Tag: cryptography

Validate the user certificate by copying the certificate from the CA server to the VDA where the application are published. If the CRL check fails because if you are not able to access the CRL path from the VDA, all the certificate in the certificate chain should be validated.

To verify the the certificate validation, run the below command on the VDA from an elevated command prompt.

Certutil -urlfetch -verify “name of the user certificate” > Certname.txt

The output will look like something below.

—————- Certificate AIA —————-

Wrong Issuer “Certificate (0)” Time: 0

[0.0] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Verified “Certificate (1)” Time: 0

[0.1] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Failed “AIA” Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/Root.lab.com_lab-ROOT-CA.crt

—————- Certificate CDP —————-

Expired “Base CRL (01)” Time: 0

[0.0] ldap:///CN=ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Failed “CDP” Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/lab-ROOT-CA.crl

• As you see in the above sample output, all of the CDP paths of the certificate have an issue and for AIA only the LDAP path is verified.
• Even if one of the paths ( File, LDAP or http) for CDP and AIA is verified you can ignore the rest of the failures.
• If you are seeing errors and failures with the all the paths, we need to fix the issue with the CDP and AIA paths of the CA.
• Once all the above issue with the certificate is fixed, make sure the from the VDA server you are able to access the LDAP and Http path for CDP and AIA.
• If the CDP and AIA paths are not accessible from the VDA server, the FAS authentication will fail.

Validate the user certificate by copying the certificate from the CA server to the VDA where the application are published. If the CRL check fails because if you are not able to access the CRL path from the VDA, all the certificate in the certificate chain should be validated.

To verify the the certificate validation, run the below command on the VDA from an elevated command prompt.

Certutil -urlfetch -verify “name of the user certificate” > Certname.txt

The output will look like something below.

—————- Certificate AIA —————-

Wrong Issuer “Certificate (0)” Time: 0

[0.0] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Verified “Certificate (1)” Time: 0

[0.1] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Failed “AIA” Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/Root.lab.com_lab-ROOT-CA.crt

—————- Certificate CDP —————-

Expired “Base CRL (01)” Time: 0

[0.0] ldap:///CN=ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Failed “CDP” Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/lab-ROOT-CA.crl

• As you see in the above sample output, all of the CDP paths of the certificate have an issue and for AIA only the LDAP path is verified.
• Even if one of the paths ( File, LDAP or http) for CDP and AIA is verified you can ignore the rest of the failures.
• If you are seeing errors and failures with the all the paths, we need to fix the issue with the CDP and AIA paths of the CA.
• Once all the above issue with the certificate is fixed, make sure the from the VDA server you are able to access the LDAP and Http path for CDP and AIA.
• If the CDP and AIA paths are not accessible from the VDA server, the FAS authentication will fail.