Certutil

Certutil.exe, a utility in the Windows Server 2003 Administration Pack (admin-pak.msi), allows a PKI administrator to manage a PKI from the command line. One of the abilities of certutil.exe is to verify certificate chaining and CRL retrieval. By using the command certutil -verify -urlfetch CertificateFileName, you can verify the ability to retrieve CA certificates and CRLs for the entire certificate chain of the CertificateFileName file.

For example, if you were to verify the certificate brian.cer by typing certutil -verify -urlfetch brian.cer, the output would fetch each CDP and AIA URL in the certificate and report on the status of the URL. A validated LDAP URL for a base CRL appears like this:

Verified "Base CRL (36)" Time: 0

[1.0] ldap:///CN=Fabrikam%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=fabrikam,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Likewise, a validated HTTP URL for a base CRL appears like this:

Verified "Base CRL (36)" Time: 0

[0.0] http://www.fabrikam.com/CertData/Fabrikam%20Issuing%20CA.crl

The output reports on every URL in every certificate in the certificate chain, from the examined certificate to the certificate chain's root CA. If certutil is unable to connect to one of the referenced URLs, the output indicates the following:

Failed "CDP" Time: 0

Error retrieving URL: Error 0x800701f6 (WIN32: 502) http://www.fabrikam.com/CertEnroll/Fabrikam%20Issuing%20CA.crl

If certutil encounters any errors, the final lines of the output report that revocation checking failed, as shown here:

ERROR: Verifying leaf certificate revocation status returned. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)

CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
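Checking one certificate by hand is fine, but a PKI administrator usually wants to run the same check over every certificate in a folder and see only the CDP/AIA URLs that could not be retrieved. The following PowerShell function is an added example (not from the article and not part of certutil): it wraps certutil -verify -urlfetch and turns the Verified/Failed lines of the output into objects. The function name Test-CertUrlFetch and its parameters are assumptions of the example; it relies on certutil.exe being on the PATH and on the output using the 'Verified "..."' / 'Failed "..."' line format shown above.

```powershell
# Added example, not part of the original article or of certutil itself.
# Wraps "certutil -verify -urlfetch <file>" and turns the Verified/Failed lines
# of its output into objects, so a batch of certificates can be checked and the
# CDP/AIA URLs that could not be retrieved are listed in one place.
# Assumes certutil.exe is on the PATH and that the output uses the
# 'Verified "..."' / 'Failed "..."' line format shown in the article.
function Test-CertUrlFetch {
    [CmdletBinding()]
    param(
        # Path(s) to DER or Base64 certificate files to verify.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $CertificateFile
    )
    process {
        foreach ($file in $CertificateFile) {
            if (-not (Test-Path -LiteralPath $file)) {
                Write-Warning "Certificate file not found: $file"
                continue
            }
            # certutil writes its report to stdout; merge stderr so nothing is lost
            # and force every record to a plain string for the regex scan below.
            $lines = @(& certutil.exe -verify -urlfetch $file 2>&1 | ForEach-Object { "$_" })
            $exitCode = $LASTEXITCODE

            for ($i = 0; $i -lt $lines.Count; $i++) {
                if ($lines[$i] -notmatch '^\s*(Verified|Failed)\s+"([^"]+)"') { continue }
                $status = $Matches[1]
                $item   = $Matches[2]

                # The URL (or the "Error retrieving URL: ..." line that names it)
                # follows the status line, so look at the next two lines for one.
                $url = $null
                $last = [Math]::Min($i + 2, $lines.Count - 1)
                for ($j = $i + 1; $j -le $last; $j++) {
                    if ($lines[$j] -match '((?:ldap|https?):\S+)') {
                        $url = $Matches[1]
                        break
                    }
                }

                [pscustomobject]@{
                    File     = $file
                    Status   = $status
                    Item     = $item
                    Url      = $url
                    ExitCode = $exitCode
                }
            }

            # The final "ERROR:" / "CertUtil:" lines carry the overall verdict;
            # surface them as a warning so a failed chain is not missed in a long report.
            $verdict = $lines | Where-Object { $_ -match '^\s*(ERROR:|CertUtil:)' }
            if ($exitCode -ne 0 -or ($verdict -match 'ERROR:')) {
                Write-Warning ("{0}: certutil exit code {1}`n{2}" -f $file, $exitCode, ($verdict -join "`n"))
            }
        }
    }
}

# Usage: check every certificate in the current folder and list only the URLs
# that could not be retrieved.
# Get-ChildItem -Filter *.cer | ForEach-Object FullName | Test-CertUrlFetch |
#     Where-Object Status -eq 'Failed' | Format-Table File, Item, Url -AutoSize
```

Because the function emits one object per URL, the same run can be filtered for failures, grouped by URL to spot a single dead CDP that breaks many certificates, or exported with Export-Csv for a scheduled health check of the published CDP and AIA locations.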
