Ho configurato una nuova CA utilizzando TinyCA. Durante la creazione della CA ho utilizzato un nome host interno per l'url crl esattamente come segue: link
E ho esportato il CRL in quella posizione e ho confermato che è visibile sulla rete.
Ora, quando emetto i certificati (in questo caso per lo scambio), accetta il certificato, ma indica il fallimento del controllo di revoca. Utilizzando il certuil suggerisce che le informazioni CRL mancano dal certificato foglia. (Vedere l'output di certutil di un certificato foglia qui sotto). Allo stesso modo, certutil afferma che il certificato della mia CA non ha URL CRL.
Perché i miei certificati CA e Fogli mancano di URL CRL? Quando visualizzo i dettagli della CA in Tiny CA, mostra Netscape CA revoca UR L come link come originariamente inserito.
Issuer:
CN=My Company
C=CA
Name Hash(sha1): b6b02cfd24a47572f68a85a398322f978989d9ef
Name Hash(md5): 5333e962243f00751ee6fcf5b62973b9
Subject:
C=CA
S=State
L=City
O=mydomain
OU=IT4
CN=newmail.mydomain.com
Name Hash(sha1): 1a7840c8a10059e8e2b87e32f32426dd6ad3d60a
Name Hash(md5): 1b0581a411b0c14d057203950e3aca98
Cert Serial Number: 04
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
Issuer: CN=My Company, C=CA
NotBefore: 2/29/2016 9:45 PM
NotAfter: 2/26/2026 9:45 PM
Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
Serial: 04
SubjectAltName: No alternative name
06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
Issuer: CN=My Company, C=CA
NotBefore: 2/29/2016 8:17 PM
NotAfter: 2/26/2026 8:17 PM
Subject: CN=My Company, C=CA
Serial: 86278a3832426d41
SubjectAltName: No alternative name
353c6f365f9d7b2e623b7c228e937adac5ee3a2b
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
Full chain:
b8408cac425b1604c28a619181394d7f057607e0
Issuer: CN=My Company, C=CA
NotBefore: 2/29/2016 9:45 PM
NotAfter: 2/26/2026 9:45 PM
Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
Serial: 04
SubjectAltName: No alternative name
06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
The revocation function was unable to check revocation for the certificate. 0x80
092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Cert is an End Entity certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.