AnsweredAssumed Answered

PI Web API SSL Certificate: certificate failed basic validation policy

Question asked by Roger Palmen on Aug 6, 2019
Latest reply on Jul 22, 2020 by Roger Palmen

Like • Show 1 Like1
Comment • 3

Needed to renew a certificate on a PI Vision / PI Web API Server, so looked into https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB01649 for details as the certificate did not show up in the dialog to select a new one.

Not the verbose logging indicates: <...id...> not shown: certificate failed basic validation policy

Not what does that mean? I have a valid chain of trust, certificate is not expired, and certificate details show no difference with the previous one. Any details available why the certificate is not shown?

Now reverting to exchanging the certificate in IIS... although that is not the recommended path. The PI Web API Admin utility does show the Cert set in IIS, and it allows to save this configuration. So that is a workaround which does not leave the PI Web API configuration stale.

kduffy Aug 6, 2019 1:47 PM

Correct Answer

Hey Roger,

If I had to guess, I would say that your certificate revocation chain could not be verified.

The PI Web API admin utility performs a "hard fail" which means that if the entire revocation chain cannot be contacted to confirm that the certificate hash is not listed in the revocation server's certificate revocation list, then it will not allow it to be trusted.

Browsers, IIS, most other software, etc, perform "soft fails" which means that if the entire revocation chain cannot be contacted, then it will simply assume it hasn't been revoked and it will let you use it.

The Web API developers did not feel comfortable populating a non-verifiable certificate in our admin utility because users may not be aware that their CRL server is offline or otherwise unreachable, but we put in a concession that if the certificate is bound already to that port, then we will allow it to continue to be used.

This prevents people from unknowingly using a certificate that was never actually verified, while also not preventing users from using the certificate anyway if they so choose. The procedure you followed is exactly the procedure we recommend when the CRL server is not reachable.

To verify if this is in fact the case, can you run the certutil -verify <pathtocertificate>. That output should show why it failed.

Kelsey

See the reply in context

No one else had this question

Outcomes

kduffy Aug 6, 2019 1:47 PM

Hey Roger,

If I had to guess, I would say that your certificate revocation chain could not be verified.

To verify if this is in fact the case, can you run the certutil -verify <pathtocertificate>. That output should show why it failed.

Kelsey

2 people found this helpful

Actions

Roger Palmen @ kduffy on Aug 6, 2019 3:21 PM

Ah, that is helpful!

Servers are not connected to the servers that issued the company root certificates, but those are distributed by the domain controller.

So using chrome developer pane i exported the certificate to a .cer file, ran that through CertUtil: Certutil -verify newcertificate.cer and the results indeed confirm this is the issue:

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

Actions

Roger Palmen Jul 22, 2020 11:21 AM

In case there is no access to IIS (e.g. if you use a PI integrator) or PI Web API only, you can use

netsh http delete

to remove and

netsh http add

to bind the proper certificate without being blocked by certificate revocation checks or other issues blocking the use of the certificate.

Details here: How to: Configure a Port with an SSL Certificate - WCF | Microsoft Docs

Actions

3 Replies

kduffy Aug 6, 2019 1:47 PM
Unmark Correct
Correct Answer
Hey Roger,

If I had to guess, I would say that your certificate revocation chain could not be verified.

The PI Web API admin utility performs a "hard fail" which means that if the entire revocation chain cannot be contacted to confirm that the certificate hash is not listed in the revocation server's certificate revocation list, then it will not allow it to be trusted.

Browsers, IIS, most other software, etc, perform "soft fails" which means that if the entire revocation chain cannot be contacted, then it will simply assume it hasn't been revoked and it will let you use it.

The Web API developers did not feel comfortable populating a non-verifiable certificate in our admin utility because users may not be aware that their CRL server is offline or otherwise unreachable, but we put in a concession that if the certificate is bound already to that port, then we will allow it to continue to be used.

This prevents people from unknowingly using a certificate that was never actually verified, while also not preventing users from using the certificate anyway if they so choose. The procedure you followed is exactly the procedure we recommend when the CRL server is not reachable.

To verify if this is in fact the case, can you run the certutil -verify <pathtocertificate>. That output should show why it failed.

Kelsey
2 people found this helpful
Like • Show 0 Likes0
Actions
- Roger Palmen @ kduffy on Aug 6, 2019 3:21 PM
  Mark Correct
  Correct Answer
  Ah, that is helpful!
  Servers are not connected to the servers that issued the company root certificates, but those are distributed by the domain controller.
  
  So using chrome developer pane i exported the certificate to a .cer file, ran that through CertUtil: Certutil -verify newcertificate.cer and the results indeed confirm this is the issue:
  
  ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
  CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
  Like • Show 3 Likes3
  Actions
Roger Palmen Jul 22, 2020 11:21 AM
Mark Correct
Correct Answer
In case there is no access to IIS (e.g. if you use a PI integrator) or PI Web API only, you can use
```
netsh http delete
```
to remove and
```
netsh http add 
```
to bind the proper certificate without being blocked by certificate revocation checks or other issues blocking the use of the certificate.

Details here: How to: Configure a Port with an SSL Certificate - WCF | Microsoft Docs
Like • Show 1 Like1
Actions

PI Web API SSL Certificate: certificate failed basic validation policy

Outcomes

Related Content

Recommended Content