Questions tagged [crl]

A Certificate Revocation List (CRL) is a blacklist of the serial numbers of revoked or compromised certificates. Because a serial number has no direct relationship to the certificate it identifies and can be fabricated by a compromised CA, a CRL is considered a weak blacklist.

28 votes
4 answers
48k views

How do I check if my SSL certificates have been revoked

The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates. I have two certificates that were generated before the heartbleed vulnerability ...
sridhar pandurangiah
12 votes
1 answer
1k views

How to use Chrome's CRL sets (or some master CRL list) as a CRL file?

I am looking for a master CRL list. The closest thing I have found is the Chromium project's CRLSets. I used crlset-tools to get the crlset (crlset fetch > crl-set) and then dumped the serial ...
test
7 votes
2 answers
12k views

How to check multiple CRL lists with nginx client authentication?

I have a custom easyrsa setup with a root and three CAs signed by the root. (Three different sub-cas depending on the user type), like this: RootCA +----- AdminUserCA +----- EmployeeCA +----- ...
ErebusBat
7 votes
2 answers
10k views

nginx proxy + ssl + crl "400 bad request" error

Here's the situation - there's a transparent nginx proxy that handles SSL certificates and does it well until we decide to add revocation list management, required for security reasons. This is when ...
Pavel Potatis
7 votes
1 answer
7k views

RDP connection to domain server from non-domain client prompts "A revocation check could not be performed"

I've got about 30 Windows 2008 R2 servers as members of a domain, and am attempting to configure the certificates part correctly for remote desktop access to those servers. The catch is that the ...
growse
6 votes
3 answers
4k views

Can Windows log CryptoAPI CRL timeouts?

I suspect that the process of building the CRL cache may cause latency in some applications. We have several .NET applications that occasionally "act slow" with no CPU or disk access. I suspect that ...
makerofthings7
6 votes
1 answer
13k views

OpenSSL error while loading CRLnumber

I am unable to generate a CRL. I am probably missing something in the configuration file. The error I get is "openssl error while loading crl number." Crl config section: [ CA_default ] # ...
Moutabreath
6 votes
1 answer
2k views

How large is the certificate OCSP and CRL cache in my Windows server?

How can I see the size of the in-memory OCSP cache to a CRL cache in my Domain Controllers? In other words, most Windows processes that use CryptoAPIs have an in-memory cache of every CRL and OCSP ...
makerofthings7
6 votes
0 answers
36k views

The revocation function was unable to check revocation because the revocation server was offline

I have a chain of certificates: MYROOTCERT -> MYCHILDCERT. The MYCHILDCERT certificate has a CRL distribution point extension: [1]CRL Distribution Point Distribution Point Name: Full ...
username
5 votes
3 answers
6k views

openvpn: crl has expired?

We have an OpenVPN in our aws setup which was set up by a client and now they are not able to connect to OpenVPN, saying "crl has expired". We are trying to regenerate the crl but to do that we need to ...
Ganesh
4 votes
1 answer
7k views

OpenVPN revoke user - CRL verify issues

I have configured my OpenVPN and it is working properly so far. Lately I had to revoke one certificate and after using easy-rsa revoke-full, I saw that in index.txt that specific user has been ...
dovla110010101
4 votes
1 answer
11k views

How do I change the expiration of CRLs with OpenSSL?

I am currently experimenting with my self-signed CA. But in order for my devices to work I need a valid CRL. I set the CDP to one of the CDN hosting providers. As I have only 5 certificates issued I ...
manatails
4 votes
1 answer
7k views

How to reload Certificate Revocation List (CRL) in nginx?

I have set a CRL file in nginx with the ssl_crl directive: ssl_crl /mypath/crl.pem However, I noticed that adding or removing revoked certificates from crl.pem applies only when I restart or reload nginx ...
bmihelac
4 votes
1 answer
923 views

Revoked certificate is still valid by Google Chrome and Microsoft Edge

I have generated Self-Signed Certificate, Root-CA Signed by Root-CA Then, Intermediate-CA Signed by Root-CA and Server Signed by Intermediate-CA The certificates as given below: Root-CA -> ...
soup
4 votes
1 answer
9k views

Update CRL with OpenVPN server for longer expiration?

