我有两个二进制文件,一个在第一个之后大约4天构建,并使用相同的证书(相同的序列号,由Thawte发布)签名,但是,当我检查证书时,在一个上有错误消息Revocation Status : The revocation function was unable to check revocation because the revocation server was offline.
,第二个效果很好。是否有可能,撤销服务器在签名时处于脱机状态,这会导致此问题?我不确定一个证书如何有不同的撤销服务器。
我想到的另一个想法是,第二个是在证书到期前几天(<月)签署的。可能是这种情况吗?
答案 0 :(得分:1)
证书的格式是什么?如果您可以使用合适的格式,则可以使用“openssl”命令行unix工具来调查证书。 Openssl也适用于Windows。
这是一个示例运行:
openssl x509 -in usertrust.pem -inform PEM -noout -text
这是输出:
Version: 3 (0x2)
Serial Number:
07:74:8d:73:00:00:00:00:00:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network
Validity
Not Before: Apr 5 18:35:06 2005 GMT
Not After : Mar 6 03:22:04 2007 GMT
Subject:C=US, ST=UT, L=Salt Lake City, O=USERTRUST, CN=www.usertrust.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d7:21:6d:f8:58:e7:ed:52:5a:3e:fe:e5:bf:92:
32:41:38:f1:ee:61:6f:da:6c:83:39:c8:b4:b1:fd:
77:4a:35:a8:e8:3f:0b:bf:ff:2d:0b:b5:ed:56:80:
d7:ca:89:c3:63:8b:a5:06:ed:b0:22:82:8d:a1:c6:
ed:c8:d4:06:8d:be:d1:69:83:31:a7:13:2b:17:27:
72:a4:85:97:55:fc:f7:ca:eb:c9:af:be:19:78:67:
35:d1:7f:af:2d:3c:d3:86:c4:1e:fd:02:e4:ab:10:
ea:d1:bb:63:19:fb:9a:61:ed:30:7e:88:0e:1a:1e:
a7:a6:d5:8d:02:20:af:be:b0:0e:f5:30:44:e0:d5:
b9:ab:b1:76:65:94:03:fc:c8:55:80:6d:a8:fa:b1:
94:38:be:e2:78:45:8d:b5:7e:cf:e7:de:a1:09:46:
a3:8b:ab:76:50:85:50:5d:58:91:78:21:a3:a2:dd:
1d:c3:dc:0b:18:9d:fc:84:b2:17:f8:a7:48:e5:aa:
c1:d3:43:83:49:ea:35:5f:e1:28:6c:33:a9:2f:ac:
62:22:1d:6f:44:94:bb:09:be:7d:fd:c5:e4:fc:ff:
92:4c:63:97:56:53:fe:77:5c:53:5b:ae:ab:7d:8b:
af:74:ac:ea:30:80:b1:6e:08:57:85:01:7d:b4:3d:
26:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
A0:3C:DC:84:FF:51:06:AC:C6:CB:21:EB:CB:05:07:D7:10:C2:68:E6
X509v3 Authority Key Identifier:
keyid:75:01:28:97:C6:46:1B:34:6E:E8:A0:91:15:71:92:79:EE:B7:03:CE
serial:15:6C:27:1A:54:FE:B3:82:BE:AF:54:FE:F4:A2:8B
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
X509v3 Certificate Policies:
Policy: 1.2.840.114015.1.1
CPS: http://www.usertrust.com/CPS
User Notice: Explicit Text: ...
Signature Algorithm: sha1WithRSAEncryption
cf:66:95:18:8b:a3:73:e7:04:a8:fa:16:f3:62:60:4a:26:f1:
b5:37:b3:cd:7a:d4:9d:63:3f:a1:ee:52:30:29:9e:7a:b2:e7:
ba:a0:f9:bf:4f:95:63:63:bb:a9:cf:c5:b9:18:bd:6a:e5:82:
cd:3a:bf:37:ea:9c:57:bc:d8:20:d8:be:1a:8c:f5:00:9e:ad:
c4:66:d3:60:92:dd:22:66:61:88:49:0c:05:72:05:03:9d:82:
78:2f:9e:9c:f3:8b:d7:96:b7:8b:4b:6c:40:0f:7a:cb:f9:77:
88:13:f7:74:f0:e7:31:2e:94:81:b9:d4:0a:7c:d1:1d:f3:8b:
4c:e7:ae:21:12:40:f9:6a:1f:7d:a8:96:dc:90:11:6a:44:d7:
fc:f5:98:a3:5b:bc:4f:51:ab:db:84:64:ad:69:e6:82:bd:d9:
65:7a:44:43:65:8b:69:a7:01:8c:94:0d:4b:c3:be:29:ef:81:
a9:80:0c:33:46:d7:37:be:4c:9a:e0:bb:3f:15:9e:dd:ef:f4:
7f:70:e9:0b:5f:e3:18:a7:a4:80:8b:e1:ac:1c:46:33:e7:90:
02:11:43:61:15:4e:97:ea:c2:24:84:58:31:a8:37:b4:84:bf:
c0:70:a0:95:f9:64:c9:d2:94:86:5c:21:5d:51:b3:c6:b0:f4:
02:cb:77:24
特别注意这些:
X509v3 CRL Distribution Points:
URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
这些是CRL(针对此特定证书),您可以使用常规浏览器访问它们以查看问题所在!注意:有些证书使用OCSP进行撤销,因此请在输出中查找OCSP和CRL。
答案 1 :(得分:0)
首先,您应该查看有关如何验证签名二进制文件here的MSDN文档。错误响应将提供更多信息。
这个blogger has a workaround,如果您的revokation服务器出现自己的密钥问题,您将知道它是否已被撤销:)。此外,由于此密钥已过期,因此配置此设置可能不是什么大问题。
如果您发布了详细的错误代码,我可以多看一下,但这对您现在应该有用。
答案 2 :(得分:0)
证书签名不依赖于检查证书撤销,只有验证。当您验证证书时,这听起来像是一个临时的网络故障。这个问题可以重复吗?