我们遇到以下问题,有人可以帮忙吗?
在某些PC上,当用户访问我公司CA签名的网站时,IE会显示不受信任的证书页面。 但是已经在IE Trust Root中导入的证书取消选中“检查服务器证书吊销”,然后没有警告页面。
要使用certutil验证证书,请输出以下信息。
certutil -verify -urlfetch test.cert
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=10a dwErrorStatus=20
Issuer: O=MyCompany Root CA, C=US
Subject: O=MyCompany Root CA, C=US
Serial:
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
319.1862.0: 0x8007006e (WIN32: 110): ldap:///CN=CRL1, O=MyCompany Root CA, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary
319.1862.0: 0x8007003a (WIN32: 58): ldap://dc.mycompany.com/o=mycompany%20CA1,c=US?certificateRevocationList;binary
Failed "CDP" Time: 0
Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32: 110)
ldap:///CN=CRL1, O=MyCompany Root CA, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary
Failed "CDP" Time: 0
Error retrieving URL: The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)
ldap://dc.mycompany.com/o=mycompany%20CA1,c=US?certificateRevocationList;binary
Verified "Base CRL (2419)" Time: 1
[2.0] http://dc.mycompany.com/CombinedCDP/CRL.crl"
答案 0 :(得分:0)
我遇到了同样的问题。在本地计算机上安装根证书>受信任的根证书颁发机构解决了我的问题。 在当前用户中安装根证书>不需要受信任的根证书颁发机构。