Certificate Certutil.exe连接到外部资源
执行证书验证时,certutil.exe连接到不同的外部资源。 UTI在step CERT_CHAIN_POLICY_BASE、endentity甚至根证书上冻结5-10秒。 它是如何被禁用的,为什么会发生这种情况? 我从另一台服务器上复制了certutil.exe,与哈希值相比,该服务器上没有此类问题,但启动的是相同的 命令:Certificate Certutil.exe连接到外部资源,certificate,x509,certutil,Certificate,X509,Certutil,执行证书验证时,certutil.exe连接到不同的外部资源。 UTI在step CERT_CHAIN_POLICY_BASE、endentity甚至根证书上冻结5-10秒。 它是如何被禁用的,为什么会发生这种情况? 我从另一台服务器上复制了certutil.exe,与哈希值相比,该服务器上没有此类问题,但启动的是相同的 命令:certutil.exe-验证GlobalSign\u root.cer 操作系统:Microsoft Windows Server 2016标准10.0.14393不适
certutil.exe-验证GlobalSign\u root.cer
操作系统:Microsoft Windows Server 2016标准10.0.14393不适用构建14393
它连接的外部资源:
- a95-101-142-11.deploy.static.akamaitechnologies.com:http
- net:http
- 80-239-217-59.customer.teliacarrier.com:http
- 其他
C:\Temp\certs>certutil -verify GlobalSign.cer
Issuer:
CN=GlobalSign
O=GlobalSign
OU=GlobalSign Root CA - R3
Name Hash(sha1): f59c687f2418d62a790f7592330756ea85e94707
Name Hash(md5): 01728e1ecf7a9d86fb3cec8948aba953
Subject:
CN=GlobalSign
O=GlobalSign
OU=GlobalSign Root CA - R3
Name Hash(sha1): f59c687f2418d62a790f7592330756ea85e94707
Name Hash(md5): 01728e1ecf7a9d86fb3cec8948aba953
Cert Serial Number: 04000000000121585308a2
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
NotBefore: 3/18/2009 3:00 AM
NotAfter: 3/18/2029 3:00 AM
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Serial: 04000000000121585308a2
Cert: d69b561148f01c77c54578c10926df5b856976ad
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing
Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
Application[6] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination
Application[7] = 1.3.6.1.5.5.7.3.7 IP security user
Exclude leaf cert:
Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
Chain: d69b561148f01c77c54578c10926df5b856976ad
------------------------------------
Verified Issuance Policies: All
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.3 Code Signing
1.3.6.1.5.5.7.3.4 Secure Email
1.3.6.1.5.5.7.3.8 Time Stamping
1.3.6.1.4.1.311.10.3.4 Encrypting File System
1.3.6.1.5.5.7.3.6 IP security tunnel termination
1.3.6.1.5.5.7.3.7 IP security user
Cert is a CA certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
C:\Temp\certs>
它也获得了亲昵证书,但仍然进行外部连接
....
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully
如果禁用网络通信(例如,无法联系非主机文件DNS),输出是否不同 从另一台服务器复制certutil.exe,与哈希值相比,该服务器未启动此类问题,但相同 你能澄清一下吗?您是说您从其他服务器复制了certutil.exe的备用版本,但没有看到相同的行为 如果是这样,则您正在运行的Windows Server 2016的确切版本中存在certutil.exe的记录问题,如下所述: