I set up a new CA using TinyCA. When creating the certificate authority, I used an internal hostname for the CRL URL, exactly as shown below: link
And I exported the CRL to that location and confirmed that it is reachable on the network.
Now, when I issue certificates (in this case for Exchange), it accepts the certificate but says the revocation check fails. Checking the certificate suggests that the CRL information is missing from the leaf certificate (see the certutil output for a leaf certificate below). Likewise, certutil says my CA certificate has no CRL URL.
Why are the CRL URLs missing from my CA and from my leaf certificates? When I view the CA details in TinyCA, it shows Netscape CA revocation URL as link, as originally entered.
Issuer:
CN=My Company
C=CA
Name Hash(sha1): b6b02cfd24a47572f68a85a398322f978989d9ef
Name Hash(md5): 5333e962243f00751ee6fcf5b62973b9
Subject:
C=CA
S=State
L=City
O=mydomain
OU=IT4
CN=newmail.mydomain.com
Name Hash(sha1): 1a7840c8a10059e8e2b87e32f32426dd6ad3d60a
Name Hash(md5): 1b0581a411b0c14d057203950e3aca98
Cert Serial Number: 04
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
Issuer: CN=My Company, C=CA
NotBefore: 2/29/2016 9:45 PM
NotAfter: 2/26/2026 9:45 PM
Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
Serial: 04
SubjectAltName: No alternative name
06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
Issuer: CN=My Company, C=CA
NotBefore: 2/29/2016 8:17 PM
NotAfter: 2/26/2026 8:17 PM
Subject: CN=My Company, C=CA
Serial: 86278a3832426d41
SubjectAltName: No alternative name
353c6f365f9d7b2e623b7c228e937adac5ee3a2b
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
Full chain:
b8408cac425b1604c28a619181394d7f057607e0
Issuer: CN=My Company, C=CA
NotBefore: 2/29/2016 9:45 PM
NotAfter: 2/26/2026 9:45 PM
Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
Serial: 04
SubjectAltName: No alternative name
06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Cert is an End Entity certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
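The certutil trace above reports "No URLs" under both the CDP and AIA sections, which is what the Windows chain engine actually reads when it looks for revocation information: the RFC 5280 crlDistributionPoints and authorityInfoAccess extensions. A field labelled "Netscape CA revocation URL" names the legacy Netscape extension (netscape-ca-revocation-url, OID 2.16.840.1.113730.1.4), which CryptoAPI does not consult. The following is an added example, not part of the question or of TinyCA itself, and it assumes that TinyCA's field maps to that Netscape extension (the page only shows the field name, not the encoded extension). It builds a throwaway CA and two leaf certificates with the `cryptography` library, one carrying only the Netscape URL and one carrying a proper crlDistributionPoints extension, and a checker that reports the same three categories certutil prints (CDP, OCSP from AIA, and the Netscape value). The CRL URL and names are constructed sample values.

```python
"""Inspect X.509 certificates for the revocation URLs CryptoAPI/certutil can use
(crlDistributionPoints and AIA/OCSP) versus the legacy Netscape revocation URL,
and build sample certificates showing both cases. Added example; assumes the
'Netscape CA revocation URL' field writes the Netscape extension."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Legacy Netscape extension; not in RFC 5280 and ignored by the Windows chain engine.
NETSCAPE_CA_REVOCATION_URL = x509.ObjectIdentifier("2.16.840.1.113730.1.4")

CRL_URL = "http://ca.mydomain.internal/crl/ca.crl"  # constructed sample URL


def der_ia5string(text: str) -> bytes:
    """DER-encode a short IA5String (tag 0x16, short-form length) for the Netscape extension."""
    raw = text.encode("ascii")
    if len(raw) >= 128:
        raise ValueError("only short-form DER lengths are handled here")
    return bytes([0x16, len(raw)]) + raw


def revocation_urls(cert: x509.Certificate) -> dict:
    """Return the revocation URLs present in cert, split by where a verifier finds them."""
    out = {"cdp": [], "ocsp": [], "netscape": None}
    try:  # crlDistributionPoints: what certutil lists under "Certificate CDP"
        for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
            for name in dp.full_name or []:
                if isinstance(name, x509.UniformResourceIdentifier):
                    out["cdp"].append(name.value)
    except x509.ExtensionNotFound:
        pass
    try:  # authorityInfoAccess OCSP responders: "Certificate OCSP"
        for ad in cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value:
            if ad.access_method == AuthorityInformationAccessOID.OCSP:
                out["ocsp"].append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    try:  # Netscape URL: parsed as an UnrecognizedExtension, value is raw DER
        raw = cert.extensions.get_extension_for_oid(NETSCAPE_CA_REVOCATION_URL).value.value
        if raw[:1] == b"\x16":
            out["netscape"] = raw[2:2 + raw[1]].decode("ascii")
    except x509.ExtensionNotFound:
        pass
    return out


def _base_builder(subject, issuer, pubkey):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650)))


def build_chain(crl_url: str, standard_cdp: bool):
    """Build a self-signed CA and one leaf. standard_cdp=False mimics the Netscape-only
    case (hypothetical TinyCA behaviour); True issues a leaf with a real CDP extension."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "My Company"),
                         x509.NameAttribute(NameOID.COUNTRY_NAME, "CA")])
    ca_cert = (_base_builder(ca_name, ca_name, ca_key.public_key())
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "newmail.mydomain.com")])
    builder = _base_builder(leaf_name, ca_name, leaf_key.public_key())
    if standard_cdp:
        builder = builder.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    else:
        builder = builder.add_extension(
            x509.UnrecognizedExtension(NETSCAPE_CA_REVOCATION_URL, der_ia5string(crl_url)),
            critical=False)
    return ca_cert, builder.sign(ca_key, hashes.SHA256())


if __name__ == "__main__":
    for label, flag in (("netscape-only leaf", False), ("leaf with CDP", True)):
        ca, leaf = build_chain(CRL_URL, standard_cdp=flag)
        print(label, "->", revocation_urls(leaf))
    # To check a real certificate instead: x509.load_pem_x509_certificate(open(p, "rb").read())
```

Running `revocation_urls` on a real leaf exported from the CA (loaded with `x509.load_pem_x509_certificate`) gives a quick way to confirm whether the missing CDP reported by certutil is a property of the certificate itself; only certificates that come back with a non-empty `cdp` (or `ocsp`) list can satisfy CryptoAPI's revocation check, and the CA's own certificate needs a CDP as well for the chain check that excludes only the root.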