Re: Stand Alone CA Problem

From: Jennifer Lesher [MSFT] (jennle@online.microsoft.com)
Date: 01/21/03



Hello Scott,

I apologize for the delay in providing this link, but I had to do some
research to verify that it was the appropriate channel.

Please go to
http://support.microsoft.com/default.aspx?scid=fh;en-us;feedback,
Click on Send Feedback.

This is what everything on MS.com points to for reporting bugs.
 
Please let me know if this solves your problem or if you would like further
assistance.

I look forward to hearing from you.

Sincerely,

Jennifer Lesher
MCSE/MCDBA
Microsoft Online Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! - www.microsoft.com/security

| I searched high and low, but everything I saw was for paid support. Since
| this issue is repeatable, duplicatable and not working as feature
| designed...please forward me a link to submit a bug to the group at
| Microsoft responsible for the digital signature area instead. At minimum I
| will expect a Knowledge Base article claiming that the feature does not
| work...
|
| "Jeff Qiu" <jefffqiu@online.microsoft.com> wrote in message
| news:qIq6voVtCHA.3284@cpmsftngxa06...
| > HI Scott,
| >
| > Due to the complexity of this issue, we are unable to assist with this
| > request in the newsgroups as the Partner Support newsgroups are geared
| > towards break-fix scenarios.
| >
| > For further assistance on this issue, please contact Microsoft Product
| > Support Services by telephone so that a dedicated Support Professional can
| > assist you further with your request.
| >
| > To obtain the phone numbers for specific technology requests please take a
| > look at the web site listed below.
| >
| > http://support.microsoft.com/default.aspx?scid=%2fdefault.aspx%3fscid%3dsz%3ben-us%3btop
| >
| > Regards,
| >
| > Jeff Qiu
| > jefffqiu@online.microsoft.com
| > Online Support Professional
| > Microsoft Corporation
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| > --------------------
| > >From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
| > >References: <OlR4TffrCHA.2488@TK2MSFTNGP12>
| > <#PDdty9rCHA.1872@cpmsftngxa06> <OXxBz7CsCHA.2448@TK2MSFTNGP09>
| > <Yzj$vSKsCHA.2580@cpmsftngxa09>
| > >Subject: Re: Stand Alone CA Problem
| > >Date: Thu, 2 Jan 2003 12:42:38 -0800
| > >microsoft.public.win2000.security
| > >
| > >Using:
| > >Microsoft Windows 2000 Server 5.00.2195 Service Pack 3
| > >Microsoft Outlook 2002 (10.4608.42190) SP-2
| > >Microsoft Internet Explorer 6 Version 6.0.2880.1106 Update Versions: ;SP1;
| > >Q328970; Q324929;
| > >
| > >with all known patches and updates applied to date...
| > >
| > >
| > >"Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
| > >news:Yzj$vSKsCHA.2580@cpmsftngxa09...
| > >> Hi Scott,
| > >>
| > >> Please let me know if you are using Internet Explorer 5. If so, I suggest
| > >> you download the Internet Explorer 5.5 SP2. Please visit this web site:
| > >> http://wwww.microsoft.com/windows/ie
| > >>
| > >> Tyler Li
| > >>
| > >> tylerli@online.microsoft.com
| > >> Online Support Professional
| > >> Microsoft Corporation
| > >>
| > >> This posting is provided "AS IS" with no warranties, and confers no
| > >> rights.
| > >> --------------------
| > >> From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
| > >> References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06>
| > >> Subject: Re: Stand Alone CA Problem
| > >> Date: Mon, 30 Dec 2002 10:14:19 -0800
| > >> Lines: 210
| > >> X-Priority: 3
| > >> X-MSMail-Priority: Normal
| > >> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
| > >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
| > >> Message-ID: <OXxBz7CsCHA.2448@TK2MSFTNGP09>
| > >> Newsgroups: microsoft.public.win2000.security
| > >> NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
| > >> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
| > >> Xref: cpmsftngxa09 microsoft.public.win2000.security:1781
| > >> X-Tomcat-NG: microsoft.public.win2000.security
| > >>
| > >> Sorry, but I DO want the certificate to be checked against a CRL. This
| > >> command you referenced is undesirable.
| > >>
| > >> The CRL is available in my Certificate Revocation List in the
| > >> "Certificates" Microsoft Management Console snap-in. The list is not
| > >> corrupted. So without disabling checking, how does one get the
| > >> certificate revocation list operational within Microsoft mail
| > >> clients...Outlook 2000, Outlook 2002 and Outlook Express with all the
| > >> latest updates and patches?
| > >>
| > >> If you don't understand what I mean I will be happy to send you an email
| > >> with my digital signature. Send me an email requesting it, then view the
| > >> certificate you see in your browser...with the security checking features
| > >> on...without trusting the intermediary certificate explicitly...and having
| > >> the root CA of the certificate a trusted CA...I have opened up a support
| > >> ticket with Thawte and verified with them as well as my colleagues that the
| > >> problem is repeatable.
| > >>
| > >> My certificate is attached as "scott.schreckengaust@aspentech.com.cer".
| > >> The root CA for my certificate can be downloaded at
| > >> <http://www.thawte.com/html/SUPPORT/keygen/persfree.crt>. The CRL for the
| > >> signing certificate can be downloaded at
| > >> <https://www.thawte.com/cgi/lifecylcle/roots.exe>
| > >>
| > >> The exact warning message is between the carets ("^")
| > >>
| > >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| > >> Warning:
| > >> The Certificate Revocation List needed to verify the signing certificate
| > >> is either unavailable or it has expired.
| > >> Signed by scott.schreckengaust@aspentech.com using RSA/SHA1 at 8:37:43
| > >> 11/20/2002.
| > >>
| > >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| > >>
| > >> Additionally, the Microsoft support website at
| > >> http://support.microsoft.com/ only has information on how to disable the
| > >> warning by not checking the CRL from keyword searches using the above
| > >> warning messages.
| > >>
| > >> Anybody know how to remedy the situation?
| > >>
| > >> Thank you,
| > >>
| > >> Scott Schreckengaust
| > >>
| > >>
| > >>
| > >> "Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
| > >> news:#PDdty9rCHA.1872@cpmsftngxa06...
| > >> > Hi,
| > >> > This error occurs because the certificate is being checked against a
| > >> > CRL (certificate revocation list). That CRL cannot be found, is
| > >> > corrupted, or is unavailable. The certificate itself may be valid, but
| > >> > since it is unable to get a verified response from the CRL, the
| > >> > certificate appears to be invalid.
| > >> > The command listed below tells the machine not to check against the
| > >> > CRL, thus avoiding the warning message altogether.
| > >> > http://support.microsoft.com/default.aspx?scid=KB;en-us;q249780
| > >> >
| > >> >
| > >> > Tyler Li
| > >> >
| > >> > tylerli@online.microsoft.com
| > >> > Online Support Professional
| > >> > Microsoft Corporation
| > >> >
| > >> > This posting is provided "AS IS" with no warranties, and confers no
| > >> > rights.
| > >> > --------------------
| > >> > From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
| > >> > Subject: Re: Stand Alone CA Problem
| > >> > Date: Fri, 27 Dec 2002 14:34:50 -0800
| > >> > Lines: 93
| > >> > X-Priority: 3
| > >> > X-MSMail-Priority: Normal
| > >> > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
| > >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
| > >> > Message-ID: <OlR4TffrCHA.2488@TK2MSFTNGP12>
| > >> > Newsgroups: microsoft.public.win2000.security
| > >> > NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
| > >> > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP12
| > >> > Xref: cpmsftngxa06 microsoft.public.win2000.security:1687
| > >> > X-Tomcat-NG: microsoft.public.win2000.security
| > >> >
| > >> > This temporary fix for me does not even work. Where is the
| > >> > documentation referenced below?
| > >> >
| > >> > I downloaded the CRL at https://www.thawte.com/cgi/lifecycle/roots.exe
| > >> > that includes the "Personal Freemail RSA 2000.8.30" revocation list and
| > >> > installed it into my certificate store, but still shows up with the same
| > >> > "Warning: The Certificate Revocation List needed to verify the signing
| > >> > certificate is either unavailable or it has expired."
| > >> >
| > >> > The signing certificate of the certificate with the warning is "Personal
| > >> > Freemail RSA 2000.8.30" signed by "Thawte Personal Freemail CA" (which is
| > >> > in my "Trusted Root Certificate Authorities"). I agree that one should
| > >> > not have to change the "Inherit Trust from Issuer" to "Explicitly Trust
| > >> > this Certificate" if the root in the chain is a trusted CA...
| > >> >
| > >> > I have signed this message with my certificate for you to look at...
| > >> >
| > >> > -----Original Message-----
| > >> >
| > >> >
| > >> >
| > >> > --------------------------------------------------------------------------------
| > >> >
| > >> > a.. Subject: Re: Stand Alone CA Problem
| > >> > b.. From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
| > >> > c.. Date: Mon, 12 Aug 2002 08:40:51 -0700
| > >> > d.. Bcc:
| > >> > e.. In-reply-to: <emAQnoOPCHA.2416@tkmsftngp09>
| > >> > <ewS9g4FQCHA.2524@tkmsftngp11>
| > >> > f.. Newsgroups: microsoft.public.win2000.security
| > >> > g.. Xref: news.uni-stuttgart.de microsoft.public.win2000.security:8819
| > >> >
| > >> > --------------------------------------------------------------------------------
| > >> >
| > >> > This is almost always caused by network latency. OutlookXP cannot
| > >> > download the CRL from the CDP fast enough and times out.
| > >> >
| > >> > Unless the CRL is valid for a very long time (which is normally a bad
| > >> > security decision), your fix below is temporary. As soon as the CRL
| > >> > expires, this behavior will reappear. If you use LDAP URLs instead of
| > >> > HTTP, the download is usually many times faster. There are also a few
| > >> > settings available around CRL download behavior and you should find all
| > >> > the details in the documentation.
| > >> >
| > >> > --
| > >> > Shreeniwas Kelkar,
| > >> > Microsoft Corp.
| > >> >
| > >> > This posting is provided "AS IS" with no warranties, and confers no
| > >> rights.
| > >> > Use of any included samples is subject to the terms specified at
| > >> > http://www.microsoft.com/info/cpyright.htm
| > >> > --
| > >> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
| > >> > news:ewS9g4FQCHA.2524@tkmsftngp11...
| > >> > > To solve this problem, I downloaded the Certificate Revocation List
| > >> > > of my CA and imported it in my certificate store.
| > >> > >
| > >> > > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
| > >> > > news:emAQnoOPCHA.2416@tkmsftngp09...
| > >> > > > I installed a Standalone CA for my 70++-users win2000
| > >> > > > local area network without any hitch. Users use OutlookXP
| > >> > > > as mail client. Mail encryption and signing works well.
| > >> > > > However when I open security properties of an
| > >> > > > encrypted&signed mail, I see a warning message "The
| > >> > > > Certificate Revocation List needed to verify the signing
| > >> > > > certificate is either unavailable or it has expired."
| > >> > > > Besides, for the signing certificate message it says "This
| > >> > > > certificate is OK!" under the root CA. In the Edit Trust
| > >> > > > part "Inherit trust from the issuer" seems to be chosen.
| > >> > > > Why do I see this warning message? I wonder is there
| > >> > > > anything wrong with the CDP points, but it also seems ok,
| > >> > > > clients can query the CRL using HTTP. I think, I
| > >> > > > shouldn't have to select "Explicitly trust this
| > >> > > > certificate" for each certificate. Since I trust my root
| > >> > > > CA, to select "inherit trust from the issuer" is expected
| > >> > > > to work fine.
| > >> > > >
| > >> > > > Are there also any special procedures in publishing the CRL using
| > >> > > > an ISA2K server?
| > >> > > > The reason I asked this is because I will be issuing email
| > >> > > > certificates to users outside our win2k domain.
| > >> > > >
| > >> > > > ANY comments & feedback will be greatly appreciated.
| > >> > > >
| > >> > > >
| > >> > >
| > >> > >
| > >> >
| > >> >
| > >> >
| > >> >
| > >>
| > >>
| > >>
| > >>
| > >
| > >
| > >
| >
|
|
|
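Tyler Li's point that the client cannot get a verified response from the CRL, and Shreeniwas Kelkar's point that the warning returns as soon as the CRL expires, both describe checks a verifier applies to the CRL itself before it can say anything about a certificate. The Go program below is an added example, not code from this thread or from Microsoft or Thawte: it builds a constructed test CA and CRL in memory with the standard library and runs those checks (issuer signature, nextUpdate not yet passed, serial lookup), covering the revoked and clean outcomes as well as the expired one the thread is about. The names checkAgainstCRL, makeTestCRL and "Test Stand Alone CA" are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// checkAgainstCRL does what a mail client does with a fetched CRL: parse, verify the issuer's signature, refuse it once nextUpdate has passed, only then look the serial up.
func checkAgainstCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer) // also enforces the issuer's crlSign key usage
	}
	if err != nil {
		return "", err // corrupt, truncated, or not signed by this issuer
	}
	if now.After(crl.NextUpdate) {
		return "expired", nil // the "unavailable or expired" case: a stale CRL proves nothing
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return "revoked", nil
		}
	}
	return "ok", nil
}

// makeTestCRL builds a throwaway in-memory CA and a CRL issued an hour ago, valid for validFor, listing revokedSerial. Constructed test data only, not any CA from the thread.
func makeTestCRL(validFor time.Duration, revokedSerial int64) ([]byte, *x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issued := time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Stand Alone CA"},
		NotBefore: issued, NotAfter: issued.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issued, NextUpdate: issued.Add(validFor),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: issued}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return crlDER, ca, err
}
func main() { // a CRL whose nextUpdate passed 30 minutes ago reproduces the warning condition
	crlDER, ca, _ := makeTestCRL(30*time.Minute, 42)
	fmt.Println(checkAgainstCRL(crlDER, ca, big.NewInt(42), time.Now()))
}
```

The expired branch is tested before the revoked-serial lookup on purpose: a CRL past its nextUpdate must not be used to clear or condemn anything, which is exactly why the client warns instead of silently reusing the cached copy.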