If the error "VERIFY ERROR: depth=0, error=CRL has expired" is received when a client attempts to connect to the OpenVPN server, it can be fixed as follows: cd /etc/openvpn/easy-rsa easyrsa ...
AlphaCentauri
4 votes
2 answers
1k views

Migrate an intermediate CA to a new root

Using the Microsoft CA, is there any way to cut over to a new certificate authority from an intermediate authority? Both my systems are Microsoft CAs - I have a 2008 R2 Enterprise CA (intermediate) ...
Tim Brigham
4 votes
0 answers
5k views

Active Directory Certificate Services cannot publish revocation list after renewal with new private Key

In summary: I had a working offline root CA and an AD integrated CA working fine. I renewed the certificate with the same private key and all was good. I then renewed the certificate with a new ...
Ross
3 votes
4 answers
6k views

Can I find out what certificate revocation server an application is contacting?

I'm trying to install an application on a machine running Windows XP Pro. There are two different servers being contacted, both using the same wildcard certificate (GoDaddy). One via https, one ...
Joshua Evensen
3 votes
1 answer
354 views

Hierarchical certification authorities and CRLs

If I implement a PKI with multiple levels of CAs, do I need to have a CRL for each individual CA or can I just have one CRL for the entire hierarchy (i.e. point all certificates to a single CRL), or ...
LawrenceC
3 votes
2 answers
6k views

How to extract CRL location from x509 certificate using OpenSSL utility

I need to extract the crl location from a certificate authority so I can use that in verifying certificates. Is this possible using the openssl utility other than using the -text option and attempting ...
Shawn J. Goff
3 votes
2 answers
34k views

Reset local Certificate Revocation List (CRL) manually

How can I reset the local CRL (in the OS local cache) in Windows OS (XP, Windows 7) manually? We need to reset the local CRL because otherwise the OS will use the local CRL until the "next update" period. As described in "...
Sasha
3 votes
1 answer
10k views

Certificate revocation check fails for non-domain guest in spite of accessible CRL

When we try to use certificates on computers that are not part of the domain, Windows complains that The revocation function was unable to check revocation because the revocation server was ...
0xFE
3 votes
1 answer
49k views

Revocation status of DC can't be verified

A Domain Controller within my forest was working fine (as the story usually goes). Then, suddenly, I can't logon with my smart card. Instead, I'm greeted with the following message: The system ...
Federer
3 votes
1 answer
3k views

How can I make OpenVPN use my CA's CRL Distribution Points when verifying certificates?

I have an existing PKI into which I am trying to integrate an OpenVPN server. I have included CRL Distribution Points into each CA certificate in my chain and I publish the CRLs at a location that is ...
succulent_headcrab
3 votes
1 answer
5k views

Check SSL certificate against CRL when an intermediate CA is in the way

I am trying to understand how to check an SSL certificate, taking into account any relevant published CRL when the certificate chain is the following: Root CA (with no CRL distribution points) ...
mimo
3 votes
1 answer
5k views

Microsoft CRL URLs

We have a number of Exchange servers without access to the internet. When updating Exchange, the fact that all .NET assemblies are signed means the installer needs to check Microsoft's CRL during the ...
visualtrey
3 votes
1 answer
4k views

How often is CRL refreshed, and how to force it to be?

I have a web service running under IIS 7 that requires an X509 client certificate. I know that the server that it runs on needs access to DigiCert.com in order to be able to get the CRL (Certificate ...
lockstock
3 votes
1 answer
1k views

OpenVPN service, run as root:root instead of nobody:nogroup?

This was moved from NetworkEngineering. I used this DigitalOcean guide (hereafter "guide") to set up an OpenVPN service (v2.3.10, OpenSSL 1.0.2g) several months ago. It's worked flawlessly, and it's ...
user38537
3 votes
1 answer
3k views

Openvpn intermediate CA CRL Question

I have created a CA and an intermediate CA using easy-rsa 2.0. On the Openvpn server I use the intermediate certificate export_ca (as per the easy-rsa spec). When I revoke a certificate on my ...
Hilton D
3 votes
0 answers
2k views

The revocation function was unable to check revocation for the certificate

I need to pass IIS certificate authentication on Windows Server 2012. The root cert hasn't got any revocation lists but I'm getting the exception: The revocation function was unable to check ...
Denis Agarev
2 votes
2 answers
3k views

Maximum Size of CRL

Is there a CRL size that is beyond a practical limit? I did not find anything in the RFC. Is there any limit at all on the size of CRLs?
Engineer2021
2 votes
3 answers
13k views

How Can I Disable CRL Checks For A Windows 2008 App Using WinHTTP?

I've got a Windows 2008 server with an app that uses WinHTTP for SSL sessions. The server is isolated from the internet but still tries to connect to CRL distribution points, which leads to some ...
Mike B
2 votes
1 answer
2k views

Updating IIS' default CRL (Certificate Revocation List)

I'm in the process of creating a (IIS 8.5) web server which will require client authentication. Client authentication will be carried out using client certificates which will be issued by a third ...
Mackolicious
2 votes
1 answer
6k views

Implications of Root CA without CRL

I'm currently setting up a PKI for my company and while I have come up with a good layout and planned the overall policy of certificate issuance, I'm still puzzled by what role the CRL plays. By ...
cvaldemar
2 votes
1 answer
6k views

How to verify Certificate Revocation List(s) against multiple certification paths

In a recent question, I outlined the steps for verifying a wildcard SSL certificate for connecting to PostgreSQL from a remote client (using the same wildcard certificate I use for my web server). ...
Parker
2 votes
1 answer
5k views

Windows 2012 SSTP The revocation function was unable to check revocation because the revocation server was offline

In order to get rid of "Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline" you have to install base/delta CRLs on the client you want ...
Theveloper
2 votes
0 answers
2k views

NGINX Client Certificate with Indirect CRL

I'm trying to implement mTLS using the Nginx SSL module. Everything works fine until I give Nginx CRL files concatenated in PEM format, because one of the CRLs is an indirect CRL. The chain for a leaf ...
Romain V...
2 votes
0 answers
721 views

Keeping revocation lists up to date on Debian

I am using Debian Linux on several machines with different services (Apache, Freeradius, etc...) together with a Windows Server 2008R2 CA. I install the CA certificate by downloading it to /usr/local/...
terminal
2 votes
1 answer
3k views

Revoke multiple client certs signed by one CA: only the first one got denied?

OS: Ubuntu 12.04 OpenVPN version: 2.2.1-8 Setup: one CA cert, one server cert, multiple client certs Server config: port 1194 proto udp dev tun keepalive 10 120 comp-lzo user nobody group nogroup ...
quanta
2 votes
1 answer
552 views

CRL Check Questions

Windows XP | IE 7 Hi guys, From time to time, I'm seeing the following error come up: Revocation information for the security certificate for this site is not available. Do you want to ...
Mike B
1 vote
1 answer
5k views

CRL revocation check failed

Issue with crl revocation check. I can telnet the target server on port 80. I can download the crl with Internet Explorer. But when I launch certutil: C:\Users\Administrateur\Desktop>certutil -urlfetch -...
Alex Lum
1 vote
1 answer
12k views

How to publish a CRL for an internal Windows certification authority?

I have an Active Directory domain with an Enterprise Root Certification Authority in it; the domain uses a private domain name ("domain.local"), and we also have a public domain name ("domain.com"). ...
Massimo
1 vote
1 answer
198 views

What determines the CRL expiration date and validity in PKI?

I'm working with Microsoft's Public Key Infrastructure (PKI) and I'm interested to know more about how the expiration date of a CRL is determined and how it can be adjusted in a Microsoft PKI ...
kambm
1 vote
1 answer
2k views

RabbitMQ CRL Configuration

I've been trying to find available options for configuring CRL checking within RabbitMQ. RabbitMQ in turn seems to rely on Erlang's SSL library. Unfortunately, knowing very little about Erlang, so it ...
J Trana
1 vote
1 answer
111 views

Windows Server 2003: Taking Root and Intermediate CAs offline causes failure in Enterprise CA

I installed 3 CAs in a lab environment: SA Root CA SA Intermediate CA Enterprise CA (also DC) The instructor recommends taking the Root and Intermediate CAs offline once the Enterprise CA has been ...
Dean
1 vote
1 answer
3k views

How can we clear the CRL cache in Windows Server 2008 using the certutil command?

I know we can clear the CRL cache in Windows Server 2008 using the certification authority UI. However, I want to automate the process and am therefore looking for a way to do it from the command line. Is it ...
Andy Brikshaw
1 vote
1 answer
421 views

Considerations for certificate revocation for intermittently isolated ad-hoc networks

I'm trying to decide on a certificate revocation strategy for a solution I'm designing (that will utilize Dogtag PKI, per customer request). The obvious choices seem to be using a CRL or using OCSP. I'...
G__
1 vote
1 answer
1k views

What should be the CRL publishing period for corporate environments?

I am trying to suggest a CRL publishing period for a Microsoft CA; the user certificates are going to be used for digital signatures. There can be cases where a user certificate may be revoked. ...
abmv
1 vote
2 answers
336 views

What is the best practice to handle expiring S/MIME mail certificates

Where can I find info regarding the proper way to handle expiring mail certificates? Here's the problem: our certificates for digitally signing mails expire after a year. If, a week before expiry, I ...
Jürgen Depicker
1 vote
1 answer
2k views

CRL distribution point with multiple names

I'd like to create a certificate with a CRL distribution point which contains multiple URLs (pointing to the same CRL, according to RFC 5280): When OpenSSL parses such a certificate, it shows something ...
Laney