Re: Stand Alone CA Problem

From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
Date: Tue, 21 Jan 2003 09:48:41 -0800


Thank you for your posting. I just finished submitting this issue for a
third time. I only have received automated emails stating...Microsoft can't
look at all the emails individually...I have only received feedback,
although no resolution, through this newsgroup forum.

Scott

"Jennifer Lesher [MSFT]" <jennle@online.microsoft.com> wrote in message
news:Get8XdRwCHA.2072@cpmsftngxa06...
> Hello Scott,
>
> I apologize for the delay in providing this link, but I had to do some
> research to verify that it was the appropriate channel.
>
> Please go to
> http://support.microsoft.com/default.aspx?scid=fh;en-us;feedback,
> Click on Send Feedback.
>
> This is what everything on MS.com points to for reporting bugs.
>
> Please let me know if this solves your problem or if you would like further
> assistance.
>
> I look forward to hearing from you.
>
> Sincerely,
>
> Jennifer Lesher
> MCSE/MCDBA
> Microsoft Online Support
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> Get Secure! - www.microsoft.com/security
>
>
> | I searched high and low, but everything I saw was for paid support. Since
> | this issue is repeatable, duplicatable and not working as feature
> | designed...please forward me a link to submit a bug to the group at
> | Microsoft responsible for the digital signature area instead. At minimum I
> | will expect a Knowledge Base article claiming that the feature does not
> | work...
> |
> | "Jeff Qiu" <jefffqiu@online.microsoft.com> wrote in message
> | news:qIq6voVtCHA.3284@cpmsftngxa06...
> | > HI Scott,
> | >
> | > Due to the complexity of this issue, we are unable to assist with this
> | > request in the newsgroups as the Partner Support newsgroups are geared
> | > towards break-fix scenarios.
> | >
> | > For further assistance on this issue, please contact Microsoft Product
> | > Support Services by telephone so that a dedicated Support Professional
> can
> | > assist you further with your request.
> | >
> | > To obtain the phone numbers for specific technology request please take a
> | > look at the web site listed below.
> | >
> | >
> | > http://support.microsoft.com/default.aspx?scid=%2fdefault.aspx%3fscid%3dsz%3ben-us%3btop
> | >
> | > Regards,
> | >
> | > Jeff Qiu
> | > jefffqiu@online.microsoft.com
> | > Online Support Professional
> | > Microsoft Corporation
> | >
> | > This posting is provided "AS IS" with no warranties, and confers no rights.
> | >
> | > --------------------
> | > >From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> | > >References: <OlR4TffrCHA.2488@TK2MSFTNGP12>
> | > <#PDdty9rCHA.1872@cpmsftngxa06> <OXxBz7CsCHA.2448@TK2MSFTNGP09>
> | > <Yzj$vSKsCHA.2580@cpmsftngxa09>
> | > >Subject: Re: Stand Alone CA Problem
> | > >Date: Thu, 2 Jan 2003 12:42:38 -0800
> | > >microsoft.public.win2000.security
> | > >
> | > >Using:
> | > >Microsoft Windows 2000 Server 5.00.2195 Service Pack 3
> | > >Microsoft Outlook 2002 (10.4608.42190) SP-2
> | > >Microsoft Internet Explorer 6 Version 6.0.2880.1106 Update Versions: ;SP1;
> | > >Q328970; Q324929;
> | > >
> | > >with all known patches and updates applied to date...
> | > >
> | > >
> | > >"Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
> | > >news:Yzj$vSKsCHA.2580@cpmsftngxa09...
> | > >> Hi Scott,
> | > >>
> | > >> Please let me know if you are using Internet Explorer 5. If so, I suggest
> | > >> you download the Internet Explorer 5.5 SP2. Please visit this web site:
> | > >> http://wwww.microsoft.com/windows/ie
> | > >>
> | > >> Tyler Li
> | > >>
> | > >> tylerli@online.microsoft.com
> | > >> Online Support Professional
> | > >> Microsoft Corporation
> | > >>
> | > >> This posting is provided "AS IS" with no warranties, and confers no rights.
> | > >> --------------------
> | > >> From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> | > >> References: <OlR4TffrCHA.2488@TK2MSFTNGP12> <#PDdty9rCHA.1872@cpmsftngxa06>
> | > >> Subject: Re: Stand Alone CA Problem
> | > >> Date: Mon, 30 Dec 2002 10:14:19 -0800
> | > >> Lines: 210
> | > >> X-Priority: 3
> | > >> X-MSMail-Priority: Normal
> | > >> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> | > >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> | > >> Message-ID: <OXxBz7CsCHA.2448@TK2MSFTNGP09>
> | > >> Newsgroups: microsoft.public.win2000.security
> | > >> NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
> | > >> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
> | > >> Xref: cpmsftngxa09 microsoft.public.win2000.security:1781
> | > >> X-Tomcat-NG: microsoft.public.win2000.security
> | > >>
> | > >> Sorry, but I DO want the certificate to be checked against a CRL. This
> | > >> command you referenced is undesirable.
> | > >>
> | > >> The CRL is available in my Certificate Revocation List in the "Certificates"
> | > >> Microsoft Management Console snap-in. The list is not corrupted. So without
> | > >> disabling checking, how does one get the certificate revocation list
> | > >> operational within Microsoft mail clients...Outlook 2000, Outlook 2002 and
> | > >> Outlook Express with all the latest updates and patches?
> | > >>
> | > >> If you don't understand what I mean I will be happy to send you an email
> | > >> with my digital signature. Send me an email requesting it, then view the
> | > >> certificate you see in your browser...with the security checking features
> | > >> on...without trusting the intermediary certificate explicitly...and having
> | > >> the root CA of the certificate a trusted CA...I have opened up a support
> | > >> ticket with Thawte and verified with them as well as my colleagues that the
> | > >> problem is repeatable.
> | > >>
> | > >> My certificate is attached as "scott.schreckengaust@aspentech.com.cer".
> | > >> The root CA for my certificate can be downloaded at
> | > >> <http://www.thawte.com/html/SUPPORT/keygen/persfree.crt>. The CRL for the
> | > >> signing certificate can be downloaded at
> | > >> <https://www.thawte.com/cgi/lifecylcle/roots.exe>
> | > >>
> | > >> The exact warning message is between the carets ("^")
> | > >>
> | > >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> | > >> Warning:
> | > >> The Certificate Revocation List needed to verify the signing certificate is
> | > >> either unavailable or it has expired.
> | > >> Signed by scott.schreckengaust@aspentech.com using RSA/SHA1 at 8:37:43
> | > >> 11/20/2002.
> | > >>
> | > >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> | > >>
> | > >> Additionally, the Microsoft support website at http://support.microsoft.com/
> | > >> only has information on how to disable the warning by not checking the CRL
> | > >> from keyword searches using the above warning messages.
> | > >>
> | > >> Anybody know how to remedy the situation?
> | > >>
> | > >> Thank you,
> | > >>
> | > >> Scott Schreckengaust
> | > >>
> | > >>
> | > >>
> | > >> "Tyler Li [MS]" <tylerli@online.microsoft.com> wrote in message
> | > >> news:#PDdty9rCHA.1872@cpmsftngxa06...
> | > >> > Hi,
> | > >> > This error occurs because the certificate is being checked against a CRL
> | > >> > (certificate revocation list). That CRL cannot be found, is corrupted, or
> | > >> > unavailable. The certificate itself may be valid, but since it is unable to
> | > >> > get a verified response from the CRL, the certificate appears to be invalid.
> | > >> > The command listed below tells the machine not to check against the CRL,
> | > >> > thus avoiding the warning message altogether.
> | > >> > http://support.microsoft.com/default.aspx?scid=KB;en-us;q249780
> | > >> >
> | > >> >
> | > >> > Tyler Li
> | > >> >
> | > >> > tylerli@online.microsoft.com
> | > >> > Online Support Professional
> | > >> > Microsoft Corporation
> | > >> >
> | > >> > This posting is provided "AS IS" with no warranties, and confers no rights.
> | > >> > --------------------
> | > >> > From: "Scott Schreckengaust" <scott.schreckengaust@aspentech.com>
> | > >> > Subject: Re: Stand Alone CA Problem
> | > >> > Date: Fri, 27 Dec 2002 14:34:50 -0800
> | > >> > Lines: 93
> | > >> > X-Priority: 3
> | > >> > X-MSMail-Priority: Normal
> | > >> > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> | > >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> | > >> > Message-ID: <OlR4TffrCHA.2488@TK2MSFTNGP12>
> | > >> > Newsgroups: microsoft.public.win2000.security
> | > >> > NNTP-Posting-Host: nat192186-114.aspentech.com 192.160.186.114
> | > >> > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP12
> | > >> > Xref: cpmsftngxa06 microsoft.public.win2000.security:1687
> | > >> > X-Tomcat-NG: microsoft.public.win2000.security
> | > >> >
> | > >> > This temporary fix for me does not even work. Where is the documentation
> | > >> > referenced below?
> | > >> >
> | > >> > I downloaded the CRL at https://www.thawte.com/cgi/lifecycle/roots.exe that
> | > >> > includes the "Personal Freemail RSA 2000.8.30" revocation list and installed
> | > >> > it into my certificate store, but still shows up with the same "Warning: The
> | > >> > Certificate Revocation List needed to verify the signing certificate is
> | > >> > either unavailable or it has expired."
> | > >> >
> | > >> > The signing certificate of the certificate with the warning is "Personal
> | > >> > Freemail RSA 2000.8.30" signed by "Thawte Personal Freemail CA" (which is in
> | > >> > my "Trusted Root Certificate Authorities"). I agree that one should not
> | > >> > have to change the "Inherit Trust from Issuer" to "Explicitly Trust this
> | > >> > Certificate" if the root in the chain is a trusted CA...
> | > >> >
> | > >> > I have signed this message with my certificate for you to look at...
> | > >> >
> | > >> > -----Original Message-----
> | > >> >
> | > >> >
> | > >> > --------------------------------------------------------------------------------
> | > >> >
> | > >> > a.. Subject: Re: Stand Alone CA Problem
> | > >> > b.. From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
> | > >> > c.. Date: Mon, 12 Aug 2002 08:40:51 -0700
> | > >> > d.. Bcc:
> | > >> > e.. In-reply-to: <emAQnoOPCHA.2416@tkmsftngp09> <ewS9g4FQCHA.2524@tkmsftngp11>
> | > >> > f.. Newsgroups: microsoft.public.win2000.security
> | > >> > g.. Xref: news.uni-stuttgart.de microsoft.public.win2000.security:8819
> | > >> >
> | > >> > --------------------------------------------------------------------------------
> | > >> >
> | > >> > This is almost always caused by network latency. OutlookXP cannot download
> | > >> > the CRL from the CDP fast enough and times out.
> | > >> >
> | > >> > Unless the CRL is valid for a very long time (which is normally a bad
> | > >> > security decision), your fix below is temporary. As soon as the CRL expires,
> | > >> > this behavior will reappear. If you use LDAP URLs instead of HTTP, the
> | > >> > download is usually many times faster. There are also a few settings
> | > >> > available around CRL download behavior and you should find all the details
> | > >> > in the documentation.
> | > >> >
> | > >> > --
> | > >> > Shreeniwas Kelkar,
> | > >> > Microsoft Corp.
> | > >> >
> | > >> > This posting is provided "AS IS" with no warranties, and confers no rights.
> | > >> > Use of any included samples is subject to the terms specified at
> | > >> > http://www.microsoft.com/info/cpyright.htm
> | > >> > --
> | > >> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> | > >> > news:ewS9g4FQCHA.2524@tkmsftngp11...
> | > >> > > To solve this problem, I downloaded the Certificate Revocation List of my
> | > >> > > CA and imported it in my certificate store.
> | > >> > >
> | > >> > > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> | > >> > > news:emAQnoOPCHA.2416@tkmsftngp09...
> | > >> > > > I installed a Standalone CA for my 70++-users win2000
> | > >> > > > local area network without any hitch. Users use OutlookXP
> | > >> > > > as mail client. Mail encryption and signing works well.
> | > >> > > > However when I open security properties of an
> | > >> > > > encrypted&signed mail, I see a warning message "The
> | > >> > > > Certificate Revocation List needed to verify the signing
> | > >> > > > certificate is either unavailable or it has expired."
> | > >> > > > Besides, for the signing certificate message it says "This
> | > >> > > > certificate is OK!" under the root CA. In the Edit Trust
> | > >> > > > part "Inherit trust from the issuer" seems to be chosen.
> | > >> > > > Why do I see this warning message? I wonder is there
> | > >> > > > anything wrong with the CDP points, but it also seems ok,
> | > >> > > > clients can query the CRL using HTTP. I think, I
> | > >> > > > shouldn't have to select "Explicitly trust this
> | > >> > > > certificate" for each certificate. Since I trust my root
> | > >> > > > CA, to select "inherit trust from the issuer" is expected
> | > >> > > > to work fine.
> | > >> > > >
> | > >> > > > Are there also any special procedures in publishing the CRL using an ISA2K
> | > >> > > > server?
> | > >> > > > The reason I asked this is because I will be issuing email certificates to
> | > >> > > > users outside our win2k domain.
> | > >> > > >
> | > >> > > > ANY comments & feedback will be greatly appreciated.
> | > >> > > >
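The CRL logic the thread keeps circling around, as an added Go example that is not code from the thread, from Microsoft or from Thawte: a client has to treat a CRL that cannot be downloaded, does not verify against the issuer, or lies outside its ThisUpdate..NextUpdate window as unusable, which is why importing a copy of the CRL by hand only silences the warning until that CRL expires. The CA and CRL are constructed in-process (a throwaway self-signed CA, not Thawte's) so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckAgainstCRL applies the checks a mail client makes before trusting a signing
// certificate: the DER CRL must parse, be signed by the issuer and be inside its
// ThisUpdate..NextUpdate window at time now. Returns "unusable", "revoked" or "good".
func CheckAgainstCRL(crlDER []byte, issuer *x509.Certificate, serial int64, now time.Time) string {
	crl, err := x509.ParseRevocationList(crlDER) // nil/empty input (failed CDP download) fails here
	if err != nil || crl.CheckSignatureFrom(issuer) != nil {
		return "unusable" // unavailable, corrupted, or not signed by the issuer
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "unusable" // expired: a manually imported CRL stops working at NextUpdate
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return "revoked"
		}
	}
	return "good"
}

// must panics on error so the constructed fixture below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ConstructedCRL makes a throwaway self-signed CA (constructed, not Thawte's) and
// returns a CRL it signed, valid from thisUpdate for lifetime and revoking one serial.
func ConstructedCRL(thisUpdate time.Time, lifetime time.Duration, revokedSerial int64) ([]byte, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Mail CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(lifetime),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: thisUpdate}}}
	return must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)), ca
}
```

Calling ConstructedCRL with a ThisUpdate two days back and a one-day lifetime reproduces the "unavailable or it has expired" outcome for an otherwise valid, correctly signed CRL.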


