Re: IIS 6 behavior on checking clients' certificates (again)

From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/16/05


Date: Fri, 16 Sep 2005 14:05:38 -0500

In article <33F866DC-E24D-47B1-862C-540EBB7D5763@microsoft.com>,
Vsevolod@discussions.microsoft.com says...
> Hello, Brian !
>
> "Brian Komar [MVP]" wrote:
> >
> > What you will need to do is ensure that all certificates (other than the
> > root CA) have the AIA and CDP extensions in the issued certificates.
> >
> As I wrote before, I had made a simple test. I installed two Microsoft CA
> servers (Root & Subordinate) with default settings. Then I issued a Web server
> certificate from the Root CA and a client certificate from the Subordinate CA. When I try
> to open a page on IIS 6 I receive the error:
> 403.16. All issued certificates have AIA and CDP extensions. All resources
> that the AIA and CDP extensions point to are available.
>
> IMHO I think you can make the same test with the same result.
>
>
> Thanks for your attention to my person.
> BR,
> Vsevolod.
>
>
Run two tests for me:

At the client, run certutil -verify -urlfetch <certfile>
against the Web server certificate as the certfile.

Do the same test at the Web server against the client certificate as the
certfile.

Post the output. You may have to load the 2k3 Adminpak at both the IIS
6.0 server and at the XP client to run the command. My bet is that,
because you used the default configuration, there are issues with the
AIA and CDP extensions.

Brian
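The two checks Brian asks for, scripted so the output can be summarized and posted back. This is an added example, not part of the original thread: it assumes the Web server certificate and the client certificate have been exported to .cer files (the paths below are placeholders), that certutil.exe from the 2k3 Adminpak is on the PATH, and that certutil's per-URL result lines begin with "Verified", "Failed" or "Error retrieving URL" (the matching patterns are an assumption and may need adjusting for other Windows versions). Run it at the XP client against the Web server certificate, and at the IIS 6 server against the client certificate.

```powershell
# Added example: wrap "certutil -verify -urlfetch <certfile>" and summarize the
# AIA/CDP fetch and revocation results for one or more exported certificates.
# Not from the original post. Paths are placeholders.
param(
    # e.g. at the client:  -CertPath C:\certs\webserver.cer
    #      at the server:  -CertPath C:\certs\client.cer
    [Parameter(Mandatory = $true)][string[]]$CertPath
)

function Test-CertChainFetch {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path)) { throw "Certificate file not found: $Path" }

    # -urlfetch forces certutil to download every AIA and CDP URL in the chain,
    # which is what the schannel chain engine on IIS must be able to do when it
    # validates a client certificate (403.16 means that validation failed).
    $output = & certutil.exe -verify -urlfetch $Path 2>&1 | ForEach-Object { "$_" }
    $exit = $LASTEXITCODE

    # Collect the lines that indicate a failed URL fetch or a chain/revocation
    # error. Pattern wording is an assumption about certutil's output format.
    $problems = $output | Where-Object {
        ($_ -match '^\s*(Failed|Error retrieving URL)') -or
        ($_ -match 'ERROR: Verifying') -or
        ($_ -match 'CRYPT_E_REVOCATION_OFFLINE|CERT_E_REVOCATION_FAILURE|CERT_E_UNTRUSTEDROOT|CERT_E_CHAINING')
    }

    # Every URL certutil attempted (AIA, CDP, OCSP), so a failing one can be
    # opened directly from this machine to see whether it really is reachable.
    $urls = $output |
        Select-String -Pattern '(https?|ldap|file)://[^\s"]+' -AllMatches |
        ForEach-Object { $_.Matches | ForEach-Object { $_.Value } } |
        Sort-Object -Unique

    New-Object PSObject -Property @{
        Certificate = $Path
        ExitCode    = $exit
        Urls        = @($urls)
        Problems    = @($problems)
        Output      = $output
    }
}

foreach ($file in $CertPath) {
    $r = Test-CertChainFetch -Path $file
    Write-Host ("=== {0} (certutil exit code {1}) ===" -f $r.Certificate, $r.ExitCode)
    Write-Host "URLs attempted:"
    $r.Urls | ForEach-Object { Write-Host "  $_" }
    if ($r.Problems.Count -gt 0) {
        Write-Host "Problems:" -ForegroundColor Red
        $r.Problems | ForEach-Object { Write-Host "  $_" }
    } else {
        Write-Host "No AIA/CDP fetch or revocation errors reported." -ForegroundColor Green
    }
    # Keep the full certutil output in a file next to the certificate to post back.
    $r.Output | Set-Content -Path ($file + '.verify.txt')
}
```

A non-zero exit code or any "Failed" line for an AIA or CDP entry is the thing to look at first: the URL list shows exactly which location the chain engine tried from this machine, which is often an LDAP or http://<servername>/CertEnroll path that is reachable from the CA but not from the peer doing the validation.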
