Error validating certificate in Pop3 and Smtp in a specific client

+1 vote
asked Sep 10, 2015 by Albert (160 points)
edited Sep 10, 2015 by Tomas Knopp

Hello,
we have a problem in one of our clients running Windows 2003 small bussiness server, our windows service is running under local system account.

I've searched this forum and found a code you posted to instruct rebex components to accept all certificates, then save the certificate and do the chain validation using X509Certificate2 class.

This is the code I've used:

if ( args.Length != 4 )
{
    Console.WriteLine( "Uso: TestCertificadoEmail <smtp|pop3> <host> <port> <implicit|explicit>" );
    return;
}

try
{
    CertificateChain certChain = null;

    if ( args[0] == "smtp" )
    {
        // 1. Use Rebex SMTP to download the server certificate into a file
        Smtp client = new Smtp();
        client.Settings.SslAcceptAllCertificates = true;
        client.Connect( args[1], Convert.ToInt32( args[2] ), args[3] == "implicit" ? SslMode.Implicit : SslMode.Explicit );
        certChain = client.TlsSocket.ServerCertificate;
    }
    else if ( args[0] == "pop3" )
    {
        Pop3 client = new Pop3();
        client.Settings.SslAcceptAllCertificates = true;
        client.Connect( args[1], Convert.ToInt32( args[2] ), args[3] == "implicit" ? SslMode.Implicit : SslMode.Explicit );
        certChain = client.TlsSocket.ServerCertificate;
    }
    else
    {
        Console.WriteLine( "Protocolo no soportado" );
        return;
    }

    foreach ( var rebexCert in certChain )
    {
        Console.WriteLine( rebexCert.GetCommonName() );
        rebexCert.Save( "cert.der", CertificateFormat.Base64Der );
        // 2. Validate the certificate (from the file) without using any Rebex code

        X509Certificate2 cert = new X509Certificate2( "cert.der" );

        X509ChainPolicy policy = new X509ChainPolicy();
        policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        policy.RevocationMode = X509RevocationMode.Online;

        X509Chain chain = new X509Chain( false );

        try
        {
            chain.ChainPolicy = policy;

            bool valid = chain.Build( cert );
            Console.WriteLine( "Is valid: {0}", valid );
            foreach ( X509ChainStatus s in chain.ChainStatus )
            {
                X509ChainStatusFlags flags = s.Status;

                Console.WriteLine( "Status: {0}", flags );
            }
        }
        finally
        {
            chain.Reset();
        }
    }
    Console.ReadLine();
}
catch ( Exception ex )
{
    Console.WriteLine( ex.Message );
    Console.WriteLine( ex.StackTrace );
}

And this is the result i get when I connect in this machine to pop.gmail.com port 995.

pop.gmail.com
Is valid: False
Status: NotSignatureValid
Status: RevocationStatusUnknown
Status: OfflineRevocation
Google Internet Authority G2
Is valid: False
Status: NotSignatureValid
Status: RevocationStatusUnknown
Status: OfflineRevocation
GeoTrust Global CA
Is valid: True

Of course this has something to do with this particular machine, because the same test run in my developer machine says all the certificates are valid.

What can I do to solve this certificate problem?

Thanks.

Applies to: Rebex Secure Mail

3 Answers

0 votes
answered Sep 21, 2015 by Tomas Knopp (58,890 points)
selected Sep 25, 2015 by Albert
 
Best answer

Hello and thank you for your last outputs of the certutil.exe!

Finally we were able to find the cause of the issue.

The certutil failed with 0x80096004 (-2146869244) error code, which is a known issue with some older Windows systems including Windows Server 2003 that do not support SHA2 hashing algorithms. This is well described in the following blogpost.

In short, the certificate validation at the particular Windows machine fails because the certificates in the chain use the SHA2 hashing algorithms whihc is not supported by your server.

Fortunatelly, Microsoft offers hotfix for the missing SHA2 algorithm problem. So please download the hotfix, install it at your server and then try to validate the certificates one more time. This should make it possible to validate the certificates.

Please let us know whether the issue has been resolved by applying the fix.

commented Sep 21, 2015 by Albert (160 points)
We will talk to to the client and recomend them to upgrade the server to a newer operating system or apply the hotfix.
Meanwhile we have modified our service to set the SslAcceptAllCertificates in this particular client, letting them know that this is insecure.

