Hi Michael
I just tried setting the Internet Explorer options to verify the revocation status of a certificate before accessing the SSL site. What happens is that IE is not able to check the CRL because it is stored on an https site (under pub). If IE tries to access the CRL, it has to access an https site -> IE tries to get the CRL -> ...
I copied the CRL to an http location and issued a new cert with this URL as the CRL distribution point: then it works fine.
(I had the same problem when trying to start my Windows 2003 server CA: the server tries to verify the status of its own certificate (signed by OpenCA) and fails because it can't access the CRL.)
I just wondered if there is any special reason why you define the CRL distribution point to be on a https server?
Or do you know of a way to avoid this problem without changing the location of the CRL distribution point?
Regards
Pierre
_________________________
Pierre Scholtes
Unicible
tel: +41 (0)21 644 6111
fax: +41 (0)21 644 6300
mailto:[EMAIL PROTECTED]
http://www.unicible.ch
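The check below is an added example, not part of the message above or of OpenCA: it reads the text form of a certificate (the layout printed by `openssl x509 -noout -text`) and flags CRL distribution points that can only be fetched over TLS, which is the loop the message describes. The host names and the sample excerpt are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of `openssl x509 -noout -text` (hosts are made up).
SAMPLE = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://ca.example.test/pub/crl/cacrl.crl

                Full Name:
                  URI:http://crl.example.test/cacrl.crl

            X509v3 Subject Key Identifier:
                AA:BB:CC
"""

# Schemes that need a TLS handshake before the CRL can be read.
# RFC 5280 (security considerations) advises CAs against https/ldaps here.
TLS_SCHEMES = {"https", "ldaps"}

def cdp_uris(text):
    """Return the URIs listed under the CRL Distribution Points extension."""
    uris, in_cdp, ext_indent = [], False, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if "CRL Distribution Points" in line:
            in_cdp, ext_indent = True, indent
        elif in_cdp and indent <= ext_indent:
            in_cdp = False  # next extension header: the CDP section has ended
        elif in_cdp:
            match = re.search(r"URI:(\S+)", line)
            if match:
                uris.append(match.group(1))
    return uris

def audit(text):
    """Label each CDP URI 'circular' (TLS needed to fetch the CRL) or 'ok'."""
    return [(u, "circular" if urlsplit(u).scheme.lower() in TLS_SCHEMES else "ok")
            for u in cdp_uris(text)]

def has_usable_cdp(text):
    """True if at least one distribution point is reachable without TLS."""
    return any(status == "ok" for _, status in audit(text))
```
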
