Adding keys to EFS files - "The revocation function unable to check revocation"

I am having an issue on some, not all, computers while attempting to add user keys to encrypted files using the GUI tools (File Properties-->Advanced-->Details). Encrypting the file itself works fine. When I attempt to add users to an encrypted file, I am getting the error:
"The revocation function was unable to check revocation because the revocation server was offline."
However, I am not having any issues from those same computers when I add users to the encryption using the command line tool cipher.exe (/ADDUSER /USER options).
The issue is not occurring with a particular Windows version. The working and non-working users/computers are on the same network, with no restrictions to the revocation locations (LDAP and HTTP). From one of the non-functioning computers, I verified that I can access the CRL using the HTTP CDP. I do not know a way to test/verify access to the LDAP CDP. I understand that the action of adding users to an encrypted document performs a CRL check. I am at a loss as to why it is failing when I attempt to do this through the GUI from only certain computers. This has just started to happen. Any ideas are appreciated. If anyone even knows exactly how the encryption process checks CRL or if there is a log I can look at, that would be of great help.

The certutil command has been helpful, but I have no idea what the problem is. So I run certutil against a user certificate that I want to add to an encrypted file and here is what I get. It is showing that the AIA revocation check failed. I have no idea why that would be. I ran a packet capture as I ran this command and can see that it appears to connect to the web server hosting the CRL of the AIA. To give you some background, I have an offline root certificate authority, with its certificate and CRL published on our corporate internet website. Then I have an internal online Enterprise subordinate CA, signed by the root CA, that is issuing our user certificates. The subordinate's AIA and CDP for its root CA are on that corporate internet web site. The CDP and AIA for the user certificates are stored on the internal subordinate CA web server as well as Active Directory. Checks on those CRL locations look to be completely fine. It appears to be failing on just the subordinate CA's CDP and AIA. However, near the bottom of the certutil output, you can see it does a check on those CDP and AIA locations, and it appears to succeed just fine. Again, the packet capture I ran looks to indicate everything is fine as well. I can see HTTP 200 responses with what appears to include the CRL contents.
I attempted to strip all identifying information out of this, so excuse me if something looks odd.
C:\>certutil -verify -urlfetch jdoe.cer
Issuer:
CN=My Company Subordinate CA
DC=company
DC=com
Subject:
CN=Doe, John
OU=Users
DC=company
DC=com
Cert Serial Number: 674dfc4d000100000494
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 79 Days, 24 Minutes, 47 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 79 Days, 24 Minutes, 47 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=My Company Subordinate CA, DC=company, DC=com
NotBefore: 3/12/2014 1:48 PM
NotAfter: 1/4/2016 3:25 PM
Subject: CN="Doe, John", OU=Users, DC=company, DC=com
Serial: 674dfc4d000100000494
SubjectAltName: Other Name:Principal [email protected]
Template: EFS v2
3a ed ec e1 6f bc 25 8c 94 6c de 17 ef e3 1b 5b a3 c3 55 81
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Revocation Check Failed "Certificate (0)" Time: 0
[0.0] ldap:///CN=My%20Company%20Subordinate%20CA,CN=AIA,CN=Public%20Key%20Services,CN
=Services,CN=Configuration,DC=company,DC=com?cACertificate?base?objectClass=certificationAuthority
Wrong Issuer "Certificate (1)" Time: 0
[0.1] ldap:///CN=My%20Company%20Subordinate%20CA,CN=AIA,CN=Public%20Key%20Services,CN
=Services,CN=Configuration,DC=company,DC=com?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (0)" Time: 0
[1.0] http://CAServer/CertEnroll/CAServer.company.com_My%20Company%20Subordinate%20CA(1).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (0ad9)" Time: 0
[0.0] http://CAServer/CertEnroll/CAServer.company.com_My%20Company%20Subordinate%20CA(1).crl
Verified "Delta CRL (0ad9)" Time: 0
[0.0.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20K
ey%20Services,CN=Services,CN=Configuration,DC=company,DC=com?deltaRevocationList?base?objectClass=cRLDistr
ibutionPoint
Verified "Delta CRL (0ad9)" Time: 0
[0.0.1] http://CAServer/CertEnroll/My%20Company%20Subordinate%20CA(1)+.crl
Verified "Base CRL (0ad9)" Time: 0
[1.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20Key
%20Services,CN=Services,CN=Configuration,DC=company,DC=com?certificateRevocationList?base?objectClass=cRLD
istributionPoint
Verified "Delta CRL (0ad9)" Time: 0
[1.0.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20K
ey%20Services,CN=Services,CN=Configuration,DC=company,DC=com?deltaRevocationList?base?objectClass=cRLDistr
ibutionPoint
Verified "Delta CRL (0ad9)" Time: 0
[1.0.1] http://CAServer/CertEnroll/My%20Company%20Subordinate%20CA(1)+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (0add)" Time: 0
[0.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20Key
%20Services,CN=Services,CN=Configuration,DC=company,DC=com?deltaRevocationList?base?objectClass=cRLDistrib
utionPoint
OK "Delta CRL (0add)" Time: 0
[1.0] http://CAServer/CertEnroll/My%20Company%20Subordinate%20CA(1)+.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 0ad9:
Issuer: CN=My Company Subordinate CA, DC=company, DC=com
99 d2 59 16 2c 8c 60 92 8d b6 56 41 a0 59 2c 12 1d 3f 31 07
Delta CRL 0add:
Issuer: CN=My Company Subordinate CA, DC=company, DC=com
95 47 eb 15 2b 38 9b 22 ad 4c 8b a2 41 82 df 64 65 dc a0 de
Application[0] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=My Company Root CA, DC=?????, DC=com
NotBefore: 1/4/2011 3:15 PM
NotAfter: 1/4/2016 3:25 PM
Subject: CN=My Company Subordinate CA, DC=company, DC=com
Serial: 46a8dd8f000000000003
Template: SubCA
3a 1f 61 ba 6d c7 6e cd d3 1e c0 46 8e 88 77 32 b7 68 13 34
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://www.?????.com/cert/root.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (0104)" Time: 0
[0.0] http://www.?????.com/cert/root.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 0104:
Issuer: CN=My Company Root CA, DC=?????, DC=com
cf 4f 8c 73 00 ac 79 92 e6 35 40 c3 bb 0a be 85 18 e8 95 6e
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=My Company Root CA, DC=?????, DC=com
NotBefore: 1/18/2007 1:48 PM
NotAfter: 1/18/2022 1:49 PM
Subject: CN=My Company Root CA, DC=?????, DC=com
Serial: 10e926b3155629934dd5de4dba49eb85
86 d1 d6 6f 46 41 1a 72 3e ac 23 24 7c e8 77 77 f8 89 6b 96
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
Exclude leaf cert:
35 8d 46 36 ad 74 0a f0 28 6e 20 cf 15 8d 49 6c ed a3 31 8f
Full chain:
9b 5d 1d d2 43 a5 e0 97 2a c4 60 be 39 3c 5c 44 c1 d0 fd fb
Issuer: CN=My Company Subordinate CA, DC=company, DC=com
NotBefore: 3/12/2014 1:48 PM
NotAfter: 1/4/2016 3:25 PM
Subject: CN="Doe, John", OU=Users, DC=company, DC=com
Serial: 674dfc4d000100000494
SubjectAltName: Other Name:Principal [email protected]
Template: EFS v2
3a ed ec e1 6f bc 25 8c 94 6c de 17 ef e3 1b 5b a3 c3 55 81
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (
-2146885613)
Revocation check skipped -- server offline
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
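
The following is an added example, not part of the original post: a Python parser for `certutil -verify -urlfetch` output that reports, per chain element, the decoded `dwErrorStatus` bits and every AIA/CDP/OCSP fetch whose status is not Verified or OK. The sample text is a constructed excerpt abridged from the output above (wrapped URLs joined onto one line), and the function names are hypothetical.

```python
import re

# Subset of the CERT_TRUST_* error bits from wincrypt.h. 0x40 and 0x1000000
# are the two bits present in the output above.
ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
GOOD_STATUSES = {"Verified", "OK", "No URLs"}  # statuses needing no follow-up

CONTEXT_RE = re.compile(
    r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=[0-9a-fA-F]+ dwErrorStatus=([0-9a-fA-F]+)")
SECTION_RE = re.compile(r"^-{4,}\s*(.+?)\s*-{4,}$")
STATUS_RE = re.compile(r'^(.+?) "(.+?)" Time: \d+')
URL_RE = re.compile(r"^\[[\d.]+\]\s+(\S+)")


def decode_error_status(value):
    """Turn a dwErrorStatus bitmask into flag names; unmapped bits are kept."""
    names = [name for bit, name in sorted(ERROR_FLAGS.items()) if value & bit]
    unknown = value & ~sum(ERROR_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_BITS_0x{unknown:x}")
    return names


def parse_chain(text):
    """Return one dict per CertContext[x][y] element with its URL fetch results."""
    elements, current, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "subject": None,
                       "errors": decode_error_status(int(m.group(2), 16)),
                       "fetches": []}
            elements.append(current)
            section = pending = None
        elif current is None:
            continue  # header lines before the first chain element
        elif line.startswith("Subject:") and current["subject"] is None:
            current["subject"] = line.split(":", 1)[1].strip()
        elif SECTION_RE.match(line):
            section, pending = SECTION_RE.match(line).group(1), None
        elif section and STATUS_RE.match(line):
            m = STATUS_RE.match(line)
            pending = {"section": section, "status": m.group(1),
                       "object": m.group(2), "url": None}
            current["fetches"].append(pending)
        elif pending is not None and pending["url"] is None and URL_RE.match(line):
            pending["url"] = URL_RE.match(line).group(1)
    return elements


def revocation_findings(elements):
    """Keep only elements that carry an error bit or a non-good fetch status."""
    findings = []
    for el in elements:
        bad = [(f["section"], f["status"], f["url"])
               for f in el["fetches"] if f["status"] not in GOOD_STATUSES]
        if el["errors"] or bad:
            findings.append({"index": el["index"], "subject": el["subject"],
                             "errors": el["errors"], "bad_fetches": bad})
    return findings


# Constructed sample, abridged from the certutil output in the post above.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=My Company Subordinate CA, DC=company, DC=com
Subject: CN="Doe, John", OU=Users, DC=company, DC=com
---------------- Certificate AIA ----------------
Revocation Check Failed "Certificate (0)" Time: 0
[1.0] http://CAServer/CertEnroll/CAServer.company.com_My%20Company%20Subordinate%20CA(1).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (0ad9)" Time: 0
[0.0] http://CAServer/CertEnroll/CAServer.company.com_My%20Company%20Subordinate%20CA(1).crl
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=My Company Root CA, DC=?????, DC=com
Subject: CN=My Company Subordinate CA, DC=company, DC=com
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://www.?????.com/cert/root.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (0104)" Time: 0
[0.0] http://www.?????.com/cert/root.crl
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Subject: CN=My Company Root CA, DC=?????, DC=com
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
"""

if __name__ == "__main__":
    for f in revocation_findings(parse_chain(SAMPLE)):
        print(f["index"], f["subject"], f["errors"] or "-")
        for section, status, url in f["bad_fetches"]:
            print("   ", section, "->", status, url)
```

On the sample, the only element carrying error bits is the subordinate CA certificate, and its only non-good fetch is the `Expired` base CRL at the root CA's HTTP CDP.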

Similar Messages

  • Errors with SharePoint Security Token Service: "The revocation function was unable to check revocation for the certificate"

    I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root
    Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
    The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service.  This is apparent when executing a search, accessing
    the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site.  I've looked at the certificate assigned to that site and everything appears to be in order. 
    It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
    What I’ve tried so far:
    I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config.  Both appear to be configured correctly such that the root CAs can be validated.
    Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause.  I’ve also verified the service accounts reporting the error, do have access to the configuration database.
    Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this
    MS Tech note.
    So far nothing has worked.  Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
    Log Name:      Application
    Source:        Microsoft-SharePoint Products-SharePoint Foundation
    Date:          2/20/2015 11:19:41 AM
    Event ID:      8311
    Task Category: Topology
    Level:         Error
    Keywords:      
    User:          <SP SERVICE ACCOUNT>
    Computer:      <SHAREPOINTSERVER>
    Description:
    An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS
    CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
        <EventID>8311</EventID>
        <Version>14</Version>
        <Level>2</Level>
        <Task>13</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
        <EventRecordID>1611121</EventRecordID>
        <Correlation />
        <Execution ProcessID="10212" ThreadID="10328" />
        <Channel>Application</Channel>
        <Computer><SHAREPOINTSERVER></Computer>
        <Security UserID="<SP SERVICE ACCOUNT>" />
      </System>
      <EventData>
        <Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
        <Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
        <Data Name="string2"><STS CERT THUMBPRINT></Data>
        <Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
    </Data>
      </EventData>
    </Event>

    Hi Darren,
    This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.
    In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
    After running the above commands, perform an IISReset on all servers in the farm.
    More information:
    http://support.microsoft.com/kb/2545744
    Best Regards,
    Wendy
    Forum Support

  • Certificate issues Active Directory Certificate Services could not process request 3699 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

    Hi,
    We have some problems with our Root CA. I can see a lot of failed requests with event ID 22 in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=xxxxx.ourdomain.com.  Additional information: Error Verifying Request Signature or Signing Certificate
    A couple of months ago we decommissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure, but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing configuration.
    Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs, what can I do now to try and correct the problem?
    Thank you for your help
    //Cris

    hello,
    let me recap first:
    you see these errors on a ROOT CA. so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with your error mentioned.
    do you say that you had a PREVIOUS CA which you decommissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision not to bother with the current certificates that it issued and which are still valid, right?
    The error says, that the REQUEST signature cannot be validated. REQUESTs are signed either by itself (self-signed) or if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs
    do not contain CRL paths at all.
    So this implies to me as these requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
    As there are many such REQUEST and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
    As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
    Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
    But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
    So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
    The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
    Just a clean self-signed REQUEST.
    That will succeed.
    You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
    ondrej.

  • Subordinate certification authority can't start ADCS service: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

    Hi
    I have 1 rootCA and 1 subordinate CA. I removed one of the locations to publish CRL and after that the ADCS service can't start. I get the warning first:
    Revocation status for a certificate in the chain for CA certificate 2 for siu-SRVDC01-CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline.
    0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).
    And then the error:
    Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  siu-SRVDC01-CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).
    I've read many threads with similar problems but I can't find the solution. The CDP is online. I've run "certutil -url cert.cer" to verify the CDP and AIA and everything is fine. But the service is still not starting.
    See this command too:
    C:\>certutil -verify -urlfetch subCADC01.cer
    Issuer:
        CN=siu-SRVDC02-CA
        DC=siu
        DC=domain
      Name Hash(sha1): 152a7c43f186d9179c1c3256d3a1a0af4a9df892
      Name Hash(md5): b409e417a38bbe04b5800512bd94efac
    Subject:
        CN=siu-SRVDC01-CA
        DC=siu
        DC=domain
      Name Hash(sha1): 5ee421b84c3b18ff134cf2e42226853d78d3409b
      Name Hash(md5): e1a454692361733e45dad374dc14cae3
    Cert Serial Number: 1e0000022c707c76c0a27b315700000000022c
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 1 Hours, 2 Minutes, 16 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 1 Hours, 2 Minutes, 16 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
      NotBefore: 19.03.2015 11:18
      NotAfter: 19.03.2017 11:28
      Subject: CN=siu-SRVDC01-CA, DC=siu, DC=domain
      Serial: 1e0000022c707c76c0a27b315700000000022c
      Template: SubCA
      a1a8a95464c5b586da6e9b304142d59fc5a22ae0
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] http://wwwca/CertEnroll/srvdc02.siu.domain_siu-SRVDC02-CA.crt
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (26)" Time: 0
        [0.0] http://sharepoint.siu.no:8088/siu-SRVDC02-CA.crl
      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
        CRL 26:
        Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
        ThisUpdate: 19.03.2015 11:10
        NextUpdate: 15.09.2015 23:30
        e2ee543a68214f9b99dda2e9f58b1ddfc34429d1
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
      NotBefore: 23.09.2011 13:00
      NotAfter: 23.09.2021 13:10
      Subject: CN=siu-SRVDC02-CA, DC=siu, DC=domain
      Serial: 60fc459ebdefa5b646a081b0c21c259d
      4ea8bb95b0038c69a83c939e8a54f892cd0b5056
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
    Exclude leaf cert:
      691f7e42f5c4a86d03b7225bf7303369ef6dcc7e
    Full chain:
      17e5b9477a1736c33dc0ff245e7b06de5b958c4c
    Verified Issuance Policies: None
    Verified Application Policies: All
    Cert is a CA certificate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    Any clue?

    It looks like it is trying to get the CRL using LDAP. It is quite strange since no ldap entry is on the subordinate CA,
    only an HTTP address:
              <CertificateRevocationList location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?certificateRevocationList?base?objectClass=cRLDistributionPoint"
    fileRef="DEEB557897A9FEA217DF83D95BF24CA54051B1CF.crl" issuerName="siu-SRVDC02-CA" />
                <CertificateRevocationList deltaCRL="true" location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?deltaRevocationList?base?objectClass=cRLDistributionPoint" 
    I have checked that object using adsi Edit and the permissions seem ok. Also there is a value on both attributes: certificateRevocationList and deltaRevocationList.
    This problem happened after I removed the LDAP entry for the "CRL Distribution point" from the sub CA properties. Should I add back the LDAP entry?
    Log Name:      Microsoft-Windows-CAPI2/Operational
    Source:        Microsoft-Windows-CAPI2
    Date:          19.03.2015 14:42:07
    Event ID:      11
    Task Category: Build Chain
    Level:         Error
    Keywords:      Path Discovery,Path Validation
    User:          SYSTEM
    Computer:      srvdc01.siu.domain
    Description:
    For more details for this event, please refer to the "Details" section
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
        <EventID>11</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>11</Task>
        <Opcode>2</Opcode>
        <Keywords>0x4000000000000003</Keywords>
        <TimeCreated SystemTime="2015-03-19T13:42:07.481533500Z" />
        <EventRecordID>131</EventRecordID>
        <Correlation />
        <Execution ProcessID="6288" ThreadID="5472" />
        <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
        <Computer>srvdc01.siu.domain</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <UserData>
        <CertGetCertificateChain>
          <Certificate fileRef="E02AA2C59FD54241309B6EDA86B5C56454A9A8A1.cer" subjectName="siu-SRVDC01-CA" />
          <ExtendedKeyUsage />
          <Flags value="40000000" CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT="true" />
          <ChainEngineInfo context="machine" />
          <CertificateChain chainRef="{60B61582-1C3C-4B58-AE8C-70278ADEE402}" revocationFreshnessTime="P2DT21H13M20S">
            <TrustStatus>
              <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
              <InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
            </TrustStatus>
            <ChainElement>
              <Certificate fileRef="E02AA2C59FD54241309B6EDA86B5C56454A9A8A1.cer" subjectName="siu-SRVDC01-CA" />
              <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
              <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
              <TrustStatus>
                <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
                <InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
              </TrustStatus>
              <ApplicationUsage any="true" />
              <IssuanceUsage />
              <RevocationInfo freshnessTime="P2DT21H13M20S">
                <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
                <StrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="2048" />
                <DeltaStrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="2048" />
                <CertificateRevocationList location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?certificateRevocationList?base?objectClass=cRLDistributionPoint"
    fileRef="DEEB557897A9FEA217DF83D95BF24CA54051B1CF.crl" issuerName="siu-SRVDC02-CA" />
                <CertificateRevocationList deltaCRL="true" location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?deltaRevocationList?base?objectClass=cRLDistributionPoint"
    fileRef="58A2CDBC7A238DDD76EEFEDE354A04596F5AED71.crl" issuerName="siu-SRVDC02-CA" />
              </RevocationInfo>
            </ChainElement>
            <ChainElement>
              <Certificate fileRef="56500BCD92F8548A9E933CA8698C03B095BBA84E.cer" subjectName="siu-SRVDC02-CA" />
              <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
              <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
              <TrustStatus>
                <ErrorStatus value="0" />
                <InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
              </TrustStatus>
              <ApplicationUsage any="true" />
              <IssuanceUsage any="true" />
            </ChainElement>
          </CertificateChain>
          <EventAuxInfo ProcessName="certsrv.exe" />
          <CorrelationAuxInfo TaskId="{54E4FCD3-E70A-4024-BB81-6A053EAACE21}" SeqNumber="9" />
          <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
        </CertGetCertificateChain>
      </UserData>
    </Event>

  • Why do I see 'Unable to check revocation because the revocation server was offline'?

    Hi,
    In a lab we've been renewing our Subordinate Issuing CA cert fine for 3 iterations.  On the 4th renewal attempt, when I try to perform a 'Certutil -InstallCert Cert(4).crt', I receive the message 'The revocation function was unable to check revocation
    because the revocation server was offline. 0x80092013'.
    Why could I perform a renewal operation successfully up to this point but can't now?  What does this message really mean, 'cause no servers are offline?
    Thanks for your help! SdeDot

    Thanks Paul.
    The first error I found in the registry was the DSConfigDN was incorrect due to me copying the commands from another test system. 
    We didn't specifically code a CDP or AIA on the Root cause each time we renewed the Cert on the Root, on the Sub CA we published the renewed Cert to AD and added the renewed Cert and renewed CRL to the local Root store.
    What follows is the RootCA registry.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\FlyByNightRootCA:
    Keys:
      CSP
      EncryptionCSP
      ExitModules
      PolicyModules
    Values:
      ViewAgeMinutes           REG_DWORD = 10 (16)
      ViewIdleMinutes          REG_DWORD = 8
      CAType                   REG_DWORD = 3
        ENUM_STANDALONE_ROOTCA -- 3
      UseDS                    REG_DWORD = 0
      ForceTeletex             REG_DWORD = 12 (18)
        ENUM_TELETEX_AUTO -- 2
        ENUM_TELETEX_UTF8 -- 10 (16)
      SignedAttributes         REG_MULTI_SZ =
        0: RequesterName
      EKUOIDsForPublishExpiredCertInCRL REG_MULTI_SZ =
        0: 1.3.6.1.5.5.7.3.3 Code Signing
        1: 1.3.6.1.4.1.311.61.1.1 Kernel Mode Code Signing
      CommonName               REG_SZ = FlyByNightRootCA
      Enabled                  REG_DWORD = 1
      PolicyFlags              REG_DWORD = 0
      CertEnrollCompatible     REG_DWORD = 0
      CRLEditFlags             REG_DWORD = 100 (256)
        EDITF_ENABLEAKIKEYID -- 100 (256)
      CRLFlags                 REG_DWORD = 2
        CRLF_DELETE_EXPIRED_CRLS -- 2
      InterfaceFlags           REG_DWORD = 41 (65)
        IF_LOCKICERTREQUEST -- 1
        IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
      EnforceX500NameLengths   REG_DWORD = 1
      SubjectTemplate          REG_MULTI_SZ =
        0: EMail
        1: CommonName
        2: OrganizationalUnit
        3: Organization
        4: Locality
        5: State
        6: DomainComponent
        7: Country
      ClockSkewMinutes         REG_DWORD = a (10)
      LogLevel                 REG_DWORD = 3
      HighSerial               REG_DWORD = 0
      CAServerName             REG_SZ = Server03
      ValidityPeriod           REG_SZ = Hours
      ValidityPeriodUnits      REG_DWORD = c (12)
      CAXchgCertHash           REG_MULTI_SZ =
      KRACertHash              REG_MULTI_SZ =
      KRACertCount             REG_DWORD = 0
      KRAFlags                 REG_DWORD = 0
      CRLPublicationURLs       REG_MULTI_SZ =
        0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1
        CSURL_SERVERPUBLISHDELTA -- 40 (64)
        1: 8:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
        CSURL_ADDTOCRLCDP -- 8
        2: 0:http://%1/CertEnroll/%3%8%9.crl
        3: 6:file://%1/CertEnroll/%3%8%9.crl
        CSURL_ADDTOCERTCDP -- 2
        CSURL_ADDTOFRESHESTCRL -- 4
      CRLPeriod                REG_SZ = Hours
      CRLPeriodUnits           REG_DWORD = c (12)
      CRLOverlapPeriod         REG_SZ = Hours
      CRLOverlapUnits          REG_DWORD = 0
      CRLDeltaPeriod           REG_SZ = Hours
      CRLDeltaPeriodUnits      REG_DWORD = 0
      CRLDeltaOverlapPeriod    REG_SZ = Minutes
      CRLDeltaOverlapUnits     REG_DWORD = 0
      CAXchgValidityPeriod     REG_SZ = Weeks
      CAXchgValidityPeriodUnits REG_DWORD = 1
      CAXchgOverlapPeriod      REG_SZ = Days
      CAXchgOverlapPeriodUnits REG_DWORD = 1
      MaxIncomingMessageSize   REG_DWORD = 10000 (65536)
      MaxIncomingAllocSize     REG_DWORD = 10000 (65536)
      CACertPublicationURLs    REG_MULTI_SZ =
        0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
        CSURL_SERVERPUBLISH -- 1
        1: 0:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
        2: 0:http://%1/CertEnroll/%1_%3%4.crt
        3: 2:file://%1/CertEnroll/%1_%3%4.crt
        CSURL_ADDTOCERTCDP -- 2
      CACertHash               REG_MULTI_SZ =
        0: e0 bb 32 b9 bf f7 43 1d 23 e2 da b6 26 10 33 d8 00 61 e6 14
        1: a8 77 c8 09 af f0 07 4c 70 51 78 80 09 26 b1 05 f5 16 e5 be
      Security                 REG_BINARY =
        Allow CA Administrator BUILTIN\Administrators
        Allow Certificate Manager BUILTIN\Administrators
        Allow Enroll Everyone
      SetupStatus              REG_DWORD = 1
        SETUP_SERVER_FLAG -- 1
      DSConfigDN               REG_SZ = CN=Configuration,DC=TestPKI,DC=Net
      AuditFilter              REG_DWORD = 7f (127)
      CRLNextPublish           REG_BINARY = 2/28/2015 4:22 AM
    CertUtil: -getreg command completed successfully.
    Thanks for your help! SdeDot

  • "Unable to check revocation" error while checking CDP from non-domain user account

    Hi!
    I use 3-tier PKI infrastructure:
    Stand-alone offline Root CA: RootCA;
    Stand-alone offline Intermediate subordinate CA: SubCA;
    Enterprise CA: EntSubCA.
    In the certificate we have three CDP points for CRL checking:
    ldap:///, http:// and file://
    I have a Windows 2008 R2 server joined to the domain.
    I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
    When I use a domain user account for revocation checking, all is OK.
    I have access to every CDP and all is fine.
    But when I use a local server user account, I don't have access to ldap:/// and the process fails, although all other links are OK.
    My question is: why does the check fail with a non-domain user account while the other CDP points are successfully verified?
    Here is the logfile from local user:
    Issuer:
    CN=EntSubCA
    DC=DED
    DC=ROOT
    Subject:
    CN=servername.domain_name
    Cert Serial Number: 5a896145000300006ee2
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    NotBefore: 05.02.2015 20:03
    NotAfter: 05.02.2016 20:03
    Subject: CN=servername.domain_name
    Serial: 5a896145000300006ee2
    SubjectAltName: DNS Name=servername.domain_name
    Template: Machine
    70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
    ---------------- Certificate CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Base CRL CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    OK "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    OK "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 018d:
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=SubCA
    NotBefore: 13.11.2014 19:12
    NotAfter: 13.11.2017 19:22
    Subject: CN=EntSubCA, DC=DED, DC=ROOT
    Serial: 6109015b000100000008
    Template: SubCA
    9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\SubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (32)" Time: 0
    [0.0] file://\\ca\crl\SubCA.crl
    Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 32:
    Issuer: CN=SubCA
    8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
    CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 28.05.2008 12:09
    NotAfter: 28.05.2058 12:19
    Subject: CN=SubCA
    Serial: 616bd19f000100000004
    Template: SubCA
    06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 4
    [0.0] http://webserver/crl/RootCA.crl
    Verified "Base CRL (1c)" Time: 0
    [1.0] file://\\ca\crl\RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 27.05.2008 16:10
    NotAfter: 27.05.2110 16:20
    Subject: CN=RootCA
    Serial: 258de6fbd3bbab92460530e9e9f10536
    5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crl
    Verified "Base CRL (1c)" Time: 4
    [1.0] http://webserver/crl/RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
    Exclude leaf cert:
    5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
    Full chain:
    ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.

    What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions
    (you also use FILE URLs for publication, which again is not recommended).
    The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
    For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
    an internally and externally accessible, highly available Web cluster.
    The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
    certutil -dspublish -f RootCA.crt.
    This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian
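
The pattern Brian describes can be read straight out of the `certutil -verify -urlfetch` log: grouping every retrieval attempt by URL scheme shows the `ldap:///` fetches failing with WIN32 1326 while `file://` and `http://` succeed. The Python below is an added example, not code from the thread; its function names are hypothetical and the sample is a constructed, abridged excerpt of the local-account log above.

```python
import re
from collections import defaultdict

# dwErrorStatus bits that appear in the output quoted above.
ERROR_BITS = {
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

# Constructed sample: an abridged excerpt of the local-account log above.
SAMPLE = r"""
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
"""

ELEMENT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=[0-9a-fA-F]+ dwErrorStatus=([0-9a-fA-F]+)$")
SECTION_RE = re.compile(r"^-{4,}\s*(.+?)\s*-{4,}$")
STATUS_RE = re.compile(r'^(.+?) "(.*)" Time: (\d+)$')
ERROR_RE = re.compile(r"^Error retrieving URL: (.*?)(?:\s+0x[0-9a-fA-F]+ \(WIN32: (\d+)\))?$")
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s+)?((ldap|https?|file):\S.*)$", re.I)
OK_STATUSES = {"Verified", "OK"}

def decode_error_status(value):
    """Names of the set dwErrorStatus bits; bits not in ERROR_BITS as one hex value."""
    names = [name for bit, name in sorted(ERROR_BITS.items()) if value & bit]
    unknown = value
    for bit in ERROR_BITS:
        unknown &= ~bit
    return names + ([hex(unknown)] if unknown else [])

def parse_urlfetch(text):
    """Split the log into chain elements, each with its list of URL fetch attempts."""
    elements, current, section, pending = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := ELEMENT_RE.match(line)):
            current = {"index": int(m.group(1)), "error_status": int(m.group(2), 16), "fetches": []}
            elements.append(current)
            section = pending = None
        elif (m := SECTION_RE.match(line)):
            section, pending = m.group(1), None
        elif current is None:
            continue
        elif (m := STATUS_RE.match(line)):
            # A status line opens a record; the URL line that follows closes it.
            pending = {"section": section, "status": m.group(1), "label": m.group(2),
                       "url": None, "scheme": None, "error": None, "win32": None}
        elif pending and (m := ERROR_RE.match(line)):
            pending["error"] = m.group(1)
            pending["win32"] = int(m.group(2)) if m.group(2) else None
        elif pending and (m := URL_RE.match(line)):
            pending["url"], pending["scheme"] = m.group(1), m.group(2).lower()
            current["fetches"].append(pending)
            pending = None
    return elements

def summarise_by_scheme(element):
    """Count ok / failed / other fetches per URL scheme and collect WIN32 error codes."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "other": 0, "win32": set()})
    for fetch in element["fetches"]:
        bucket = summary[fetch["scheme"]]
        if fetch["status"] in OK_STATUSES:
            bucket["ok"] += 1
        elif fetch["status"] == "Failed":
            bucket["failed"] += 1
            if fetch["win32"] is not None:
                bucket["win32"].add(fetch["win32"])
        else:  # any other status certutil printed, e.g. 'Old Base CRL'
            bucket["other"] += 1
    return dict(summary)

def blocked_schemes(element):
    """Schemes for which at least one fetch failed and none succeeded."""
    return sorted(s for s, b in summarise_by_scheme(element).items() if b["failed"] and not b["ok"])

if __name__ == "__main__":
    for el in parse_urlfetch(SAMPLE):
        print(el["index"], decode_error_status(el["error_status"]), blocked_schemes(el))
```

To use it on real output, pass the contents of the `check.txt` file produced by the command in the question to `parse_urlfetch`.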

  • Failed to create Subordinate CA because of unable to check revocation

    Hi all,
    I am building a subordinate CA on my domain controller with Windows Server 2012 R2 installed.
    I submitted the CSR to my root CA (running EJBCA), then I accept the CA request and generated a certificate file. I already configured my root CA to append OCSP and CRL in this generated certification.
    However, I keep receiving "revocation server was offline" error, although I passed the OCSP check with OpenSSL.
    Here's the detailed error from certutil.exe
    Any help?
    PS C:\Users\Administrator> certutil -urlfetch -verify -seconds \\tsclient\Downloads\winPDCCA.cer
    Issuer:
    C=CA
    O=ROOT
    CN=ROOT Server CA
    Name Hash(sha1): xxx
    Name Hash(md5): xxx
    Subject:
    CN=win-PDC-CA
    Name Hash(sha1): xxx
    Name Hash(md5): xxx
    Cert Serial Number: 58b8a199528589b8
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: C=CA, O=ROOT, CN=ROOT Server CA
    NotBefore: 3/5/2015 3:20 AM
    NotAfter: 3/4/2040 8:18 AM
    Subject: CN=win-PDC-CA
    Serial: 58b8a199528589b8
    Template: DomainController
    12b9512bc6cc456929f73ea1ab0b597812164e46
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (17)" Time: 0
    [0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ROOT%20Server%
    20CA,O=ROOT,C=CA
    Verified "Delta CRL (17)" Time: 0
    [0.0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20
    Server%20CA,O=ROOT,C=CA
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 0
    [0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/status/ocsp
    CRL (null):
    Issuer: C=CA, O=ROOT, CN=ROOT Server CA
    ThisUpdate: 3/5/2015 3:30 AM
    NextUpdate: 3/5/2015 3:30 PM
    xxxx
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: C=CA, O=ROOT, CN=ROOT CA
    NotBefore: 3/4/2015 8:18 AM
    NotAfter: 3/4/2040 8:18 AM
    Subject: C=CA, O=ROOT, CN=ROOT Server CA
    Serial: 198c1ca481078881
    xxxx
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (13)" Time: 0
    [0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
    Verified "Delta CRL (13)" Time: 0
    [0.0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20
    CA,O=ROOT,C=CA
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 0
    [0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/status/ocsp
    CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
    Issuer: C=CA, O=ROOT, CN=ROOT CA
    NotBefore: 3/4/2015 8:18 AM
    NotAfter: 3/4/2040 8:18 AM
    Subject: C=CA, O=ROOT, CN=ROOT CA
    Serial: 1def9f3b25d8ec1e
    7487db4f9ea8055ca3d095b994fafdd7bbfd0283
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    Exclude leaf cert:
    xxxx
    Full chain:
    xxxx
    Issuer: C=CA, O=ROOT, CN=ROOT Server CA
    NotBefore: 3/5/2015 3:20 AM
    NotAfter: 3/4/2040 8:18 AM
    Subject: CN=win-PDC-CA
    Serial: 58b8a199528589b8
    Template: DomainController
    xxxx
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-214688561
    3 CRYPT_E_REVOCATION_OFFLINE)
    Revocation check skipped -- server offline
    Cert is a CA certificate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    PS C:\Users\Administrator>

    The OCSP server is providing expired responses, there is something definitely wrong with the OCSP configuration. Because you are using the EJBCA OCSP server by PrimeKey, you are going to have to contact them regarding the issues with your
    configuration.
    Brian

    Hi Brian,
    I am very confused about the "expired" response... Does it mean the certificate is expired or the OCSP response is expired, or something else?
    Anyway, I sniffed the traffic between this Windows subordinate CA and the OCSP server when I ran "certutil -url -v winPDCCA.cer" and chose it to verify OCSP.
    tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
    Capturing on 'Ethernet 1'
    -- omitted --
    Online Certificate Status Protocol
    responseStatus: successful (0)
    responseBytes
    ResponseType Id: 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic)
    BasicOCSPResponse
    tbsResponseData
    responderID: byKey (2)
    byKey: xx
    producedAt: 2015-03-06 03:14:21 (UTC)
    responses: 1 item
    SingleResponse
    certID
    hashAlgorithm (SHA-1)
    Algorithm Id: 1.3.14.3.2.26 (SHA-1)
    issuerNameHash: xx
    issuerKeyHash: xx
    serialNumber: 1384483256
    certStatus: good (0)
    good
    thisUpdate: 2015-03-06 03:14:21 (UTC)
    signatureAlgorithm (shaWithRSAEncryption)
    Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
    Padding: 0
    signature: xx...
    certs: 1 item
    Certificate (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT Server CA)
    signedCertificate
    version: v3 (2)
    serialNumber: -2130212735
    signature (shaWithRSAEncryption)
    Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
    issuer: rdnSequence (0)
    rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT CA)
    RDNSequence item: 1 item (id-at-commonName=ROOT CA)
    RelativeDistinguishedName item (id-at-commonName=ROOT CA)
    Id: 2.5.4.3 (id-at-commonName)
    DirectoryString: printableString (1)
    printableString: ROOT CA
    RDNSequence item: 1 item (id-at-organizationName=ROOT)
    RelativeDistinguishedName item (id-at-organizationName=ROOT)
    Id: 2.5.4.10 (id-at-organizationName)
    DirectoryString: printableString (1)
    printableString: ROOT
    RDNSequence item: 1 item (id-at-countryName=CA)
    RelativeDistinguishedName item (id-at-countryName=CA)
    Id: 2.5.4.6 (id-at-countryName)
    CountryName: CA
    validity
    notBefore: utcTime (0)
    utcTime: 15-03-04 11:48:18 (UTC)
    notAfter: utcTime (0)
    utcTime: 40-03-04 11:48:10 (UTC)
    subject: rdnSequence (0)
    rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT Server CA)
    RDNSequence item: 1 item (id-at-commonName=ROOT Server CA)
    RelativeDistinguishedName item (id-at-commonName=ROOT Server CA)
    Id: 2.5.4.3 (id-at-commonName)
    DirectoryString: printableString (1)
    printableString: ROOT Server CA
    RDNSequence item: 1 item (id-at-organizationName=ROOT)
    RelativeDistinguishedName item (id-at-organizationName=ROOT)
    Id: 2.5.4.10 (id-at-organizationName)
    DirectoryString: printableString (1)
    printableString: ROOT
    RDNSequence item: 1 item (id-at-countryName=CA)
    RelativeDistinguishedName item (id-at-countryName=CA)
    Id: 2.5.4.6 (id-at-countryName)
    CountryName: CA
    subjectPublicKeyInfo
    algorithm (rsaEncryption)
    Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
    Padding: 0
    subjectPublicKey: xx...
    extensions: 7 items
    Extension (id-pe-authorityInfoAccessSyntax)
    Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
    AuthorityInfoAccessSyntax: 1 item
    AccessDescription
    accessMethod: 1.3.6.1.5.5.7.48.1 (id-pkix.48.1)
    accessLocation: 6
    uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/status/ocsp
    Extension (id-ce-subjectKeyIdentifier)
    Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
    SubjectKeyIdentifier: xx
    Extension (id-ce-basicConstraints)
    Extension Id: 2.5.29.19 (id-ce-basicConstraints)
    critical: True
    BasicConstraintsSyntax
    cA: True
    Extension (id-ce-authorityKeyIdentifier)
    Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
    AuthorityKeyIdentifier
    keyIdentifier: xx
    Extension (id-ce-freshestCRL)
    Extension Id: 2.5.29.46 (id-ce-freshestCRL)
    CRLDistPointsSyntax: 1 item
    DistributionPoint
    distributionPoint: fullName (0)
    fullName: 1 item
    GeneralName: uniformResourceIdentifier (6)
    uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
    Extension (id-ce-cRLDistributionPoints)
    Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
    CRLDistPointsSyntax: 1 item
    DistributionPoint
    distributionPoint: fullName (0)
    fullName: 1 item
    GeneralName: uniformResourceIdentifier (6)
    uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Whitebear%20Home%20CA,O=Whitebear%20Home,C=CA
    cRLIssuer: 1 item
    GeneralName: directoryName (4)
    directoryName: rdnSequence (0)
    rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT CA)
    RDNSequence item: 1 item (id-at-commonName=ROOT CA)
    RelativeDistinguishedName item (id-at-commonName=ROOT CA)
    Id: 2.5.4.3 (id-at-commonName)
    DirectoryString: uTF8String (4)
    uTF8String: ROOT CA
    RDNSequence item: 1 item (id-at-organizationName=ROOT)
    RelativeDistinguishedName item (id-at-organizationName=ROOT)
    Id: 2.5.4.10 (id-at-organizationName)
    DirectoryString: uTF8String (4)
    uTF8String: ROOT
    RDNSequence item: 1 item (id-at-countryName=CA)
    RelativeDistinguishedName item (id-at-countryName=CA)
    Id: 2.5.4.6 (id-at-countryName)
    CountryName: CA
    Extension (id-ce-keyUsage)
    Extension Id: 2.5.29.15 (id-ce-keyUsage)
    critical: True
    Padding: 1
    KeyUsage: 86 (digitalSignature, keyCertSign, cRLSign)
    1... .... = digitalSignature: True
    .0.. .... = contentCommitment: False
    ..0. .... = keyEncipherment: False
    ...0 .... = dataEncipherment: False
    .... 0... = keyAgreement: False
    .... .1.. = keyCertSign: True
    .... ..1. = cRLSign: True
    .... ...0 = encipherOnly: False
    0... .... = decipherOnly: False
    algorithmIdentifier (shaWithRSAEncryption)
    Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
    Padding: 0
    encrypted: 3f209f1ce8bfc017b1b4c889370b0a49e284dd9895672f4b...
    1 ^C
    Based on the response, it seems that the OCSP server did return "good", "successful" in response. This is also verified with OpenSSL ocsp verification command:
    openssl ocsp -url http://ca.xxx.com:8080/ejbca/publicweb/status/ocsp -issuer ROOTServerCA.pem -cert winPDCCA.cer -CAfile ROOTCA.pem
    Response verify OK
    winPDCCA.cer: good
    This Update: Mar 6 03:21:44 2015 GMT
    openssl ocsp -url http://ca.xxx.com:8080/ejbca/publicweb/status/ocsp -issuer ROOTCA.pem  -cert ROOTServerCA.pem -CAfile ROOTCA.pem
    Response verify OK
    ROOTServerCA.pem: good
        This Update: Mar  6 03:23:29 2015 GMT

  • Windows 8.1 update added a recovery partition now the recovery function won't work.

    After the latest 8.1 update, an extra recovery partition was added to the C: drive.  A few other things got messed up so I decided to reset to factory original.  To my surprise the HP Recovery Tools no longer work.  If I hit F11 I get a 0xC0000225 error where the device isn't available.  I can see the recovery partition with the WINRE partition but I think the computer doesn't know where the partition is.  I'm on a DV6-7211 with Windows 8.1 update.  Any way to tell the F11 function where the WINRE drive is?  Since HP didn't see fit to give me recovery media in my box I have no way to revert back to factory original.  Since there is a license for Windows 8 included, I don't feel like spending the money to buy a new operating system.  Recovery media is way too expensive.

    You might try making a Recovery set with the software included on your machine-though it may not work now either. Creating Recovery Media >> Windows 8

  • Is it possible to make a shortcut key to would do the "paste" function?

    The hard part is that I want to paste in another program, like if I open a notepad, I can just click a button in a java program, a string would have been saved in the clipboard, and then just pressing a shortcut key would paste the string on the notepad.
    I am making this for a senior people group so they would not need to right click and then paste, or use "ctrl+v" to do so. I have done the click a button and then save in a string part, but still haven't figured out whether it is even possible to have a shortcut key then just paste on another program like notepad.
    Thanks for your help!

    It is hard for senior people to press that "ctrl+v". Is it possible to somehow use another key to have the "paste" function? Basically, transfer the "ctrl+v" keystrokes to another keystroke...

  • When downloading a file, I select "Save File", but I'm unable to check the box labeled "Do this automatically for files like this from now on." The box is faded out. It's very tedious when you have to select "Save File" every time

    Click on the file to download
    The "Open" Dialog Box pops up
    Select "Save File"
    Try to click on the box labeled "Do this automatically for files like this from now on."
    The box is disabled

    Hello melanie90, see: Changing download actions (https://support.mozilla.org/en-US/kb/change-firefox-behavior-when-open-file#w_changing-download-actions)
    thank you

  • Adding a CM: Invalid length parameter passed to the RIGHT function. (CINF)

    We started seeing this error message a week ago when attempting to add a Credit Memo. We only see this error message when entering Credit Memos and not any other financial documents. I've done some preliminary research and haven't really come up with anything to point to the issue. Prior to reporting this to my support partner, I wanted to see if anybody here has seen this before or can give me some ideas to look into the source of the issue.
    Full error message: Microsoft SQL Native Client SQL Server Invalid length parameter passed to the RIGHT function. (CINF)

    Checking the list of form IDs at http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/892 shows the A/R Credit Memo as 179 and the A/P Credit Memo as 181. This also corresponds with what I see when viewing the system information on the form.

  • How can I sum up rows? The sum function seems to work for columns only and right now I have to create a separate formula for each row

    How can I sum up rows? The Sum function seems to work only on columns. Right now I have to create a separate formula for each row

    Hi dah,
    "Thanks, but can I do one formula for all present and future rows? As rows are being added, I have to do the sum function again and again"
    You do need a separate formula for each group of values to be summed.
    If the values are in columns, you need a copy of the formula for each column.
    If the values are in rows, you need a copy of the formula for each row.
    If you set up your formulas as SGIII did in his example (shown below), where every non-header row has the same formula, Numbers will automatically add the formula to new rows as you add them.
    "Same formula" in this context means exactly the same as all the formulas above, with one exception: the row reference in each formula is incremented (by Numbers) to match the row containing the formula.
    Here the formula looks like this in the three rows shown.
    B2: =SUM(2)
    B3: =SUM(3)
    B4: =SUM(4)
    That pattern will continue as rows are added to the table.
    Also, because the row token (2) references all of the non-header cells in row 2, the formula will automatically include new columns as they are added to the table.
    Regards,
    Barry

  • How to see the mapping functions assigned...

    Consider that someone has done the mapping with some user-defined functions and some node functions, etc...
    Now I want to see the mapping used... I mean, what is the user-defined function used, or what is the node function used... how do I check that? I even checked the dependencies option, but it shows only an arrow mark to the target field...
    Can someone help me with that?

    Hi, first of all, you should get the name of the function used in Message Mapping.
    If the function name is among the standard functions (you can check all the categories of standard functions by choosing a value from the drop-down list at the bottom of the data flow editor),
    then the function used is a standard function, e.g. node functions include "exist", "RemoveContext", etc...
    Otherwise the function used must be a user-defined function. From the same drop-down list I mentioned above, you can choose "User Defined Function"; then you will see the user-defined functions used by the current message mapping.
    Hope this clears your doubt.
    Liang
