Sometimes you need to verify a certificate chain, including whether the certificates in it can actually be revocation-checked. On Windows this is easy to do with certutil.

To do that, first download or export the certificate and save it on your local hard disk. We use the certificate from https://www.google.de here. Then open a CMD box and run the following command (adjust the folder and filename if needed). -verify builds and checks the chain, -urlfetch makes certutil fetch the issuer certificates and CRLs from the URLs in the certificate's AIA and CDP extensions instead of relying only on the local cache, and -f is certutil's generic force (overwrite) switch:

certutil -f -urlfetch -verify C:\temp\www.google.de.crt

and you get a result similar to the one below. Read it with care: the last line, "-verify command completed successfully", only means that certutil ran to completion. The actual result is in each CertContext[0][n] element (dwErrorStatus=0 means that certificate produced no error; the AIA/CDP/OCSP sections under it show which URLs could be fetched) and in any ERROR: line. Here the chain builds up to the self-signed Equifax root with no error status on any element, but certutil could not determine the revocation status of the leaf certificate (0x80092013, revocation server offline). Note also that the dwFlags lines show CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT is set, so this output alone does not prove that the root is in the machine's trust store.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\adminenclave>certutil -f -urlfetch -verify C:\temp\www.google.de.crt
Issuer:
CN=Google Internet Authority
O=Google Inc
C=US
Subject:
CN=www.google.de
O=Google Inc
L=Mountain View
S=California
C=US
Cert Serial Number: 2ffc6a42000000006b55

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Google Internet Authority, O=Google Inc, C=US
NotBefore: 10.10.2012 19:13
NotAfter: 07.06.2013 21:43
Subject: CN=www.google.de, O=Google Inc, L=Mountain View, S=California, C=US
Serial: 2ffc6a42000000006b55
SubjectAltName: DNS Name=www.google.de
f9 e1 65 66 c1 af a3 a5 94 4b 9c 93 e1 80 00 91 ac 82 32 ab
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt

---------------- Certificate CDP ----------------
Verified "Base CRL (013a)" Time: 0
[0.0] http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 0137:
Issuer: CN=Google Internet Authority, O=Google Inc, C=US
73 08 39 25 6a 7c 40 c0 a3 21 2e 66 aa 59 e0 4e 16 26 84 b8
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotBefore: 08.06.2009 22:43
NotAfter: 07.06.2013 21:43
Subject: CN=Google Internet Authority, O=Google Inc, C=US
Serial: 0b6771
dd 7a 7f 13 1d db a3 3d 3e 86 70 17 94 83 e6 fe a6 98 7d 6a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://crl.geotrust.com/crls/secureca.crl

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL (null):
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
81 0b 00 58 1f 86 7c 16 75 71 48 29 07 97 4f da c7 7a 52 78
Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotBefore: 22.08.1998 18:41
NotAfter: 22.08.2018 18:41
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Serial: 35def4cf
d2 32 09 ad 23 d3 14 23 21 74 e4 0d 7f 9d 62 13 97 86 63 3a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary

---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
c9 55 8d 60 10 7b 30 7a 6e 00 f7 47 f1 2e ce f1 96 da c4 90
Full chain:
85 bf 47 43 a6 99 12 37 4c 31 d6 1e 18 4f b6 74 4d 34 31 ab
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Cert is an End Entity certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.
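As an added example that is not part of the original post and not certutil's own code: the Python script below runs the same certutil command on Windows (or, offline, parses a constructed sample condensed from the output above) and turns the output into a verdict. It separates "the chain builds" (the dwErrorStatus of each CertContext element, decoded with the CERT_TRUST_* bits from wincrypt.h) from "revocation was actually checked" (the ERROR: line and its HRESULT, here CRYPT_E_REVOCATION_OFFLINE, 0x80092013), because the closing "-verify command completed successfully" line only says that certutil ran. The function names, the SAMPLE text and the choice of which status bits to decode are mine.

```python
"""Turn `certutil -f -urlfetch -verify <cert>` output into a chain/revocation verdict.
Added example, not certutil's or the post author's code: the closing "-verify command
completed successfully" line only says the command ran, so the real result has to be
read from each CertContext element's dwErrorStatus and from any "ERROR:" line."""
import re
import subprocess
import sys

# Line shapes as certutil prints them (see the output reproduced on this page).
CONTEXT_RE = re.compile(r"^CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) "
                        r"dwErrorStatus=([0-9a-f]+)", re.I)
SUBJECT_RE = re.compile(r"^Subject: (.+)$")
FETCH_RE = re.compile(r'^(Verified|Failed|No URLs) "([^"]*)"')  # AIA/CDP/OCSP fetch lines
ERROR_RE = re.compile(r"^ERROR: (.+)$")
HRESULT_RE = re.compile(r"0x([0-9a-fA-F]{8})")

# CERT_TRUST_* error bits from wincrypt.h (dwErrorStatus); 0 means the element is clean.
ERROR_BITS = {0x1: "CERT_TRUST_IS_NOT_TIME_VALID", 0x4: "CERT_TRUST_IS_REVOKED",
              0x8: "CERT_TRUST_IS_NOT_SIGNATURE_VALID", 0x10: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
              0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT", 0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
              0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN", 0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}
# CRYPT_E_* HRESULTs certutil reports for revocation outcomes.
REVOCATION_HRESULTS = {0x80092010: "CRYPT_E_REVOKED", 0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
                       0x80092013: "CRYPT_E_REVOCATION_OFFLINE"}


def parse_certutil_output(text):
    """Return {'elements': [...], 'errors': [...]} from the verbose -verify dump."""
    elements, errors, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT_RE.match(line)
        if m:  # CertContext[chain][element]: one certificate of the built chain
            current = {"index": int(m.group(2)), "info_status": int(m.group(3), 16),
                       "error_status": int(m.group(4), 16), "subject": None, "fetches": []}
            elements.append(current)
            continue
        if current is not None:
            m = SUBJECT_RE.match(line)
            if m and current["subject"] is None:
                current["subject"] = m.group(1)
                continue
            m = FETCH_RE.match(line)
            if m:  # what -urlfetch managed to retrieve for this element
                current["fetches"].append((m.group(1), m.group(2)))
                continue
        m = ERROR_RE.match(line)
        if m:  # e.g. the leaf revocation error near the end of the page's output
            hr = HRESULT_RE.search(m.group(1))
            code = int(hr.group(1), 16) if hr else None
            errors.append({"message": m.group(1), "hresult": code,
                           "name": REVOCATION_HRESULTS.get(code, "other")})
    return {"elements": elements, "errors": errors}


def verdict(report):
    """Separate 'the chain builds' from 'revocation was actually checked'."""
    problems = [f"{el['subject']}: {name}" for el in report["elements"]
                for bit, name in ERROR_BITS.items() if el["error_status"] & bit]
    if any(e["hresult"] == 0x80092010 for e in report["errors"]):
        revocation = "revoked"
    elif report["errors"]:  # CRL/OCSP unavailable: status is unknown, which is not "good"
        revocation = "unknown"
    else:
        revocation = "good"
    return {"chain_builds": not problems, "chain_problems": problems, "revocation_status": revocation}


def run_certutil(cert_path):
    """Windows only: run the same command as the post and parse what it prints."""
    proc = subprocess.run(["certutil", "-f", "-urlfetch", "-verify", cert_path],
                          capture_output=True, text=True)
    return parse_certutil_output(proc.stdout + proc.stderr)


# Constructed sample, condensed from the output shown above, so the script also runs offline.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Subject: CN=www.google.de, O=Google Inc, L=Mountain View, S=California, C=US
---------------- Certificate CDP ----------------
Verified "Base CRL (013a)" Time: 0

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Subject: CN=Google Internet Authority, O=Google Inc, C=US
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0

CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: -verify command completed successfully.
"""

if __name__ == "__main__":
    report = run_certutil(sys.argv[1]) if len(sys.argv) > 1 else parse_certutil_output(SAMPLE)
    for el in report["elements"]:
        print(f"[{el['index']}] {el['subject']}  dwErrorStatus=0x{el['error_status']:x}  {el['fetches']}")
    print(verdict(report))
```

Run it as `python verify_chain.py C:\temp\www.google.de.crt` on a Windows box to wrap the real command, or without arguments to see the verdict for the sample: chain_builds is True, but revocation_status is "unknown", which is the distinction the last line of certutil's output hides.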

Comments(2)

    • Guest - Charles

      My problem is the opposite. I revoked the certificate, but no matter what I do, certutil always validates the certificate. And the software I'm working with also validates the certificate. The CRL distribution points are set correctly and I can look at the CRL URLs via certutil -URL or in the certification authorities or server manager, and in the list of revoked certificates, the serial number for the cert in question is listed there. But it won't ever show as revoked by certutil. Any idea what would cause this?

    • Guest - Bastian W.

      Guest - Charles

Was that certificate created by your internal CA? If so, the CRL might not be up to date. What is its date?