Re: Certificates Trust List

From: Andrey Kreitor (kreit_at_mail.ru)
Date: 11/14/04

    Date: 14 Nov 2004 06:52:57 -0800
    
    

    David,

    just to answer your question more exactly:
    Root CA cert I trust doesn't have a CDP extension in it.

    Andrey

    kreit@mail.ru (Andrey Kreitor) wrote in message news:<670d9223.0411112115.7896b0fd@posting.google.com>...
    > OK, little weird since it's common practice for offline root to not
    > have crls....
    >
    > David, are there any workarounds? to renew root certificate with a
    > valid crl?
    >
    > It's even more strange - this works OK with XP, 2003, 2000 sp3. It
    > doesn't work with 2000 since sp4. I even can check web sites
    > certificates accessed from stations under win2k sp4.
    >
    > This may not work with Outlook only. Even if I disable crl
    > checking in Outlook through "UseCRLChasing" I still get these
    > warnings...
    >
    > Andrey
    >
    > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:<e9o5ba$xEHA.2568@TK2MSFTNGP11.phx.gbl>...
    > > does the root CA cert have a CDP extension in it?
    > >
    > > this error implies that a cert in the chain specifies a CRL in a CDP
    > > location that cannot be retrieved.
    > >
    > > --
    > >
    > >
    > > David B. Cross [MS]
    > >
    > > --
    > > This posting is provided "AS IS" with no warranties, and confers no rights.
    > >
    > > http://support.microsoft.com
    > >
    > > "Andrey Kreitor" <kreit@mail.ru> wrote in message
    > > news:670d9223.0411110446.4a33ce0d@posting.google.com...
    > > > David,
    > > > I managed to run capimon - sdbinst.exe was missing on my machine...
    > > > I get this error according to Capimon:
    > > >
    > > > ----
    > > > Return Value: Failure (0)
    > > > Last Error: The revocation function was unable to check revocation for
    > > > the certificate. (0x80092012)
    > > >
    > > > CertDllVerifyRevocation Parameters:
    > > > Encoding Type: 0x00000001
    > > > X509_ASN_ENCODING (0x00000001)
    > > >
    > > > Revocation Type: 0x00000001
    > > > CERT_CONTEXT_REVOCATION_TYPE (0x00000001)
    > > >
    > > > Flags: 0x00000002
    > > > CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION (0x00000002)
    > > >
    > > > -----
    > > >
    > > > It seems it checks for crl for the offline root ca I trust.... but it
    > > > doesn't have crls at all... What can I do?
    > > >
    > > > Andrey.
    > > >
    > > >
    > > >
    > > >
    > > > kreit@mail.ru (Andrey Kreitor) wrote in message
    > > > news:<670d9223.0411102307.3bacdedb@posting.google.com>...
    > > >> The exact path is "c:\Program Files\Microsoft Office\Office\outlook.exe"
    > > >> I just played with paths like this "c:\outlook.exe" to make it (path)
    > > >> simpler :)
    > > >>
    > > >> What I did:
    > > >> 1. installed
    > > >> 2. tried to run this command:
    > > >> Capimon.exe -setup -appname: Application_Path
    > > >>
    > > >>
    > > >> Andrey.
    > > >>
    > > >>
    > > >>
    > > >> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
    > > >> news:<#V0AEfyxEHA.3336@TK2MSFTNGP11.phx.gbl>...
    > > >> > are you sure that is the right path to outlook.exe ?
    > > >> >
    > > >> > for example on my machine it is: "c:\program files\Microsoft
    > > >> > Office\Office
    > > >> > 11\outlook.exe"
    > > >> >
    > > >> > --
    > > >> >
    > > >> >
    > > >> > David B. Cross [MS]
    > > >> >
    > > >> > --
    > > >> > This posting is provided "AS IS" with no warranties, and confers no
    > > >> > rights.
    > > >> >
    > > >> > http://support.microsoft.com
    > > >> >
    > > >> > "Andrey Kreitor" <kreit@mail.ru> wrote in message
    > > >> > news:670d9223.0411100150.793e6429@posting.google.com...
    > > >> > > tried this with\without quotation marks:
    > > >> > > c:\Program Files\Microsoft CAPIMON 1.0>Capimon.exe -setup
    > > >> > > -appname:"c:\Program Files\Microsoft Office\Office\outlook.exe"
    > > >> > > or
    > > >> > > c:\Program Files\Microsoft CAPIMON 1.0>Capimon.exe -setup
    > > >> > > -appname:c:\outlook.exe
    > > >> > >
    > > >> > > All I get:
    > > >> > > "Error: The system cannot find the file specified."
    > > >> > >
    > > >> > >
    > > >> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
    > > >> > > news:<OY7$SrAxEHA.2568@TK2MSFTNGP10.phx.gbl>...
    > > >> > >> Hard to tell what the problem might be, but you might be able to use
    > > >> > >> CAPIMON
    > > >> > >> with your application to troubleshoot.
    > > >> > >>
    > > >> > >>
    > > >> > >>
    > > >> > >> CAPIMON:
    > > >> > >> http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
    > > >> > >>
    > > >> > >>
    > > >> > >>
    > > >> > >> --
    > > >> > >>
    > > >> > >>
    > > >> > >> David B. Cross [MS]
    > > >> > >>
    > > >> > >> --
    > > >> > >> This posting is provided "AS IS" with no warranties, and confers no
    > > >> > >> rights.
    > > >> > >>
    > > >> > >> http://support.microsoft.com
    > > >> > >>
    > > >> > >> "Andrey Kreitor" <kreit@mail.ru> wrote in message
    > > >> > >> news:670d9223.0411050650.725a9706@posting.google.com...
    > > >> > >> > All domain controllers under win2k. Schema upgraded to 2003.
    > > >> > >> > Enterprise CA under windows 2003 and offline root ca under
    > > >> > >> > win2003.
    > > >> > >> >
    > > >> > >> > Here it is the problem with ctl to another organization root cert.
    > > >> > >> > Certificate chain check shows "Generic trust failure."... when
    > > >> > >> > using
    > > >> > >> > Outlook.
    > > >> > >> >
    > > >> > >> > Of course I checked that I can see the ctl in user's personal
    > > >> > >> > certificate store.
    > > >> > >> > This problem occurs only with clients under win2k. I have no
    > > >> > >> > problems
    > > >> > >> > under server 2003 or XP clients.
    > > >> > >> >
    > > >> > >> > What may cause this?
    > > >> > >> > Thanks in advance!
    > > >> > >> >
    > > >> > >> > p.s. Certificate template v2(Microsoft Trust List Signing
    > > >> > >> > Application
    > > >> > >> > policy) signed the ctl
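
The question raised in the thread (which certificates in the chain carry a CDP extension, and for which of them revocation status could not be determined) can be answered with a short script. This is an added example, not part of the original thread; the function name `Get-ChainCdpReport` and the file path in the usage comment are hypothetical, and the `URL=` parsing assumes English-locale extension formatting.

```powershell
# Added example: report CDP extensions and revocation status per chain element.
# Get-ChainCdpReport is a hypothetical helper name, not a built-in cmdlet.
function Get-ChainCdpReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for every element, root included, so that a
    # revocation failure at the root shows up in the per-element status.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    [void]$chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        # 2.5.29.31 is the OID of the CRL Distribution Points (CDP) extension.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdp) {
            # Format() renders the extension as text; extract the URL entries.
            $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            SubjectIsIssuer = ($cert.Subject -eq $cert.Issuer)   # true for a root
            HasCdp        = [bool]$cdp
            CdpUrls       = $urls -join '; '
            # RevocationStatusUnknown / OfflineRevocation here mean the CRL
            # for this element could not be obtained.
            Status        = ($element.ChainElementStatus |
                                ForEach-Object { $_.Status }) -join ', '
        }
    }
    $chain.Reset()
}

# Usage (the path is a placeholder for an exported certificate file):
# $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\user.cer'
# Get-ChainCdpReport -Certificate $c | Format-List
```

An element that shows `HasCdp = False` together with a revocation status flag is the case described in the thread: a revocation check is attempted for a certificate that publishes no CRL location.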

