
When performing certificate verification, certutil.exe connects to various external resources. The utility freezes for 5-10 seconds at the CERT_CHAIN_POLICY_BASE step, for end-entity and even root certificates. How can this be disabled, and why does it happen? I copied certutil.exe from another server that does not have this problem, compared the hashes, and ran it, but the result is the same.

Command: certutil.exe -verify GlobalSign_root.cer

Operating system: Microsoft Windows Server 2016 Standard 10.0.14393 N/A Build 14393

External resources it connects to:

  • a95-101-142-11.deploy.static.akamaitechnologies.com:http
  • map2.hwcdn.net:http
  • 80-239-217-59.customer.teliacarrier.com:http
  • others

Procmon64.exe shows which process makes the connections: certutil.exe

Command output:

C:\Temp\certs>certutil -verify GlobalSign.cer
Issuer:
    CN=GlobalSign
    O=GlobalSign
    OU=GlobalSign Root CA - R3
  Name Hash(sha1): f59c687f2418d62a790f7592330756ea85e94707
  Name Hash(md5): 01728e1ecf7a9d86fb3cec8948aba953
Subject:
    CN=GlobalSign
    O=GlobalSign
    OU=GlobalSign Root CA - R3
  Name Hash(sha1): f59c687f2418d62a790f7592330756ea85e94707
  Name Hash(md5): 01728e1ecf7a9d86fb3cec8948aba953
Cert Serial Number: 04000000000121585308a2

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  NotBefore: 3/18/2009 3:00 AM
  NotAfter: 3/18/2029 3:00 AM
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Serial: 04000000000121585308a2
  Cert: d69b561148f01c77c54578c10926df5b856976ad
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
  Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
  Application[6] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination
  Application[7] = 1.3.6.1.5.5.7.3.7 IP security user

Exclude leaf cert:
  Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
  Chain: d69b561148f01c77c54578c10926df5b856976ad
------------------------------------
Verified Issuance Policies: All
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.3 Code Signing
    1.3.6.1.5.5.7.3.4 Secure Email
    1.3.6.1.5.5.7.3.8 Time Stamping
    1.3.6.1.4.1.311.10.3.4 Encrypting File System
    1.3.6.1.5.5.7.3.6 IP security tunnel termination
    1.3.6.1.5.5.7.3.7 IP security user
Cert is a CA certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

C:\Temp\certs>

It also passes for an end-entity certificate, but still makes the external connections.

....
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully
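One way to check whether the outbound connections come from revocation checking, as an added PowerShell example (not from the original post; the certificate path is an assumption): build the chain for the same file with .NET's X509Chain, once with online revocation checking and once with it disabled, and compare the timing and status of the two runs.

```powershell
# Added example (not from the original post): compare chain building with
# online revocation checking against no revocation checking, so you can tell
# whether the outbound connections come from CRL/OCSP (revocation) retrieval.
# The certificate path below is an assumption; replace it with your own file.
Add-Type -AssemblyName System.Security

$certPath = 'C:\Temp\certs\GlobalSign_root.cer'   # assumed path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)

function Test-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = $Mode
    # Same scope certutil showed above: check the chain but skip the root.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Cap URL retrieval so a dead revocation endpoint cannot hang the run.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($Certificate)
    $sw.Stop()

    [pscustomobject]@{
        RevocationMode = $Mode
        Built          = $ok
        Seconds        = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Elements       = $chain.ChainElements.Count
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# A delay that appears only in the Online row points at revocation URL
# retrieval (CRL/OCSP endpoints, commonly hosted on CDNs); NoCheck never
# touches the network, so it is the baseline for local-only chain building.
foreach ($mode in 'Online', 'NoCheck') {
    Test-ChainBuild -Certificate $cert -Mode $mode
}
```

If the NoCheck run is fast and the Online run shows the 5-10 second delay, the connections are revocation fetches rather than a defect in the certutil binary itself.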

1 Answer


Is the output different if you disable network communication (for example, so that DNS names not in the hosts file cannot be resolved)?

I copied certutil.exe from another server that does not have this problem, compared the hashes, and ran it, but the result is the same.

Can you clarify this? Do you mean that you copied an alternative version of certutil.exe from a different server and did not see the same behavior?

If so, there is a documented issue with certutil.exe in the exact version of Windows Server 2016 you are running, as described below:

In that case the error was a failure to enumerate or verify the certificate policies enforced by the issuing CA, but since Microsoft recommends:

Copy the certutil file (together with the accompanying certutil.exe.mui) from the System32 folder of a Windows Server 2012 R2, Windows Server 2019 or Windows 10 computer. Put it and the certificate file you want to check in a separate folder, and run it from there.

...you may want to verify the behavior on other versions of Windows Server or with other versions of certutil.

answered 2021-05-07T20:40:24.010