Certificate

Certificate generated by TinyCA rejected by Exchange 2013

  • November 13, 2019

I created a CA with TinyCA2 and created a certificate for my Exchange 2013 server. Although the certificate installs fine on Exchange, Exchange always shows "Revocation check failure". (I tried 10 different certificates.)

My CRL is visible on the LAN and the file can be retrieved from a web browser on the Exchange server. The CA certificate set up in TinyCA2 lists "http://myserver.com/crl.pem" as the CRL.

The Exchange shell shows:

Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                    System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {newmail.myco.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MyCo, C=CA
NotAfter           : 2/26/2026 9:21:09 PM
NotBefore          : 2/29/2016 9:21:09 PM
PublicKeySize      : 2048
RootCAType         : GroupPolicy
SerialNumber       : 03
Services           : IMAP, POP
Status             : RevocationCheckFailure
Subject            : C=CA, S=Michigan, L=Detroit, O=MYCO, OU=IT3, CN=newmail.myco.com
Thumbprint         : 3EF2C92F4D3747B9

and certutil shows:

 Serial: 04
 SubjectAltName: No alternative name
 06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Cert is an End Entity certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

Is there anything else I need to do to get Exchange to accept the certificate? Why isn't the CRL accepted?

We used to have a Windows CA, but we have shut it down. We are trying to switch to Linux. Is there anything I have to tell the DC about the Windows CA no longer being active? (Does Exchange check the old Windows CA's CRL?)


Update: results of "certutil -urlfetch -verify" for the leaf certificate:

Issuer:
   CN=My Company
   C=CA
 Name Hash(sha1): b6b02cfd24a47572f68a85a398322f978989d9ef
 Name Hash(md5): 5333e962243f00751ee6fcf5b62973b9
Subject:
   C=CA
   S=State
   L=City
   O=mydomain
   OU=IT4
   CN=newmail.mydomain.com
 Name Hash(sha1): 1a7840c8a10059e8e2b87e32f32426dd6ad3d60a
 Name Hash(md5): 1b0581a411b0c14d057203950e3aca98
Cert Serial Number: 04

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
 Issuer: CN=My Company, C=CA
 NotBefore: 2/29/2016 9:45 PM
 NotAfter: 2/26/2026 9:45 PM
 Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
 Serial: 04
 SubjectAltName: No alternative name
 06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
 Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
 Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
 Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
 ----------------  Certificate AIA  ----------------
 No URLs "None" Time: 0
 ----------------  Certificate CDP  ----------------
 No URLs "None" Time: 0
 ----------------  Certificate OCSP  ----------------
 No URLs "None" Time: 0
 --------------------------------

CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
 Issuer: CN=My Company, C=CA
 NotBefore: 2/29/2016 8:17 PM
 NotAfter: 2/26/2026 8:17 PM
 Subject: CN=My Company, C=CA
 Serial: 86278a3832426d41
 SubjectAltName: No alternative name
 353c6f365f9d7b2e623b7c228e937adac5ee3a2b
 Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
 Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
 Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
 ----------------  Certificate AIA  ----------------
 No URLs "None" Time: 0
 ----------------  Certificate CDP  ----------------
 No URLs "None" Time: 0
 ----------------  Certificate OCSP  ----------------
 No URLs "None" Time: 0
 --------------------------------

Exclude leaf cert:
 06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
Full chain:
 b8408cac425b1604c28a619181394d7f057607e0
 Issuer: CN=My Company, C=CA
 NotBefore: 2/29/2016 9:45 PM
 NotAfter: 2/26/2026 9:45 PM
 Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
 Serial: 04
 SubjectAltName: No alternative name
 06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Cert is an End Entity certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

For anyone else with this problem: TinyCA creates certificates without a CRL. While this is fine for most Linux hosts, Exchange (and probably all modern Windows hosts) requires a CRL. So the solution is to stop using TinyCA. Instead, try XCA (which I have confirmed works).
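The answer above says the certificates TinyCA issued carried no CRL information, which matches the "Certificate CDP ... No URLs" lines in the certutil output. The script below is an added example, not part of the original thread and not TinyCA's or XCA's code: it uses the openssl CLI to issue one leaf certificate with a CRL Distribution Point and one without, and a small has_cdp check that tells the two apart before the certificate ever reaches Exchange. The CDP URL is the one quoted in the question; the subject names, file names, work directory and the section names in the config are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post, TinyCA or XCA): issue a leaf
# certificate that carries a CRL Distribution Point (CDP) with the openssl CLI,
# and check for the extension before installing the certificate anywhere.
# Assumptions: openssl is on PATH; the CDP URL is the one quoted in the question;
# subject names, file names and the work directory are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
CDP_URL="http://myserver.com/crl.pem"

# Minimal OpenSSL config. [leaf_ext] carries the CDP; [leaf_nocdp_ext] is the
# same profile without it, reproducing the "Certificate CDP ... No URLs" case.
cat > "$WORK/cdp.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:newmail.myco.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:$CDP_URL
[ leaf_nocdp_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:newmail.myco.com
EOF

# Self-signed CA certificate and key (constructed for the demo).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/C=CA/CN=MyCo" -config "$WORK/cdp.cnf" -extensions ca_ext \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# One CSR, signed twice: once with the CDP profile, once without.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=CA/O=MYCO/CN=newmail.myco.com" -config "$WORK/cdp.cnf" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
for profile in leaf_ext leaf_nocdp_ext; do
  openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/cdp.cnf" -extensions "$profile" \
    -out "$WORK/$profile.crt" 2>/dev/null
done

# has_cdp <cert.pem>: prints the first CDP URI and returns 0, or returns 1 when
# the certificate has no CRL Distribution Points extension at all.
has_cdp() {
  openssl x509 -in "$1" -noout -text \
    | awk '/CRL Distribution Points/ {f=1; next} f && /URI:/ {sub(/^[ \t]*URI:/, ""); print; exit}' \
    | grep .
}

has_cdp "$WORK/leaf_ext.crt"
if ! has_cdp "$WORK/leaf_nocdp_ext.crt"; then
  echo "leaf_nocdp_ext.crt: no CRL Distribution Points, revocation cannot be checked"
fi
```

Only the leaf needs the CDP here: the certutil trace in the question was run with CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, so the self-signed CA certificate is not revocation-checked. On the Windows side the matching check is the "certutil -urlfetch -verify" run shown above; a certificate that passes has_cdp should show a URL under "Certificate CDP" instead of "No URLs", provided the CRL at that URL is actually reachable from the Exchange server.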

I don't know why you would think this is somehow a Windows problem. It looks like you have a valid certificate with no revocation information. Verify that your CRL is online and that the CRL is in the certificate.

Source: https://serverfault.com/questions/760617