Revocation Server Offline Error (0x80092013)

Here is our infrastructure:

Offline root - Server 2012 Standard
Intermediate CA that issues certificates - Server 2012 Standard
PKI server (CDP and AIA over http url) - Server 2012 Standard

Here is the URL configuration for CDP and AIA:

CDP: http://pki.domain.org/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA: http://pki.domain.org/<ServerDNSName>_<CaName><CertificateName>.crt

CRL has 180 day validity period and is generally renewed every 5 months from the offline root CA

I am trying to set up Hyper-V replication over HTTPS so I published a certificate and everything seems fine up to the point where I hit the apply button in the Hyper-V console and it comes up with the error in the following image (thumbprint removed just cuz).

Not sure if this is relevant but I am running Hyper-V Server 2012 but also recreated this issue on Server 2012 R2 Datacenter. I have run the tests described in the following paragraph on both servers and both had the same results.

I might add that if I choose a cert from a previously set up 2008 R2 Standard CA Root/issuing server (remnants from previous admin) that is used for Client and Server Authentication, I do not receive this error, although I am not familiar with how that previous setup was accomplished except that it is a standalone.

I have gone back and forth with different certutil commands (such as urlfetch, user urlfetch, and url retrieval tool) and the results are always successful and always says that leaf certificate revocation check passed. I have even run this as SYSTEM and NETWORKSERVICE accounts and always seem to have successful results. I do not want to use the workaround of bypassing the CRL check for fear that there is a greater underlying problem. I have recently created a new CRL from the offline root and copied to the CDP and AIA directory so the CRL should not be expired (nor were expiration errors reported). I will admit that I'm novice at certificate authority management so please excuse my ignorance. Please let me know if there is any more information needed or correct me if I misspoke in any part. Thank you in advance for your time!


  • Edited by Scott_42 Monday, February 17, 2014 8:51 PM
February 17th, 2014 8:45pm

Export the Hyper-V replication certificate to a file and copy it to a client from which you are trying to connect. Then run the following command against the exported certificate file:

certutil -verify -urlfetch path\certfilename.cer

and show us command results.

February 18th, 2014 6:25am

Thank you for the response! I am only allowed to export this certificate as a PFX and not a CER so I cannot run the utility against it. I can only export the leaf certificate in this format. Would you like me to do that and provide you with the output? Although the output for that is simply stating that the checks to the CRL succeed.
February 19th, 2014 1:07am

Hi,

If you see a revocation checking error message, run certutil -verify -urlfetch C:\filename.cer >urlfetch.txt. Open urlfetch.txt and find the CDP sections of the output. In this section, examine each path and figure out why this client isn't able to reach the path. A client doesn't need to be able to reach all paths, but does need to be able to reach at least one path for each CA.

Please also refer to the below links for more details:

How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in

http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

Regards,

Yan Li

February 20th, 2014 5:27am

I've already taken that step. To be sure, here are my results for the Certificate AIA and CDP with the domain and names generalized for obscurity:

----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.domain.org/Offline.domain.org_domain-CA-ROOT-CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (07)" Time: 0
    [0.0] http://pki.domain.org/domain-CA-ROOT-CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0

I have confirmed that the client can access the CRL and AIA alike through my web browser without any issues. Is it possible that this is a bug in Hyper-V 2012 (and R2) and it doesn't play nice with a CRL that's hosted on a PKI URL? Hopefully I'm missing something. Any thoughts? I also went through all of the suggestions on the link and everything looks normal. Thanks!

February 24th, 2014 7:54pm

Just out of curiosity, is it pretty common to have to disable the revocation check for Hyper-V replication? It seems like a lot of people just use the self-signed certs and then run the following registry edits to bypass the checks:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

I just want to make sure that my CA is healthy. Nothing else seems to fail and nothing else seems to have a problem at this time except for the Hyper-V Replication revocation check (what a mouthful).

This is all so whacky to me!



  • Edited by Scott_42 Monday, February 24, 2014 8:46 PM
February 24th, 2014 8:34pm

> is it pretty common to have to disable the revocation check for Hyper-V replication?

It is uncommon and very bad practice, because you violate PKI principles by disabling revocation checking.

We would like to see the full output from the certutil command.

February 25th, 2014 6:09am

Thank you so much for bearing with me!

Okay, here is the full output of the urlfetch (names, hashes, serials, etc... obscured blah blah):

Issuer:
    CN=domain-CA-ROOT-CA
  Name Hash(sha1): ############################
  Name Hash(md5): #########################
Subject:
    CN=domain-CA-SUB-CA
    DC=domain
    DC=org
  Name Hash(sha1): ##############################
  Name Hash(md5): ###########################
Cert Serial Number: ##############################

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Weeks, 47 Minutes, 5 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Weeks, 47 Minutes, 5 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=domain-CA-ROOT-CA
  NotBefore: 12/26/2012 11:19 AM
  NotAfter: 12/26/2022 11:29 AM
  Subject: CN=domain-CA-SUB-CA, DC=domain, DC=org
  Serial: ############################
  Template: SubCA
  #############################
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.domain.org/CA-Offline.domain.org_domain-CA-ROOT-CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (07)" Time: 0
    [0.0] http://pki.domain.org/domain-CA-ROOT-CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 07:
    Issuer: CN=domain-CA-ROOT-CA
    ThisUpdate: 2/17/2014 10:37 AM
    NextUpdate: 8/16/2014 10:57 PM
    ################################

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-CA-ROOT-CA
  NotBefore: 12/26/2012 10:46 AM
  NotAfter: 12/26/2032 10:56 AM
  Subject: CN=domain-CA-ROOT-CA
  Serial: ###########################
  ##############################
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  ##############################
Full chain:
  #############################
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

February 25th, 2014 5:23pm

On Tue, 25 Feb 2014 17:23:02 +0000, Scott_42 wrote:

Cert is a CA certificate

You're checking the wrong certificate, you need to be checking the
end-entity certificate that you're trying to use for H

February 25th, 2014 6:02pm

Well I'm obviously dumb. I was exporting it with the private key before which obviously keeps me from exporting it as a DER X.509 (.CER). Here is the real output below. Once again, I really appreciate your patience with me!!

So the error says that I can't access the CRL with the domain-CA-SUB-CA+.crl which is true (can't access that through the browser). However, I am able to access domain-CA-SUB-CA.crl through the browser. What would be the difference since they both have the same extension and .crl has been added as a MIME type in IIS? I did notice that it seems to be the '+' character in the name that is throwing off the URL. Any thoughts?

Issuer:
    CN=domain-CA-SUB-CA
    DC=domain
    DC=org
  Name Hash(sha1): ##############################
  Name Hash(md5): ##############################
Subject:
    CN=*.domain.org
  Name Hash(sha1): ##############################
  Name Hash(md5): ##############################
Cert Serial Number: ##############################

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 8 Days, 46 Minutes, 34 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 8 Days, 46 Minutes, 34 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=domain-CA-SUB-CA, DC=domain, DC=org
  NotBefore: 2/24/2014 12:46 PM
  NotAfter: 2/24/2016 12:56 PM
  Subject: CN=*.domain.org
  Serial: ##############################
  SubjectAltName: DNS Name=*.domain.org
  Template: Hyper-V Replica
  ##############################
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.domain.org/CA.domain.org_domain-CA-SUB-CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01b0)" Time: 0
    [0.0] http://pki.domain.org/domain-CA-SUB-CA.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
    [0.0.0] http://pki.domain.org/domain-CA-SUB-CA+.crl

  ----------------  Base CRL CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
    http://pki.domain.org/domain-CA-SUB-CA+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 01b0:
    Issuer: CN=domain-CA-SUB-CA, DC=domain, DC=org
    ThisUpdate: 2/20/2014 1:35 PM
    NextUpdate: 2/28/2014 1:55 AM
    ##############################
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=domain-CA-ROOT-CA
  NotBefore: 12/26/2012 11:19 AM
  NotAfter: 12/26/2022 11:29 AM
  Subject: CN=domain-CA-SUB-CA, DC=domain, DC=org
  Serial: ##############################
  Template: SubCA
  bc39e98cca24eaac7a96840c1a49a95acdeea7f4
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://pki.domain.org/CA-Offline.domain.org_domain-CA-ROOT-CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (07)" Time: 0
    [0.0] http://pki.domain.org/domain-CA-ROOT-CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 07:
    Issuer: CN=domain-CA-ROOT-CA
    ThisUpdate: 2/17/2014 10:37 AM
    NextUpdate: 8/16/2014 10:57 PM
    ##############################

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-CA-ROOT-CA
  NotBefore: 12/26/2012 10:46 AM
  NotAfter: 12/26/2032 10:56 AM
  Subject: CN=domain-CA-ROOT-CA
  Serial: ##############################
  ##############################
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  ##############################
Full chain:
  ##############################
  Issuer: CN=domain-CA-SUB-CA, DC=domain, DC=org
  NotBefore: 2/24/2014 12:46 PM
  NotAfter: 2/24/2016 12:56 PM
  Subject: CN=*.domain.org
  Serial: ##############################
  SubjectAltName: DNS Name=*.domain.org
  Template: Hyper-V Replica
  ##############################
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.



  • Edited by Scott_42 Tuesday, February 25, 2014 8:38 PM
February 25th, 2014 8:24pm
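The CDP template from the first post and the failing CDP section of the output above, as an added example that is not part of the original thread: it expands the template into the base and delta CRL URLs the web server has to serve, parses the certutil -verify -urlfetch output section by section, and lists the failed fetches whose file name carries the delta CRL marker '+'. Function and variable names are assumptions; the sample output is a constructed, trimmed copy of the one posted.

```python
import re

# Constructed sample input: the CDP template quoted in the thread and a trimmed
# copy of the failing CDP section of the certutil -verify -urlfetch output.
CDP_TEMPLATE = "http://pki.domain.org/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
CERTUTIL_OUTPUT = """\
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01b0)" Time: 0
    [0.0] http://pki.domain.org/domain-CA-SUB-CA.crl
  Failed "CDP" Time: 0
    Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
    [0.0.0] http://pki.domain.org/domain-CA-SUB-CA+.crl
  ----------------  Base CRL CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
    http://pki.domain.org/domain-CA-SUB-CA+.crl
"""

def expand_cdp(template, ca_name, crl_suffix=""):
    """Expand the CDP variables as the CA does at publish time: <DeltaCRLAllowed> is
    empty on the base CRL URL and '+' on the delta CRL URL. Returns (base, delta)."""
    def fill(delta):
        return (template.replace("<CaName>", ca_name)
                .replace("<CRLNameSuffix>", crl_suffix)
                .replace("<DeltaCRLAllowed>", delta))
    return fill(""), fill("+")

SECTION_RE = re.compile(r"^\s*-+\s+(.+?)\s+-+\s*$")
STATUS_RE = re.compile(r'^\s*(Verified|Failed|No URLs)\s+"')
ERROR_RE = re.compile(r"^\s*Error retrieving URL:\s*(.+)$")
URL_RE = re.compile(r"^\s*(?:\[[\d.]+\]\s*)?((?:https?|ldap|file)://\S+)")

def parse_urlfetch(text):
    """Return one record per URL in the CDP/AIA/OCSP sections of the output:
    the section it came from, the Verified/Failed status and any error text."""
    records, section, status, error = [], None, None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section, status, error = m.group(1), None, None
        elif m := STATUS_RE.match(line):
            status, error = m.group(1), None
        elif m := ERROR_RE.match(line):
            error = m.group(1)
        elif m := URL_RE.match(line):
            records.append({"section": section, "status": status,
                            "url": m.group(1), "error": error})
    return records

def unreachable_delta_crls(records):
    """Failed fetches whose file name carries the '+' delta CRL marker: the case in
    the thread, where IIS request filtering answered 404 for that URL."""
    return sorted({r["url"] for r in records if r["status"] == "Failed"
                   and "+" in r["url"].rsplit("/", 1)[-1]})
```

To check a real run, read the saved urlfetch.txt into parse_urlfetch and compare the failing URLs with the pair expand_cdp predicts for the issuing CA's name.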

Here's an update:

I added the following lines to my web.config:

    <security>
        <requestFiltering allowDoubleEscaping="true" />
    </security>

According to this site:

http://www.ifinity.com.au/Blog/EntryId/60/404-Error-in-IIS-7-when-using-a-Url-with-a-plus-sign-in-the-path

I guess since IIS 7, the '+' was no longer considered a legal character. However, they suggest that this workaround is a potential security risk. I don't know how else to work around this but I did run the certutil -verify and I no longer get the error and can access it through a browser. The CRL check passes in Hyper-V now as well. Any thoughts?

February 25th, 2014 8:46pm

> However, they suggest that this workaround is a potential security risk.

Double escaping is not a security risk and it is the only way to enable plus signs in the URL in IIS7+.

February 26th, 2014 1:35pm

Thank you so much! Also, big thanks to all for sticking with me through this and my naivety.
February 26th, 2014 2:07pm

CRL checking code in W2012 is odd. If both ldap and http paths for CRL are specified in certificate, when ldap server is unavailable (typically for server out of domain) http url is not even checked.

April 4th, 2015 7:48pm

On Sat, 4 Apr 2015 23:44:54 +0000, LeaveItAlone wrote:

CRL checking code in W2012 is odd. If both ldap and http paths for CRL are specified in certificate, when ldap server is unavailable (typically for server out of domain) http url is not even checked.

That is definitely not the

April 4th, 2015 11:48pm