If they decide to apply the hotfix, I will let you know.
commented Sep 25, 2015 by Tomas Knopp (58,890 points)
Any news from your client on this issue? It would be good to know if the Microsoft hotfix has helped.
commented Sep 25, 2015 by Albert (160 points)
Yes, the client has decided to stay with the SslAcceptAllCertificates bit set to true, despite our warnings.
We have not installed the hotfix.
0 votes
answered Sep 11, 2015 by Tomas Knopp (58,890 points)

Hello,

is there any difference if you validate the certificate with .NET classes, but this time using the machine context? E.g in the code above please try to change from:

X509Chain chain = new X509Chain(false);

to

X509Chain chain = new X509Chain(true);

And then let me know whether you are able to validate the certificate on the problematic machine using machine context.

commented Sep 14, 2015 by Albert (160 points)
Hello,

I've tested with machine context and the same result.

pop.gmail.com
Is valid: False
Status: NotSignatureValid
Status: RevocationStatusUnknown
Status: OfflineRevocation
Google Internet Authority G2
Is valid: False
Status: NotSignatureValid
Status: RevocationStatusUnknown
Status: OfflineRevocation
GeoTrust Global CA
Is valid: True
0 votes
answered Sep 14, 2015 by Tomas Knopp (58,890 points)

Hi,

The X509ChainStatusFlags.RevocationStatusUnknown means that "It is not possible to determine whether the certificate has been revoked. This can be due to the certificate revocation list (CRL) being offline or unavailable". (See http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509chainstatusflags.aspx)
The error itself actually comes from Windows CryptoAPI's CertGetCertificateChain function (see http://msdn.microsoft.com/en-us/library/windows/desktop/aa376078%28v=vs.85%29.aspx and http://msdn.microsoft.com/en-us/library/windows/desktop/aa377590%28v=vs.85%29.aspx) for more information.

This means that in order to determine what is wrong with certificate validation on your machine, you will have to look deeper – it doesn't seem to be related to Rebex code.

Please download and save Gmail's certificate, using the following code for example:

using System;
using Rebex.Net;
using Rebex.Security.Certificates;
using System.Security.Cryptography.X509Certificates;
... 

// 1. Use Rebex POP3 to download the server certificate into a file
Pop3 client = new Pop3();
client.Settings.SslAcceptAllCertificates = true;
client.Connect("your-pop3-server", SslMode.Implicit);
client.TlsSocket.ServerCertificate[0].Save("certificate.der", CertificateFormat.Base64Der);

Then run the following command line utility on the gmail.der file (at the machine that fails to validate the certificate):
certutil -verify -urlfetch certificate.der
And check its output (send us a copy if possible) – there might be something useful there.

commented Sep 14, 2015 by Tomas Knopp (58,890 points)
One of our customer was experiencing the same problem and they finally found that at the site where the problem occurred, IE was configured to use a HTTP proxy.

Their program was running as a service on the localsystem account and could not use the HTTP proxy which resulted in the inability to perform the CRL revocation check.

However, running their program with a windows domain account, or with a local account with proxy settings disabled in IE, solved their problem.
commented Sep 15, 2015 by Albert (160 points)
Hi, I've checked the IE configuration, no proxy is configured.

Here is the output of the certutil command:

Emisor:
    OU=Equifax Secure Certificate Authority
    O=Equifax
    C=US
Asunto:
    CN=GeoTrust Global CA
    O=GeoTrust Inc.
    C=US
Nº. de serie de cert.: 12bbe6

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 35 Minutes, 8 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 35 Minutes, 8 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Serial: 12bbe6
  73 59 75 5c 6d f9 a0 ab c3 06 0b ce 36 95 64 c8 ec 45 42 a3
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  Comprobado "CRL de base" Tiempo: 0
    [0.0] http://crl.geotrust.com/crls/secureca.crl

  ----------------  CDP de CRL base  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  --------------------------------
    CRL 0:
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    84 66 8a 48 0f 3e 74 82 62 af 80 c6 e7 2b 61 e1 b5 bd 7a 96
  Application[0] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[1] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[2] = 1.3.6.1.5.5.7.3.3 Firma de código

