16
12
25
 Leave a comment

Installing LDAPS certificate on Windows 10

Posted by | Windows | Tagged , , |

I realized that my LDAPS certificate is not trusted with the following command in PowerShell:

certutil -verify ldap.crt

Issuer:
    CN=my-MYSERVER-CA
    DC=my
    DC=local
  Name Hash(sha1): c3990ff3ea9a04a01dbfd9a7fcce3f0404376127
  Name Hash(md5): a7bef1a74e04856f45228c2da016979b
Subject:
    CN=myserver.my.local
  Name Hash(sha1): 3737acff09d36f6dfd12105428f96322027804ab
  Name Hash(md5): dc0886286b3130db4cef78f40e277926
Cert Serial Number: 750000000212089946907c8e3b000000000002

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 4:28 PM
  NotAfter: 9/30/2027 4:38 PM
  Subject: CN=myserver.my.local
  Serial: 750000000212089946907c8e3b000000000002
  SubjectAltName: Other Name:Principal Name=MYSERVER$@my.local, DNS Name=myserver.my.local, DNS Name=my.local, DNS Name=MY
  Template: 1.3.6.1.4.1.311.21.8.2394105.11159506.2182327.8431295.4887454.220.11906748.479500
  Cert: 9550648a5a11d190bd694413d278a3667e76f5b4
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  Application[0] = 1.3.6.1.5.2.3.5 KDC Authentication
  Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[3] = 1.3.6.1.5.5.7.3.2 Client Authentication

Exclude leaf cert:
  Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
  Chain: 9550648a5a11d190bd694413d278a3667e76f5b4
Missing Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 4:28 PM
  NotAfter: 9/30/2027 4:38 PM
  Subject: CN=myserver.my.local
  Serial: 750000000212089946907c8e3b000000000002
  SubjectAltName: Other Name:Principal Name=MYSERVER$@my.local, DNS Name=myserver.my.local, DNS Name=my.local, DNS Name=MY
  Template: 1.3.6.1.4.1.311.21.8.2394105.11159506.2182327.8431295.4887454.220.11906748.479500
  Cert: 9550648a5a11d190bd694413d278a3667e76f5b4
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    CN=my-MYSERVER-CA, DC=my, DC=local

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

I installed ca_root.crt and got this:

Issuer:
    CN=my-MYSERVER-CA
    DC=my
    DC=local
  Name Hash(sha1): c3990ff3ea9a04a01dbfd9a7fcce3f0404376127
  Name Hash(md5): a7bef1a74e04856f45228c2da016979b
Subject:
    CN=myserver.my.local
  Name Hash(sha1): 3737acff09d36f6dfd12105428f96322027804ab
  Name Hash(md5): dc0886286b3130db4cef78f40e277926
Cert Serial Number: 750000000212089946907c8e3b000000000002

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 4:28 PM
  NotAfter: 9/30/2027 4:38 PM
  Subject: CN=myserver.my.local
  Serial: 750000000212089946907c8e3b000000000002
  SubjectAltName: Other Name:Principal Name=MYSERVER$@my.local, DNS Name=myserver.my.local, DNS Name=my.local, DNS Name=MY
  Template: 1.3.6.1.4.1.311.21.8.2394105.11159506.2182327.8431295.4887454.220.11906748.479500
  Cert: 9550648a5a11d190bd694413d278a3667e76f5b4
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  Application[0] = 1.3.6.1.5.2.3.5 KDC Authentication
  Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[3] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 3:48 PM
  NotAfter: 9/30/2030 3:58 PM
  Subject: CN=my-MYSERVER-CA, DC=my, DC=local
  Serial: 5e7f2e014dfde08f4b41a87023fd2402
  Cert: 1900ec14e427473a9dcc132b42d33fb0cabe8d5d
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: 9550648a5a11d190bd694413d278a3667e76f5b4
Full chain:
  Chain: ce99f0f017d24b9d0a70a934ac9701789b338965
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 4:28 PM
  NotAfter: 9/30/2027 4:38 PM
  Subject: CN=myserver.my.local
  Serial: 750000000212089946907c8e3b000000000002
  SubjectAltName: Other Name:Principal Name=MYSERVER$@my.local, DNS Name=myserver.my.local, DNS Name=my.local, DNS Name=MY
  Template: 1.3.6.1.4.1.311.21.8.2394105.11159506.2182327.8431295.4887454.220.11906748.479500
  Cert: 9550648a5a11d190bd694413d278a3667e76f5b4
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
------------------------------------
Verifies against UNTRUSTED root

