Certificate
Certificate generated by TinyCA rejected by Exchange 2013
I created a CA with TinyCA2 and created a certificate for my Exchange 2013 server with it. Although the certificate installs fine on Exchange, Exchange always shows "Revocation check failure". (I tried 10 different certificates.)
My CRL is visible on the LAN, and the file can be retrieved from a web browser on the Exchange server. The CA certificate set up in TinyCA2 lists "http://myserver.com/crl.pem" as the CRL.
The Exchange Management Shell shows:
    Get-ExchangeCertificate | fl

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {newmail.myco.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=MyCo, C=CA
    NotAfter           : 2/26/2026 9:21:09 PM
    NotBefore          : 2/29/2016 9:21:09 PM
    PublicKeySize      : 2048
    RootCAType         : GroupPolicy
    SerialNumber       : 03
    Services           : IMAP, POP
    Status             : RevocationCheckFailure
    Subject            : C=CA, S=Michigan, L=Detroit, O=MYCO, OU=IT3, CN=newmail.myco.com
    Thumbprint         : 3EF2C92F4D3747B9
and certutil shows:
    Serial: 04
    SubjectAltName: No alternative name
    06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
    The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
    ------------------------------------
    Revocation check skipped -- no revocation information available
    Cert is an End Entity certificate
    Cannot check leaf certificate revocation status
    CertUtil: -verify command completed successfully.
Is there anything else I need to do to get Exchange to accept the certificate? Why doesn't it accept the CRL?
We used to have a Windows CA, but we have shut it down. We are trying to switch to Linux. Is there anything I have to tell the DC about the Windows CA no longer being active? (Is Exchange checking the old Windows CA's CRL?)
Update: result of "certutil -urlfetch -verify" on the leaf certificate:
    Issuer:
        CN=My Company
        C=CA
      Name Hash(sha1): b6b02cfd24a47572f68a85a398322f978989d9ef
      Name Hash(md5): 5333e962243f00751ee6fcf5b62973b9
    Subject:
        C=CA
        S=State
        L=City
        O=mydomain
        OU=IT4
        CN=newmail.mydomain.com
      Name Hash(sha1): 1a7840c8a10059e8e2b87e32f32426dd6ad3d60a
      Name Hash(md5): 1b0581a411b0c14d057203950e3aca98
    Cert Serial Number: 04

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

    CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
      Issuer: CN=My Company, C=CA
      NotBefore: 2/29/2016 9:45 PM
      NotAfter: 2/26/2026 9:45 PM
      Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
      Serial: 04
      SubjectAltName: No alternative name
      06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      ---------------- Certificate AIA ----------------
      No URLs "None" Time: 0
      ---------------- Certificate CDP ----------------
      No URLs "None" Time: 0
      ---------------- Certificate OCSP ----------------
      No URLs "None" Time: 0
      --------------------------------

    CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
      Issuer: CN=My Company, C=CA
      NotBefore: 2/29/2016 8:17 PM
      NotAfter: 2/26/2026 8:17 PM
      Subject: CN=My Company, C=CA
      Serial: 86278a3832426d41
      SubjectAltName: No alternative name
      353c6f365f9d7b2e623b7c228e937adac5ee3a2b
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ---------------- Certificate AIA ----------------
      No URLs "None" Time: 0
      ---------------- Certificate CDP ----------------
      No URLs "None" Time: 0
      ---------------- Certificate OCSP ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert: 06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
    Full chain: b8408cac425b1604c28a619181394d7f057607e0
    Issuer: CN=My Company, C=CA
    NotBefore: 2/29/2016 9:45 PM
    NotAfter: 2/26/2026 9:45 PM
    Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
    Serial: 04
    SubjectAltName: No alternative name
    06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
    The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
    ------------------------------------
    Revocation check skipped -- no revocation information available
    Cert is an End Entity certificate
    Cannot check leaf certificate revocation status
    CertUtil: -verify command completed successfully.
For anyone else with this problem: TinyCA creates certificates without a CRL. While this is fine for most Linux hosts, Exchange (and probably all modern Windows hosts) requires a CRL. So the solution is to stop using TinyCA. Instead, try XCA (which I have confirmed works).
I don't know why you would think this is somehow a Windows problem. It looks like you have a valid certificate with no revocation information. Verify that your CRL is online and that the CRL is in the certificate.
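The certutil trace above is the tell: under the leaf certificate it prints "Certificate CDP: No URLs". The CDP (crlDistributionPoints) extension is where Windows CryptoAPI looks for the CRL download URL, so a leaf issued without it gives the chain engine nothing to fetch, however reachable http://myserver.com/crl.pem is from a browser, and the status stays RevocationCheckFailure / CRYPT_E_NO_REVOCATION_CHECK. The script below is an added example, not code from either answer, from TinyCA or from XCA: it builds a throwaway OpenSSL CA (one way to do this on the Linux CA the poster is moving to), issues the same CSR once without and once with a crlDistributionPoints extension, publishes a CRL, and runs a revocation-aware verification before and after revoking the leaf. The CA name, subject fields and CDP URL are placeholders copied from the thread; openssl and mktemp are assumed to be on the path; everything runs offline in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): issue a leaf certificate with and
# without a crlDistributionPoints (CDP) extension from a throwaway OpenSSL CA,
# publish a CRL, and verify with revocation checking. Names and the CDP URL
# are placeholders taken from the thread, not a real CA.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for "openssl req" and "openssl ca". unique_subject=no lets the
# same CSR be signed twice (once per extension profile).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = any_policy
[ any_policy ]
countryName = optional
organizationName = optional
commonName = supplied
[ leaf_no_cdp ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ leaf_with_cdp ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
# This is the extension the TinyCA-issued cert lacked ("Certificate CDP: No URLs").
crlDistributionPoints = URI:http://myserver.com/crl.pem
EOF
touch index.txt
echo 01 > serial

# Throwaway CA and a CSR for the mail server (subjects mirror the thread).
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.pem -days 365 -subj "/CN=My Company/C=CA" 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/C=CA/O=mydomain/CN=newmail.mydomain.com" 2>/dev/null

# issue <extension section> <output file>: sign leaf.csr with the given profile.
issue() {
  openssl ca -batch -notext -config ca.cnf -extensions "$1" -in leaf.csr -out "$2" >/dev/null 2>&1
}
issue leaf_no_cdp   leaf_nocdp.pem
issue leaf_with_cdp leaf_cdp.pem

# Publish the CRL; this file is what would be served at the CDP URL.
gencrl() { openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1; }
gencrl

# Does the certificate tell a relying party where its CRL lives?
has_cdp() { openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"; }

# Revocation-aware chain check. openssl verify never fetches the CDP URL; the
# CRL is handed to it with -CRLfile. Windows CryptoAPI, by contrast, learns the
# download location only from the certificate's CDP extension.
crl_verify() { openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check "$1" >/dev/null 2>&1; }

for f in leaf_nocdp.pem leaf_cdp.pem; do
  if has_cdp "$f"; then echo "$f: has CDP extension"; else echo "$f: no CDP extension"; fi
  if crl_verify "$f"; then echo "$f: revocation check OK"; else echo "$f: revocation check FAILED"; fi
done

# Revoke the CDP-bearing certificate, reissue the CRL, and check again.
openssl ca -config ca.cnf -revoke leaf_cdp.pem >/dev/null 2>&1
gencrl
if crl_verify leaf_cdp.pem; then echo "unexpected: leaf_cdp.pem still verifies"; else echo "leaf_cdp.pem: revoked, verification fails as it should"; fi
echo "artifacts left in $WORK"
```

On the Exchange host, `certutil -urlfetch -verify leaf_cdp.pem` would then list the URL under "Certificate CDP" and try to download it; that download has to succeed from the server itself (proxy and name resolution included), and the CRL's nextUpdate has to be in the future, or the chain still reports CERT_TRUST_REVOCATION_STATUS_UNKNOWN. The CA certificate's own CDP, which the poster set in TinyCA2, is irrelevant to the leaf check: CryptoAPI reads the CDP of the certificate being checked, not of its issuer.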