CertContext[0][1]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Serial: 35def4cf
  d2 32 09 ad 23 d3 14 23 21 74 e4 0d 7f 9d 62 13 97 86 63 3a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  Error "CDP" Tiempo: 0
    Error al recuperar la dirección URL: El sistema no puede abrir el dispositivo o archivo especificado. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary

  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[1] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[2] = 1.3.6.1.5.5.7.3.3 Firma de código

Exclude leaf cert:
  51 5c b6 a9 53 ed bd 25 a9 8a 24 66 2e 70 6e 54 85 e7 9c f6
Full chain:
  87 c6 58 e5 32 3a d8 b8 6c be a8 89 ca 2f 03 51 44 a1 db 7a
------------------------------------
Directivas de emisión comprobadas: Todo
Directivas de aplicación comprobadas:
    1.3.6.1.5.5.7.3.4 Correo seguro
    1.3.6.1.5.5.7.3.1 Autenticación del servidor
    1.3.6.1.5.5.7.3.3 Firma de código
El certificado es de entidad emisora
La comprobación de revocación del certificado de hoja ha sido correcta
CertUtil: -verify comando completado satisfactoriamente.
commented Sep 15, 2015 by Tomas Knopp (58,890 points)
The certutil utility validates the certificate without problems. Did you run it normally under the local account? The thing is that the windows service under your "local system" account might be using different proxy setup. By checking your IE proxy settings under the local system account you were not actually checking the proxy settings that the windows service is using.

There is a neat blogpost at http://blogs.technet.com/b/bshukla/archive/2012/04/30/certificate-revocation-checked-failed.aspx describing  the same problem (CRL check failing under windows service in "local system" account). It contains a step-by-step guide that will allow you to check the settings that the windows service is using. Please give it a try and let me know whether you are able to validate the certificate after applying the how-to.
commented Sep 16, 2015 by Albert (160 points)
Hi, I've followed the steps described in the blogpost to get a cmd window running under local system account. Checked internet explorer, still no proxy settings.

I've cleared the certificate cache, as described in the post and ran again the .Net validation program under this local system cmd window and it gives me the same result.

I've noticed in the certutil -verify output I sent you yesterday, there is an error:

Error al recuperar la dirección URL: El sistema no puede abrir el dispositivo o archivo especificado. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary

Maybe it has something to do with this error?
commented Sep 17, 2015 by Tomas Knopp (58,890 points)
Thanks for your reply. Actually, the certutil.exe did not fail because the final message says:

"El certificado es de entidad emisora
 La comprobación de revocación del certificado de hoja ha sido correcta
 CertUtil: -verify comando completado satisfactoriamente."

which google translates as
"The certificate revocation check sheet was successful  CertUtil: -verify command completed successfully."

So actually it was able to fetch the CRL's from the HTTP address provided (however, it was unable to download the CRL's from the LDAP address which is what the error

"Error al recuperar la dirección URL: El sistema no puede abrir el dispositivo o archivo especificado. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary"

says).

So one more thing to try:
please run the certutil.exe utility one more time at the problematic account, but this time run it as the windows service.

Just open the "windows service" commandline following points 1- 5 from the blogpost http://blogs.technet.com/b/bshukla/archive/2012/04/30/certificate-revocation-checked-failed.aspx

Then run the
certutil -verify -urlfetch certificate.der

in the windows service commandline

and plese send us its output.
Hope we will see why the CRL check fails under the widows service based on its output.
commented Sep 17, 2015 by Albert (160 points)
Hello,
I've ran a batch file with these commands, under the localsystem account:

whoami
TestCertificadoEmail pop3 pop.gmail.com 995 implicit
certutil -verify -urlfetch cert.der

Here is the output, it seems that the certutil validates ok the certificate.


