rCHA.1872@cpmsftngxa06...
>> >> > Hi,
>> >> > This error occurs because the certificate is being checked against a CRL
>> >> > (certificate revocation list). That CRL cannot be found, is corrupted, or
>> >> > is unavailable. The certificate itself may be valid, but since it is unable
>> >> > to get a verified response from the CRL, the certificate appears to be
>> >> > invalid.
>> >> > The command listed below tells the machine not to check against the CRL,
>> >> > thus avoiding the warning message altogether.
>> >> > http://support.microsoft.com/default.aspx?scid=KB;en-us;q249780
>> >> >
>> >> >
>> >> > Tyler Li
>> >> >
>> >> > tylerli@online.microsoft.com
>> >> > Online Support Professional
>> >> > Microsoft Corporation
>> >> >
>> >> > This posting is provided "AS IS" with no warranties, and confers no rights.
>> >> > --------------------
>> >> > From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
>> >> > Subject: Re: Stand Alone CA Problem
>> >> > Date: Fri, 27 Dec 2002 14:34:50 -0800
>> >> > Lines: 93
>> >> > X-Priority: 3
>> >> > X-MSMail-Priority: Normal
>> >> > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>> >> > Message-ID: <OlR4TffrCHA.2488@TK2MSFTNGP12>
>> >> > Newsgroups: microsoft.public.win2000.security
>> >> > NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
>> >> > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP12
>> >> > Xref: cpmsftngxa06 microsoft.public.win2000.security:1687
>> >> > X-Tomcat-NG: microsoft.public.win2000.security
>> >> >
>> >> > This temporary fix for me does not even work. Where is the documentation
>> >> > referenced below?
>> >> >
>> >> > I downloaded the CRL at https://www.thawte.com/cgi/lifecycle/roots.exe that
>> >> > includes the "Personal Freemail RSA 2000.8.30" revocation list and installed
>> >> > it into my certificate store, but still shows up with the same "Warning: The
>> >> > Certificate Revocation List needed to verify the signing certificate is
>> >> > either unavailable or it has expired."
>> >> >
>> >> > The signing certificate of the certificate with the warning is "Personal
>> >> > Freemail RSA 2000.8.30" signed by "Thawte Personal Freemail CA" (which is in
>> >> > my "Trusted Root Certificate Authorities"). I agree that one should not
>> >> > have to change the "Inherit Trust from Issuer" to "Explicitly Trust this
>> >> > Certificate" if the root in the chain is a trusted CA...
>> >> >
>> >> > I have signed this message with my certificate for you to look at...
>> >> >
>> >> > -----Original Message-----
>> >> >
>> >> >
>> >> >
>> >> > --------------------------------------------------------------------------------
>> >> >
>> >> > a.. Subject: Re: Stand Alone CA Problem
>> >> > b.. From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
>> >> > c.. Date: Mon, 12 Aug 2002 08:40:51 -0700
>> >> > d.. Bcc:
>> >> > e.. In-reply-to: <emAQnoOPCHA.2416@tkmsftngp09>
>> >> > <ewS9g4FQCHA.2524@tkmsftngp11>
>> >> > f.. Newsgroups: microsoft.public.win2000.security
>> >> > g.. Xref: news.uni-stuttgart.de microsoft.public.win2000.security:8819
>> >> >
>> >> >
>> >> > --------------------------------------------------------------------------------
>> >> >
>> >> > This is almost always caused by network latency. OutlookXP cannot download
>> >> > the CRL from the CDP fast enough and times out.
>> >> >
>> >> > Unless the CRL is valid for a very long time (which is normally a bad
>> >> > security decision), your fix below is temporary. As soon as the CRL expires,
>> >> > this behavior will reappear. If you use LDAP URLs instead of HTTP, the
>> >> > download is usually many times faster. There are also a few settings
>> >> > available around CRL download behavior and you should find all the details
>> >> > in the documentation.
>> >> >
>> >> > --
>> >> > Shreeniwas Kelkar,
>> >> > Microsoft Corp.
>> >> >
>> >> > This posting is provided "AS IS" with no warranties, and confers no rights.
>> >> > Use of any included samples is subject to the terms specified at
>> >> > http://www.microsoft.com/info/cpyright.htm
>> >> > --
>> >> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
>> >> > news:ewS9g4FQCHA.2524@tkmsftngp11...
>> >> > > To solve this problem, I downloaded the Certificate Revocation List of my CA
>> >> > > and imported it in my certificate store.
>> >> > >
>> >> > > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
>> >> > > news:emAQnoOPCHA.2416@tkmsftngp09...
>> >> > > > I installed a Standalone CA for my 70++-users win2000
>> >> > > > local area network without any hitch. Users use OutlookXP
>> >> > > > as mail client. Mail encryption and signing works well.
>> >> > > > However when I open security properties of an
>> >> > > > encrypted&signed mail, I see a warning message "The
>> >> > > > Certificate Revocation List needed to verify the signing
>> >> > > > certificate is either unavailable or it has expired."
>> >> > > > Besides, for the signing certificate message it says "This
>> >> > > > certificate is OK!" under the root CA. In the Edit Trust
>> >> > > > part "Inherit trust from the issuer" seems to be chosen.
>> >> > > > Why do I see this warning message? I wonder if there is
>> >> > > > anything wrong with the CDP points, but it also seems ok,
>> >> > > > clients can query the CRL using HTTP. I think I
>> >> > > > shouldn't have to select "Explicitly trust this
>> >> > > > certificate" for each certificate. Since I trust my root
>> >> > > > CA, to select "inherit trust from the issuer" is expected
>> >> > > > to work fine.
>> >> > > >
>> >> > > > Are there also any special procedures in publishing the CRL using an ISA2K
>> >> > > > server?
>> >> > > > The reason I asked this is because I will be issuing email certificates to
>> >> > > > users outside our win2k domain.
>> >> > > >
>> >> > > > ANY comments & feedback will be greatly appreciated.
>> >> > > >
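The thread above names two distinct causes for Outlook's "CRL unavailable or expired" warning: Kelkar's point that the client cannot download the CRL from the CDP in time, and Scott's case where a CRL is present but the check still fails. The following PowerShell script is an added example, not code from any poster; it reproduces the client's revocation check for one certificate file with .NET's X509Chain and separates those two outcomes. It assumes Windows PowerShell 5.1 or later, and the `CertPath` parameter name is the script's own.

```powershell
# Added example (not from the thread): rebuild a certificate's chain with online
# revocation checking and report why the CRL check failed, if it did.
# Assumes Windows PowerShell 5.1+ (for 'using namespace' and ::new()).
using namespace System.Security.Cryptography.X509Certificates

param([Parameter(Mandatory = $true)][string]$CertPath)   # DER or PEM .cer file

$cert = [X509Certificate2]::new($CertPath)

# 1. The CDP extension (OID 2.5.29.31) is where the client will try to fetch the CRL.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CRL Distribution Points:`n" + $cdp.Format($true) }
else      { "No CDP extension: the client has no URL from which to fetch a CRL." }

# 2. Build the chain the way a mail client does: online revocation for every
#    certificate, with a short fetch timeout so a slow CDP fails visibly.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($cert)
"Chain valid with revocation checking: $built"

# 3. Show which certificate in the chain produced which status.
foreach ($element in $chain.ChainElements) {
    "  " + $element.Certificate.Subject
    foreach ($s in $element.ChainElementStatus) {
        "     -> {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

# 4. Collapse all status flags into one bitmask and map the revocation-related
#    bits onto the two failure causes discussed in the thread.
$flags = 0
foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
function Test-Flag([int]$Set, [X509ChainStatusFlags]$Flag) { ($Set -band [int]$Flag) -ne 0 }

if (Test-Flag $flags ([X509ChainStatusFlags]::OfflineRevocation)) {
    "CRL could not be downloaded from the CDP (network, proxy or timeout problem)."
} elseif (Test-Flag $flags ([X509ChainStatusFlags]::RevocationStatusUnknown)) {
    "A CRL was obtained but could not be used, e.g. its NextUpdate has passed or it was not issued by the signing CA."
} elseif (Test-Flag $flags ([X509ChainStatusFlags]::Revoked)) {
    "The certificate is listed as revoked."
} else {
    "Revocation status was determined without error."
}
```

Run it against the exported signer certificate on the machine that shows the warning, since the result depends on that machine's network path to the CDP and on the CRLs already in its store.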