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

I added root certificated:

PS C:\dev\work\ssl\new> certutil -addstore -f Root my-MYSERVER-CA.cer
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "my-MYSERVER-CA" added to store.
CertUtil: -addstore command completed successfully.
PS C:\dev\work\ssl\new> certutil -store Root | findstr /i my-MYSERVER-CA
Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
Subject: CN=my-MYSERVER-CA, DC=my, DC=local
  Simple container name: my-MYSERVER-CA

and got this:

PS C:\dev\work\ssl> certutil -verify ldap.crt
Issuer:
    CN=my-MYSERVER-CA
    DC=my
    DC=local
  Name Hash(sha1): c3990ff3ea9a04a01dbfd9a7fcce3f0404376127
  Name Hash(md5): a7bef1a74e04856f45228c2da016979b
Subject:
    CN=myserver.my.local
  Name Hash(sha1): 3737acff09d36f6dfd12105428f96322027804ab
  Name Hash(md5): dc0886286b3130db4cef78f40e277926
Cert Serial Number: 750000000212089946907c8e3b000000000002

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 4:28 PM
  NotAfter: 9/30/2027 4:38 PM
  Subject: CN=myserver.my.local
  Serial: 750000000212089946907c8e3b000000000002
  SubjectAltName: Other Name:Principal Name=MYSERVER$@my.local, DNS Name=myserver.my.local, DNS Name=my.local, DNS Name=MY
  Template: 1.3.6.1.4.1.311.21.8.2394105.11159506.2182327.8431295.4887454.220.11906748.479500
  Cert: 9550648a5a11d190bd694413d278a3667e76f5b4
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  Application[0] = 1.3.6.1.5.2.3.5 KDC Authentication
  Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[3] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 3:48 PM
  NotAfter: 9/30/2030 3:58 PM
  Subject: CN=my-MYSERVER-CA, DC=my, DC=local
  Serial: 5e7f2e014dfde08f4b41a87023fd2402
  Cert: 1900ec14e427473a9dcc132b42d33fb0cabe8d5d
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  Chain: 9550648a5a11d190bd694413d278a3667e76f5b4
Full chain:
  Chain: ce99f0f017d24b9d0a70a934ac9701789b338965
  Issuer: CN=my-MYSERVER-CA, DC=my, DC=local
  NotBefore: 9/30/2025 4:28 PM
  NotAfter: 9/30/2027 4:38 PM
  Subject: CN=myserver.my.local
  Serial: 750000000212089946907c8e3b000000000002
  SubjectAltName: Other Name:Principal Name=MYSERVER$@my.local, DNS Name=myserver.my.local, DNS Name=my.local, DNS Name=MY
  Template: 1.3.6.1.4.1.311.21.8.2394105.11159506.2182327.8431295.4887454.220.11906748.479500
  Cert: 9550648a5a11d190bd694413d278a3667e76f5b4
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

With openssl on MinGW I got this:

