Certificate generated by TinyCA is rejected by Exchange 2013

I created a CA with TinyCA2 and issued a certificate for my Exchange 2013 server from it. The certificate installs fine on Exchange, but Exchange always reports "revocation check failed". (I have tried 10 different certificates.)

My CRL is reachable on the LAN, and the file can be retrieved from a web browser on the Exchange server. The CA certificate set up in TinyCA2 lists "http://myserver.com/crl.pem" as the CRL.

The Exchange shell shows:

  Get-ExchangeCertificate | fl

  AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
  CertificateDomains : {newmail.myco.com}
  HasPrivateKey      : True
  IsSelfSigned       : False
  Issuer             : CN=MyCo, C=CA
  NotAfter           : 2/26/2026 9:21:09 PM
  NotBefore          : 2/29/2016 9:21:09 PM
  PublicKeySize      : 2048
  RootCAType         : GroupPolicy
  SerialNumber       : 03
  Services           : IMAP, POP
  Status             : RevocationCheckFailure
  Subject            : C=CA, S=Michigan, L=Detroit, O=MYCO, OU=IT3, CN=newmail.myco.com
  Thumbprint         : 3EF2C92F4D3747B9

and certutil shows:

  Serial: 04
  SubjectAltName: No alternative name
  06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
  The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
  ------------------------------------
  Revocation check skipped -- no revocation information available
  Cert is an End Entity certificate
  Cannot check leaf certificate revocation status
  CertUtil: -verify command completed successfully.

Is there anything else I need to do for Exchange to accept the certificate? Why is the CRL not being accepted?

We used to have a Windows CA, but we have shut it down and are trying to switch to Linux. Is there something I have to tell the DC about the Windows CA no longer being active? (Is Exchange checking the old Windows CA's CRL?)


Update: results of "certutil -urlfetch -verify" on the leaf certificate:

  Issuer:
      CN=My Company
      C=CA
    Name Hash(sha1): b6b02cfd24a47572f68a85a398322f978989d9ef
    Name Hash(md5): 5333e962243f00751ee6fcf5b62973b9
  Subject:
      C=CA
      S=State
      L=City
      O=mydomain
      OU=IT4
      CN=newmail.mydomain.com
    Name Hash(sha1): 1a7840c8a10059e8e2b87e32f32426dd6ad3d60a
    Name Hash(md5): 1b0581a411b0c14d057203950e3aca98
  Cert Serial Number: 04

  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_BASE
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

  CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
    Issuer: CN=My Company, C=CA
    NotBefore: 2/29/2016 9:45 PM
    NotAfter: 2/26/2026 9:45 PM
    Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
    Serial: 04
    SubjectAltName: No alternative name
    06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
    Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ----------------  Certificate AIA  ----------------
    No URLs "None" Time: 0
    ----------------  Certificate CDP  ----------------
    No URLs "None" Time: 0
    ----------------  Certificate OCSP  ----------------
    No URLs "None" Time: 0
    --------------------------------

  CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
    Issuer: CN=My Company, C=CA
    NotBefore: 2/29/2016 8:17 PM
    NotAfter: 2/26/2026 8:17 PM
    Subject: CN=My Company, C=CA
    Serial: 86278a3832426d41
    SubjectAltName: No alternative name
    353c6f365f9d7b2e623b7c228e937adac5ee3a2b
    Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ----------------  Certificate AIA  ----------------
    No URLs "None" Time: 0
    ----------------  Certificate CDP  ----------------
    No URLs "None" Time: 0
    ----------------  Certificate OCSP  ----------------
    No URLs "None" Time: 0
    --------------------------------

  Exclude leaf cert: 06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
  Full chain: b8408cac425b1604c28a619181394d7f057607e0
  Issuer: CN=My Company, C=CA
  NotBefore: 2/29/2016 9:45 PM
  NotAfter: 2/26/2026 9:45 PM
  Subject: C=CA, S=State, L=City, O=mydomain, OU=IT4, CN=newmail.mydomain.com
  Serial: 04
  SubjectAltName: No alternative name
  06a85bf14f2747b8cd2c2c4be5bb5ae945f94ed9
  The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
  ------------------------------------
  Revocation check skipped -- no revocation information available
  Cert is an End Entity certificate
  Cannot check leaf certificate revocation status
  CertUtil: -verify command completed successfully.

I don't know why you think this is somehow a Windows problem. It looks like you have a valid certificate with no revocation information. Verify that your CRL is online and that the CRL is in the certificate.

For others having this problem: TinyCA creates certificates without a CRL. While most Linux hosts are fine with that, Exchange (and perhaps all modern Windows hosts) requires a CRL. So the solution is to stop using TinyCA. Instead, try XCA (which I have confirmed works).
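The certutil dump above pins the failure down to one extension: under "Certificate CDP" the leaf has "No URLs", so the Windows chain engine has nowhere to fetch a CRL from and returns CRYPT_E_NO_REVOCATION_CHECK. Setting a CRL URL on the CA in TinyCA2 does not put it into the leaf certificates; the leaf itself has to carry a CRL Distribution Points extension. The script below is an added example, not code from the thread or from TinyCA/XCA: it uses openssl to reproduce a "no CDP" leaf like the one in the dump, then issues one with the extension (and a SAN, which certutil also reported missing) and checks both. The CA name, hostname, CRL URL and file layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the "no CDP" leaf
# certificate with openssl, then issue one that carries a CRL Distribution
# Points extension so a Windows chain engine has somewhere to fetch the CRL.
# All names, the CRL URL and the file layout are assumptions for illustration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Private CA. Windows verifies with CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
# so the self-signed root itself does not need a CDP.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout ca.key -out ca.crt -subj "/C=CA/CN=My Company" 2>/dev/null

# One key pair and CSR for the Exchange server.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout leaf.key -out leaf.csr \
  -subj "/C=CA/O=mydomain/CN=newmail.mydomain.com" 2>/dev/null

# "Before": a server-certificate profile without crlDistributionPoints, which
# is what the thread's certutil dump shows (Certificate CDP: No URLs).
cat > nocdp.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# "After": the same profile plus a CDP URL and a SAN (certutil also reported
# "SubjectAltName: No alternative name"). The URL is an assumption.
cat > cdp.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:newmail.mydomain.com
crlDistributionPoints = URI:http://myserver.com/crl.pem
EOF

issue() {  # issue <extfile> <outfile>: sign leaf.csr with the CA and the given extensions
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -sha256 -extfile "$1" -out "$2" 2>/dev/null
}
issue nocdp.ext leaf-nocdp.crt
issue cdp.ext   leaf-cdp.crt

# Print the CDP URI(s) of a PEM certificate; prints nothing when the extension
# is absent. Only the lines following the CDP header are searched, so an AIA
# URI would not be mistaken for a CDP.
cdp_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A 4 'X509v3 CRL Distribution Points' \
    | grep -o 'URI:[^[:space:]]*' || true
}

# Exit status 0 when the certificate carries at least one CDP URI.
has_cdp() {
  [ -n "$(cdp_of "$1")" ]
}

for f in leaf-nocdp.crt leaf-cdp.crt; do
  if has_cdp "$f"; then
    echo "$f: CDP present -> $(cdp_of "$f")"
  else
    echo "$f: no CRL Distribution Points extension (Windows reports CRYPT_E_NO_REVOCATION_CHECK)"
  fi
done
```

Run it with `sh`; it works in a temporary directory and needs only the openssl command-line tool. Once the leaf has a CDP, `certutil -urlfetch -verify leaf-cdp.crt` on the Exchange server lists the URL under "Certificate CDP" and actually fetches it, so the CRL at that URL must also be reachable from the server and not expired; otherwise the status changes from "no revocation information" to a fetch failure rather than to success.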