C:\Documents and Settings\Administrador\Escritorio\Test certificado>whoami
nt authority\system

C:\Documents and Settings\Administrador\Escritorio\Test certificado>TestCertificadoEmail pop3 pop.gmail.com 995 implicit
pop.gmail.com
Is valid: False
Status: NotSignatureValid
Status: RevocationStatusUnknown
Status: OfflineRevocation
Google Internet Authority G2
Is valid: False
Status: NotSignatureValid
Status: RevocationStatusUnknown
Status: OfflineRevocation
GeoTrust Global CA
Is valid: True

C:\Documents and Settings\Administrador\Escritorio\Test certificado>certutil -verify -urlfetch cert.der
Emisor:
    OU=Equifax Secure Certificate Authority
    O=Equifax
    C=US
Asunto:
    CN=GeoTrust Global CA
    O=GeoTrust Inc.
    C=US
Nº. de serie de cert.: 12bbe6

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 2 Hours, 49 Minutes, 26 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 2 Hours, 49 Minutes, 26 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Serial: 12bbe6
  73 59 75 5c 6d f9 a0 ab c3 06 0b ce 36 95 64 c8 ec 45 42 a3
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  Comprobado "CRL de base" Tiempo: 0
    [0.0] http://crl.geotrust.com/crls/secureca.crl

  ----------------  CDP de CRL base  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  --------------------------------
    CRL 0:
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    bd d5 c5 a0 5a a0 4a 14 79 3b 45 cc 0d 64 eb 6f e8 3f 9c a6
  Application[0] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[1] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[2] = 1.3.6.1.5.5.7.3.3 Firma de código

CertContext[0][1]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Serial: 35def4cf
  d2 32 09 ad 23 d3 14 23 21 74 e4 0d 7f 9d 62 13 97 86 63 3a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  Error "CDP" Tiempo: 0
    Error al recuperar la dirección URL: El sistema no puede abrir el dispositivo o archivo especificado. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary

  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[1] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[2] = 1.3.6.1.5.5.7.3.3 Firma de código

Exclude leaf cert:
  40 20 cc af 0c 78 d0 53 79 85 e8 0f 06 4d 76 ad 1e 2e b7 0e
Full chain:
  57 83 22 ef 17 87 f4 ff ad 64 96 92 33 15 8e df 37 10 fa ea
------------------------------------
Directivas de emisión comprobadas: Todo
Directivas de aplicación comprobadas:
    1.3.6.1.5.5.7.3.4 Correo seguro
    1.3.6.1.5.5.7.3.1 Autenticación del servidor
    1.3.6.1.5.5.7.3.3 Firma de código
El certificado es de entidad emisora
La comprobación de revocación del certificado de hoja ha sido correcta
CertUtil: -verify comando completado satisfactoriamente.
commented Sep 17, 2015 by Tomas Knopp (58,890 points)
Thank you for running it. One more question, just to make sure:

When writing
   > "under the localsystem account"

do you mean you ran it under the windows service (as described in the blogpost) , or in a standard commandline? Thanks for clarification.
commented Sep 17, 2015 by Albert (160 points)
Under the windows service, see that I included a "whoami" command in the batch to verify I was under the nt authority\system account.
commented Sep 18, 2015 by Lukas Pokorny (102,210 points)
Actually, when you run `certutil` after running your test code, it only checks the last certificate in the chain because your code overwrites "cert.der" in the foreach loop. The last certificate in the chain happens to be "GeoTrust Global CA" (issued by "Equifax Secure Certificate Authority"), which is actually reported as valid by your code as well (so it's not really any surprise that `certutil` considers them valid as well).

Please try running `certutil` on one of the two certificates that are NOT reported as valid by your code as well. These are the first and second certificates in the chain. This should finally make it possible to determine the cause of the validation issues. Thanks!
commented Sep 21, 2015 by Albert (160 points)
Oops, you're right.

Here is the output for the 2 first certificates in the chain:

Cert 1:

Emisor:
    CN=Google Internet Authority G2
    O=Google Inc
    C=US
Asunto:
    CN=pop.gmail.com
    O=Google Inc
    L=Mountain View
    S=California
    C=US
Nº. de serie de cert.: 4ab74e106987e48d

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000048
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  Subject: CN=pop.gmail.com, O=Google Inc, L=Mountain View, S=California, C=US
  Serial: 4ab74e106987e48d
  f9 81 fc 97 8c 00 53 89 4f fb 06 00 4e fc 4a 09 8a fd ba 18
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificado AIA  ----------------
  Emisor incorrecto "Certificado (0)" Tiempo: 0
    [0.0] http://pki.google.com/GIAG2.crt

  ----------------  Certificado CDP  ----------------
  Comprobado "CRL de base (869)" Tiempo: 0
    [0.0] http://pki.google.com/GIAG2.crl

