Posted by Vsevolod on September 5, 2005, 11:55 pm
Hello,
I was advised to discuss my problem here by Bernard Cheah. As I
understand it, IIS 5 and IIS 6 build the certificate chain differently if
it has intermediate CAs. IIS 6 requires all intermediate CA certificates
to be installed on the server side; if they aren't there, we get this
error on the client side:
HTTP Error 403.16 - Forbidden: Client certificate is ill-formed or is not
trusted by the Web server
I have several questions about IIS 6 behavior.
1. Could I change the behavior, and at which level?
2. If not, then how long will it take to build the certificate chain when
the client's certificate has more than 5 intermediate CAs and there are
several thousand intermediate certificates on the web server side.
Thanks.
BR,
Vsevolod.
Posted by Paul Adare on September 6, 2005, 5:53 am
In the microsoft.public.windows.server.security news group, Vsevolod wrote:
> Hello,
> I was advised to discuss my problem here by Bernard Cheah. As I
> understand it, IIS 5 and IIS 6 build the certificate chain differently if
> it has intermediate CAs. IIS 6 requires all intermediate CA certificates
> to be installed on the server side; if they aren't there, we get this
> error on the client side:
Your understanding is wrong. You do not need all the intermediate CA
certificates to be installed, you only need the root certificates
installed in the local computer's Trusted Certification Authorities
store. See KB332077.
>
> HTTP Error 403.16 - Forbidden: Client certificate is ill-formed or is not
> trusted by the Web server
>
> I have several questions about IIS 6 behavior.
> 1. Could I change the behavior, and at which level?
You cannot, but see above regarding your misunderstanding of the
problem.
> 2. If not, then how long will it take to build the certificate chain when
> the client's certificate has more than 5 intermediate CAs
As above, though why in the world someone would build a CA hierarchy
that deep is beyond me.
> and there are several thousand
> intermediate certificates on the web server side.
I don't understand what you mean here, in any case, as above, you don't
need to install the intermediate certs, only the root certs.
--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
Posted by Vsevolod on September 6, 2005, 5:08 am
Hello,
First of all, I'm sorry for my English. I'll try to explain my trouble
again.
"Paul Adare" wrote:
> Your understanding is wrong. You do not need all the intermediate CA
> certificates to be installed, you only need the root certificates
> installed in the local computer's Trusted Certification Authorities
> store. See KB332077.
I've read KB332077. I would be glad if it were as written in this
article and I didn't have my problem. Maybe my understanding is wrong. But
without the intermediate CAs' certificates on IIS 6 I get "The page requires
a valid SSL client certificate". After adding them everything is OK. IIS 5
works fine without them. In IIS 5 I have only the root CA certificate
indeed. Where am I wrong?
Thanks.
BR,
Vsevolod.
Posted by Brian Komar [MVP] on September 6, 2005, 9:47 pm
Vsevolod@discussions.microsoft.com says...
> Hello,
>
> First of all, I'm sorry for my English. I'll try to explain my trouble
> again.
>
>
> "Paul Adare" wrote:
>
> > Your understanding is wrong. You do not need all the intermediate CA
> > certificates to be installed, you only need the root certificates
> > installed in the local computer's Trusted Certification Authorities
> > store. See KB332077.
>
> I've read KB332077. I would be glad if it were as written in this
> article and I didn't have my problem. Maybe my understanding is wrong. But
> without the intermediate CAs' certificates on IIS 6 I get "The page requires
> a valid SSL client certificate". After adding them everything is OK. IIS 5
> works fine without them. In IIS 5 I have only the root CA certificate
> indeed. Where am I wrong?
<snip>
As Paul stated, the only certificate that *must* be installed at the
client is the root CA certificate, but this assumes that you have
correctly configured the AIA and CDP extensions for *all* CAs in the
certificate path.
It sounds like you have issues building the chain (which installing the
certs manually would fix, but is not recommended).
Run certutil -verify -urlfetch <certfile.cer>, where certfile.cer is the
SSL certificate that you are evaluating. Run this on a Win2k3 or WinXP
client (with the adminpak installed).
The output will show you the errors.
Brian
Posted by Vsevolod on September 7, 2005, 6:22 am
Hello,
"Brian Komar [MVP]" wrote:
> As Paul stated, the only certificate that *must* be installed at the
> client is the root CA certificate, but this assumes that you have
> correctly configured the AIA and CDP extensions for *all* CAs in the
> certificate path.
>
My certificate has no AIA and CDP extensions.
> It sounds like you have issues building the chain (which installing the
> certs manually would fix, but is not recommended).
>
> Run certutil -verify -urlfetch <certfile.cer>, where certfile.cer is the
> SSL certificate that you are evaluating. Run this on a Win2k3 or WinXP
> client (with the adminpak installed).
>
> The output will show you the errors.
>
I have launched certutil and received the result.
Issuer:
O=Kiev branch ( RBU )
Subject:
CN=Vsevolod Cherevatenko
OU=ELBA support sector
O=Kiev branch
E=vsevolod.cherevatenko@RBU-Kiev.Raiffeisen.at
Cert Serial Number: e49da04ee19b988342a0
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000040
Issuer: O=Kiev branch ( RBU )
Subject: CN=Vsevolod Cherevatenko, OU=ELBA support sector, O=Kiev branch,
E=vsevolod.cherevatenko@RBU-Kiev.Raiffeisen.at
Serial: e49da04ee19b988342a0
f9 9b 87 65 d6 a0 34 41 21 ec 71 ed a0 fd 30 95 d2 92 c6 0d
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
f9 9b 87 65 d6 a0 34 41 21 ec 71 ed a0 fd 30 95 d2 92 c6 0d
Missing Issuer: O=Kiev branch ( RBU )
Issuer: O=Kiev branch ( RBU )
Subject: CN=Vsevolod Cherevatenko, OU=ELBA support sector, O=Kiev branch,
E=vsevolod.cherevatenko@RBU-Kiev.Raiffeisen.at
Serial: e49da04ee19b988342a0
f9 9b 87 65 d6 a0 34 41 21 ec 71 ed a0 fd 30 95 d2 92 c6 0d
A certificate chain could not be built to a trusted root authority.
0x800b010a (-2146762486)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
O=Kiev branch ( RBU )
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
After that I decided to run a test with a Microsoft CA. I installed a TEST
CA and a subordinate Branch CA. Then I issued a certificate for the web
server from the TEST CA and the client's one from the Branch CA. This one
has AIA and CDP extensions.
BUT!!! Without the Branch CA certificate placed in Intermediate
Certification Authorities\Certificates in the Local Computer store on the
web server side, when I open the web site that requires client certificates
I receive the same error 403.16.
Interestingly, certutil shows no errors.
Issuer:
CN=Branch CA
Subject:
CN=321
Cert Serial Number: 61162f71000000000003
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 5 Hours, 23 Minutes, 23 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 5 Hours, 23 Minutes, 23 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Branch CA
Subject: CN=321
Serial: 61162f71000000000003
69 cf cd 05 af e9 c5 4d b3 6c 9f f3 dd 7a c8 32 9c d2 a3 b0
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://web/CertEnroll/web_Branch%20CA.crt
Verified "Certificate (0)" Time: 0
[1.0] file://\web\CertEnroll\web_Branch CA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (6)" Time: 0
[0.0] http://web/CertEnroll/Branch%20CA.crl
Verified "Delta CRL (6)" Time: 0
[0.0.0] http://web/CertEnroll/Branch%20CA+.crl
Verified "Delta CRL (6)" Time: 0
[0.0.1] file://\web\CertEnroll\Branch CA+.crl
Verified "Base CRL (6)" Time: 0
[1.0] file://\web\CertEnroll\Branch CA.crl
Verified "Delta CRL (6)" Time: 0
[1.0.0] http://web/CertEnroll/Branch%20CA+.crl
Verified "Delta CRL (6)" Time: 0
[1.0.1] file://\web\CertEnroll\Branch CA+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (6)" Time: 0
[0.0] http://web/CertEnroll/Branch%20CA+.crl
OK "Delta CRL (6)" Time: 0
[1.0] file://\web\CertEnroll\Branch CA+.crl
--------------------------------
CRL 6:
Issuer: CN=Branch CA
7f 52 f9 ad bf 83 a3 84 b4 49 ac ce a5 47 ee 12 20 a5 03 c8
Delta CRL 6:
Issuer: CN=Branch CA
fa 63 24 78 73 94 f8 4d e5 f4 bd d6 b4 f6 7b 9d 81 9e 50 4d
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=TEST CA
Subject: CN=Branch CA
Serial: 6105062200000000000d
Template: SubCA
74 a7 70 ee 61 e8 cd c5 aa 93 17 77 4d 7d 6c ac 92 c9 a3 32
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://fw/CertEnroll/fw_TEST%20CA.crt
Verified "Certificate (0)" Time: 0
[1.0] file://\fw\CertEnroll\fw_TEST CA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (4)" Time: 0
[0.0] http://fw/CertEnroll/TEST%20CA.crl
Verified "Base CRL (4)" Time: 0
[1.0] file://\fw\CertEnroll\TEST CA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 4:
Issuer: CN=TEST CA
f0 11 33 d0 2c 1d ce 14 ff 94 45 d3 54 2b a4 60 eb 2f 9e 68
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=TEST CA
Subject: CN=TEST CA
Serial: 76f1fd857d7d409a46d19afcac7ec11f
83 42 1a e7 f6 c7 34 6f e4 79 b4 8c 40 c2 9f 6d 75 aa 03 01
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL (4)" Time: 0
[0.0] http://fw/CertEnroll/TEST%20CA.crl
Verified "Base CRL (4)" Time: 0
[1.0] file://\fw\CertEnroll\TEST CA.crl
--------------------------------
Exclude leaf cert:
e8 f1 f6 27 33 5c f3 01 c2 4f 60 a0 df 9b 27 1f 9e 5e 2e 86
Full chain:
8d 7b dc 13 75 1b 9f cd 58 64 51 54 cb 17 4a ef 59 c0 40 2e
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
I'm sorry, but my question is still open. Why do I have no problems with
it on IIS 5, and could you explain where I am wrong?
Thanks.
Vsevolod.
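Editor's added example, not code from anyone in this thread: Brian's certutil -verify -urlfetch check produces a long dump per certificate, and Vsevolod mentions thousands of intermediates, so here is a small Python triage script that parses that dump and turns the chain status into the fix to apply. The CERT_TRUST_* flag names, the CertContext[0][n] element headers and the "Certificate AIA" / "Certificate CDP" section headers are certutil's own; the two embedded runs are abridged, constructed copies of the failing and passing dumps quoted above. The background it assumes is that the server-side chain engine, given only the leaf, has to find the issuer either in its own Intermediate/Root stores or by fetching the leaf's AIA URL, so a leaf with no AIA extension whose issuer is in no local store ends in CERT_TRUST_IS_PARTIAL_CHAIN, which is exactly the first dump.

```python
"""Triage certutil -verify -urlfetch output. Constructed example written for
this thread, not code from any poster; sample runs are abridged from the two
dumps quoted above and CERT_TRUST_* names are certutil's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, abridged from the failing run: leaf with no AIA or CDP.
FAILING_RUN = """\
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000040
Issuer: O=Kiev branch ( RBU )
Subject: CN=Vsevolod Cherevatenko, OU=ELBA support sector, O=Kiev branch
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
--------------------------------
Missing Issuer: O=Kiev branch ( RBU )
0x800b010a (-2146762486)
"""

# Constructed sample, abridged from the passing run against the lab CAs.
PASSING_RUN = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Branch CA
Subject: CN=321
---------------- Certificate AIA ----------------
[0.0] http://web/CertEnroll/web_Branch%20CA.crt
---------------- Certificate CDP ----------------
[0.0] http://web/CertEnroll/Branch%20CA.crl
--------------------------------
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
--------------------------------
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=TEST CA
Subject: CN=TEST CA
--------------------------------
"""

ELEMENT_RE = re.compile(r"^CertContext\[0\]\[(\d+)\]:.*$", re.M)
ERROR_RE = re.compile(r"^ChainContext\.dwErrorStatus = (CERT_TRUST_\w+) \((0x[0-9a-f]+)\)$", re.M)
URL_RE = re.compile(r"^\[[\d.]+\] (.+)$", re.M)

@dataclass
class ChainReport:
    subject: str
    issuer: str
    depth: int                     # chain elements certutil managed to build
    errors: Dict[str, int]         # ChainContext error flag name -> bit value
    missing_issuer: Optional[str]
    leaf_aia_urls: List[str]
    leaf_cdp_urls: List[str]
    hresult: Optional[str]         # policy result, e.g. 0x800b010a = CERT_E_CHAINING

def _grab(pattern: str, text: str, flags: int = re.M) -> Optional[str]:
    """First capture group of pattern in text, stripped, or None."""
    m = re.search(pattern, text, flags)
    return m.group(1).strip() if m else None

def _urls(block: str, section: str) -> List[str]:
    """URLs listed under one '---- section ----' heading of a chain element."""
    body = _grab(rf"^-+ {re.escape(section)} -+$\n(.*?)(?=^-+)", block, re.M | re.S) or ""
    return [u.strip() for u in URL_RE.findall(body)]

def parse_certutil_verify(text: str) -> ChainReport:
    """Pull chain depth, error flags and leaf AIA/CDP URLs out of certutil's dump."""
    blocks = ELEMENT_RE.split(text)[2::2]      # element bodies, leaf first
    leaf = blocks[0] if blocks else ""
    return ChainReport(
        subject=_grab(r"^Subject: (.+)$", leaf) or "?",
        issuer=_grab(r"^Issuer: (.+)$", leaf) or "?",
        depth=len(blocks),
        errors={name: int(bits, 16) for name, bits in ERROR_RE.findall(text)},
        missing_issuer=_grab(r"^Missing Issuer: (.+)$", text),
        leaf_aia_urls=_urls(leaf, "Certificate AIA"),
        leaf_cdp_urls=_urls(leaf, "Certificate CDP"),
        hresult=_grab(r"^(0x800b[0-9a-f]{4}) \(-?\d+\)$", text),
    )

def diagnose(r: ChainReport) -> List[str]:
    """Map the flags to the fix a server admin would apply."""
    out = []
    if "CERT_TRUST_IS_PARTIAL_CHAIN" in r.errors:
        out.append(f"partial chain ({r.depth} element(s)), issuer not found: "
                   f"{r.missing_issuer or r.issuer}; install that CA certificate in the web "
                   "server's machine Intermediate CA store (Root store if it is the root)")
    if r.depth and not r.leaf_aia_urls:
        out.append("leaf has no AIA URLs, so the issuer cannot be fetched on demand and "
                   "must already be in a local store or be sent by the client")
    if "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" in r.errors:
        out.append("revocation status unknown" + ("; leaf has no CDP URLs" if not r.leaf_cdp_urls else ""))
    if r.hresult:
        out.append(f"chain policy result {r.hresult}")
    return out or [f"{r.depth}-element chain verified to a self-signed root, no errors"]
```

Usage: run certutil -verify -urlfetch on the web server itself (the dump's HCCE_LOCAL_MACHINE line shows which machine context it evaluated), save the output, and pass it to parse_certutil_verify followed by diagnose. A partial chain together with an empty leaf_aia_urls list means the missing CA certificate has to be placed in that server's own store, which is the condition Vsevolod hit with the bank-issued certificate; a clean three-element chain on a test box says nothing about what the IIS machine's stores hold, so the check belongs on the server returning the 403.16.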