$ openssl s_client   -connect myserver.my.local:636   -servername myserver.my.local   -verify_hostname myserver.my.local
Connecting to 192.168.0.123
CONNECTED(000001A8)
depth=0 CN=myserver.my.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=myserver.my.local
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=myserver.my.local
verify return:1
---
Certificate chain
 0 s:CN=myserver.my.local
   i:DC=local, DC=my, CN=my-MYSERVER-CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 30 13:28:52 2025 GMT; NotAfter: Sep 30 13:38:52 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF1TCCBL2gAwIBAgITdQAAAAISCJlGkHyOOwAAAAAAAjANBgkqhkiG9w0BAQsF
ADBEMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEjAQBgoJkiaJk/IsZAEZFgJteTEX
MBUGA1UEAxMObXktTVlTRVJWRVItQ0EwHhcNMjUwOTMwMTMyODUyWhcNMjcwOTMw
MTMzODUyWjAcMRowGAYDVQQDExFteXNlcnZlci5teS5sb2NhbDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMMOreFCvm01FMjjIGz0NYDU3NHsxbKBPOLy
y4p/Y9lpx6+zKM+XXVFb99ItPEfK4LzNlRJLY7IObAXtNQf36nu/96uvk0XaSj5p
mHPF4pMxn4oeDZh83PkJY8rysHeOqrNhXI5gKjmo9MVq8daQLd1D9kXSm9Un4Ksc
yLMxiGHlfvpEumz1+/MZwy+Gv1Kyf8HiBH5Y2RtsBF+NE0Ee6Wcykgo8M5reUx0U
CUrQ7O/qX+q1JmPZvb681XlOJIDw/QMpRwqLvdM5zQILILS3y2aHraDrPHQIhrdY
zTVB0jOlVk+MvMqdhpRg/iHsxMiBeRKBeyMIKCKWkWkdzmIXGeUCAwEAAaOCAuYw
ggLiMD0GCSsGAQQBgjcVBwQwMC4GJisGAQQBgjcVCIGSj3mFqY9SgYWZN4SCzT+C
qqcegVyF1t08naIMAgFkAgEBMDIGA1UdJQQrMCkGBysGAQUCAwUGCisGAQQBgjcU
AgIGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwQAYJKwYBBAGC
NxUKBDMwMTAJBgcrBgEFAgMFMAwGCisGAQQBgjcUAgIwCgYIKwYBBQUHAwEwCgYI
KwYBBQUHAwIwHQYDVR0OBBYEFEcboXhmLtccmIYb1B+udwOM8D2CMB8GA1UdIwQY
MBaAFFwDt724fF3vG3TYbJx8cTHinn0uMIHKBgNVHR8EgcIwgb8wgbyggbmggbaG
gbNsZGFwOi8vL0NOPW15LU1ZU0VSVkVSLUNBLENOPW15c2VydmVyLENOPUNEUCxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPW15LERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/
YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvQYIKwYBBQUH
AQEEgbAwga0wgaoGCCsGAQUFBzAChoGdbGRhcDovLy9DTj1teS1NWVNFUlZFUi1D
QSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMs
Q049Q29uZmlndXJhdGlvbixEQz1teSxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jh
c2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBOBgNVHREERzBF
oCIGCisGAQQBgjcUAgOgFAwSTVlTRVJWRVIkQG15LmxvY2FsghFteXNlcnZlci5t
eS5sb2NhbIIIbXkubG9jYWyCAk1ZMA0GCSqGSIb3DQEBCwUAA4IBAQBGUA2hNQgK
oIP52JOGOFfx2zeeaRNYyOC7UtU0WWrxrgUHaOSA4bhhqBadiXGqqJTObssz3rdT
G6Gj5O5neTw4dbIsc82lx4+4QiIVKK08iaa6Z3JbZAvQuaymInfaDtKXgkh5hFrw
jANwg7NfsOim53qbdyuvye2GDXQYjuvhoMN17cU0IfDmjN9ceMNou/PVYjsJkFU5
YMOsjQfR89BrfBfGfIrrbEYPdUcZr4RnQRQFnnakeWZkldY/+aV3CVWuA2bXMgcu
PV870M91hYhK429+OaCo9v8HIDcZ0BgCsVPhVqZjy3zkkkiZ1vK8JqGjzsAKVvwN
Mcb9+/y/D5kY
-----END CERTIFICATE-----
subject=CN=myserver.my.local
issuer=DC=local, DC=my, CN=my-MYSERVER-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 2047 bytes and written 502 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2011000077DDB589038C7340D0DE20ABFEC78DF57ED7A8BA832FA30090ACADEF
    Session-ID-ctx:
    Master-Key: A3A183D5BDE61F59D504C128C19179BB8882AFBA8FEDA6B5C038F3076FBD1A2376FC7BAE6063656EC8E9299ED4E04910
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1765883332
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

but was able to connect to DC via ldp.exe:

Leave a Reply

Your email address will not be published. Required fields are marked *