  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.11129.2.5.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[1] = 1.3.6.1.5.5.7.3.2 Autenticación del cliente

CertContext[0][1]: dwInfoStatus=2 dwErrorStatus=1000048
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Serial: 023a83
  17 8f 7e 93 a7 4e d7 3d 88 c2 90 42 22 0b 9a e6 e4 b3 71 cd
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  Comprobado "CRL de base" Tiempo: 0
    [0.0] http://g.symcb.com/crls/gtglobal.crl

  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.11129.2.5.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[1] = 1.3.6.1.5.5.7.3.2 Autenticación del cliente
  Application[2] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[3] = 1.3.6.1.5.5.7.3.3 Firma de código
  Application[4] = 1.3.6.1.5.5.7.3.8 Impresión de fecha

CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Serial: 023456
  de 28 f4 a4 ff e5 b9 2f a3 c5 03 d1 a3 49 a7 f9 96 2a 82 12
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[1] = 1.3.6.1.5.5.7.3.2 Autenticación del cliente
  Application[2] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[3] = 1.3.6.1.5.5.7.3.3 Firma de código
  Application[4] = 1.3.6.1.5.5.7.3.8 Impresión de fecha

Exclude leaf cert:
  e3 37 31 29 35 60 64 1d 69 7b f5 b0 35 6a 8e 4b 4d f7 56 90
Full chain:
  cd e3 7b 52 c8 12 d4 48 78 c5 78 ce ff 0a 8e 7f b0 5c a6 6e
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  Subject: CN=pop.gmail.com, O=Google Inc, L=Mountain View, S=California, C=US
  Serial: 4ab74e106987e48d
  f9 81 fc 97 8c 00 53 89 4f fb 06 00 4e fc 4a 09 8a fd ba 18
No se puede comprobar la firma del certificado. 0x80096004 (-2146869244)
------------------------------------
CertUtil: -verify error del comando: 0x80096004 (-2146869244)
CertUtil: No se puede comprobar la firma del certificado.
commented Sep 21, 2015 by Albert (160 points)
Cert 2:

Emisor:
    CN=GeoTrust Global CA
    O=GeoTrust Inc.
    C=US
Asunto:
    CN=Google Internet Authority G2
    O=Google Inc
    C=US
Nº. de serie de cert.: 023a83

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000048
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Serial: 023a83
  17 8f 7e 93 a7 4e d7 3d 88 c2 90 42 22 0b 9a e6 e4 b3 71 cd
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  Comprobado "CRL de base" Tiempo: 0
    [0.0] http://g.symcb.com/crls/gtglobal.crl

  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.11129.2.5.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[1] = 1.3.6.1.5.5.7.3.2 Autenticación del cliente
  Application[2] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[3] = 1.3.6.1.5.5.7.3.3 Firma de código
  Application[4] = 1.3.6.1.5.5.7.3.8 Impresión de fecha

CertContext[0][1]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Serial: 023456
  de 28 f4 a4 ff e5 b9 2f a3 c5 03 d1 a3 49 a7 f9 96 2a 82 12
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificado AIA  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  ----------------  Certificado CDP  ----------------
  No hay direcciones URL "Ninguno" Tiempo: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor
  Application[1] = 1.3.6.1.5.5.7.3.2 Autenticación del cliente
  Application[2] = 1.3.6.1.5.5.7.3.4 Correo seguro
  Application[3] = 1.3.6.1.5.5.7.3.3 Firma de código
  Application[4] = 1.3.6.1.5.5.7.3.8 Impresión de fecha

Exclude leaf cert:
  17 8f 7e 93 a7 4e d7 3d 88 c2 90 42 22 0b 9a e6 e4 b3 71 cd
Full chain:
  8d 7b 72 70 27 be 34 54 82 fc 05 02 5d 3f 41 c6 24 02 0d c4
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Serial: 023a83
  17 8f 7e 93 a7 4e d7 3d 88 c2 90 42 22 0b 9a e6 e4 b3 71 cd
No se puede comprobar la firma del certificado. 0x80096004 (-2146869244)
------------------------------------
CertUtil: -verify error del comando: 0x80096004 (-2146869244)
CertUtil: No se puede comprobar la firma del certificado.
...