Thursday, September 29, 2022

How to verify the certificate chain via Windows

Sometimes you need to verify a certificate chain. On Windows this can be done very easily with certutil.

To do that, first download or export the certificate and save it on your local hard disk. We use the certificate from https://www.google.de here. Once that is done, open a CMD window and run the following command (adjust the folder and file name if needed):

certutil -f -urlfetch -verify C:\temp\www.google.de.crt

and you will get a result similar to this one:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\adminenclave>certutil -f -urlfetch -verify C:\temp\www.google.de.crt
Issuer:
CN=Google Internet Authority
O=Google Inc
C=US
Subject:
CN=www.google.de
O=Google Inc
L=Mountain View
S=California
C=US
Cert Serial Number: 2ffc6a42000000006b55

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Google Internet Authority, O=Google Inc, C=US
NotBefore: 10.10.2012 19:13
NotAfter: 07.06.2013 21:43
Subject: CN=www.google.de, O=Google Inc, L=Mountain View, S=California, C=US
Serial: 2ffc6a42000000006b55
SubjectAltName: DNS Name=www.google.de
f9 e1 65 66 c1 af a3 a5 94 4b 9c 93 e1 80 00 91 ac 82 32 ab
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt

---------------- Certificate CDP ----------------
Verified "Base CRL (013a)" Time: 0
[0.0] http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 0137:
Issuer: CN=Google Internet Authority, O=Google Inc, C=US
73 08 39 25 6a 7c 40 c0 a3 21 2e 66 aa 59 e0 4e 16 26 84 b8
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotBefore: 08.06.2009 22:43
NotAfter: 07.06.2013 21:43
Subject: CN=Google Internet Authority, O=Google Inc, C=US
Serial: 0b6771
dd 7a 7f 13 1d db a3 3d 3e 86 70 17 94 83 e6 fe a6 98 7d 6a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://crl.geotrust.com/crls/secureca.crl

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL (null):
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
81 0b 00 58 1f 86 7c 16 75 71 48 29 07 97 4f da c7 7a 52 78
Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotBefore: 22.08.1998 18:41
NotAfter: 22.08.2018 18:41
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Serial: 35def4cf
d2 32 09 ad 23 d3 14 23 21 74 e4 0d 7f 9d 62 13 97 86 63 3a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary

---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
c9 55 8d 60 10 7b 30 7a 6e 00 f7 47 f1 2e ce f1 96 da c4 90
Full chain:
85 bf 47 43 a6 99 12 37 4c 31 d6 1e 18 4f b6 74 4d 34 31 ab
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Cert is an End Entity certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.
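Note in the output above that certutil reports "-verify command completed successfully" even though the revocation check failed with 0x80092013, so the closing line alone does not tell you whether the chain is actually good. The following PowerShell script is an added example (not code from the original post): it exports the leaf certificate of a TLS endpoint, runs the same certutil command, and then inspects the dwErrorStatus values and the revocation error lines instead of trusting the final status line. The host name, port and output path are assumed parameters.

```powershell
# Added example, not code from the original post. Exports the leaf certificate of a
# TLS endpoint, runs the same certutil check as in the post, and flags problems that
# the closing "-verify command completed successfully" line does not reveal.
# Assumes Windows PowerShell 5.1+ with certutil.exe and outbound network access.
param(
    [string]$HostName = 'www.google.de',
    [int]$Port = 443,
    [string]$OutFile = "C:\temp\$HostName.crt"
)

# 1. Fetch the certificate the server presents. Validation is deliberately skipped
#    here because the actual chain and revocation check is delegated to certutil.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$tls.AuthenticateAsClient($HostName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$tls.Dispose(); $tcp.Dispose()

# 2. Write DER to disk, which is what the manual download/export step produces.
New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
[IO.File]::WriteAllBytes($OutFile, $leaf.Export('Cert'))

# 3. Same command as in the post, with the output captured for inspection.
$report = (& certutil.exe -f -urlfetch -verify $OutFile 2>&1) | Out-String

# 4. Summarise the chain: one line per CertContext element with its error status.
$elements = [regex]::Matches($report, 'CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)')
foreach ($m in $elements) {
    "Element {0}: dwInfoStatus=0x{1} dwErrorStatus=0x{2}" -f $m.Groups[1].Value, $m.Groups[2].Value, $m.Groups[3].Value
}

# 5. Decide. A non-zero dwErrorStatus means a chain-building problem; the
#    "revocation server was offline" error (0x80092013) means the CRL/OCSP check
#    never happened, so the certificate is unverified, not verified.
$chainError = $elements | Where-Object { $_.Groups[3].Value -ne '0' }
$revocationUnknown = $report -match 'ERROR: Verifying leaf certificate revocation status' -or
                     $report -match '0x80092013'
if ($chainError) {
    Write-Warning 'A chain element reports dwErrorStatus != 0; do not treat this chain as trusted.'
    exit 2
} elseif ($revocationUnknown) {
    Write-Warning 'Revocation status could not be determined (revocation server offline or CDP unreachable).'
    exit 1
} else {
    Write-Output 'Chain built and revocation checked successfully.'
    exit 0
}
```

Run against the page's example the script would exit with code 1, because every element has dwErrorStatus=0 but the revocation check never completed.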
