Re: [Openca-Users] Offtopic: IE6 - problem getting CRL over HTTPS

Wed, 07 Jan 2004 07:02:45 -0800

Hi Ondrej,

This happens when the server certificate where the CRL lives points to this CRL.

2 possible Solutions:
a) Use http or LDAP - it is not necessary to protect the CRL because the CRL itself is signed and protected against manipulation

b) Sign the server certificate with another CA

Here is a link to a related problem in the faq
http://www.openca.org/openca/docs/online/apas03.html#id2833002

regards

Oliver

Grich, Ondrej wrote:
Hello,

Sorry for little off-topic question.

I'm facing problem with accessing secure server, especialy with getting
CRL over HTTPS.
Situation: IE (ver. 6; WinXP SP1) with client side certificate. "Check
for server certificate revocation" option is enabled. Secure server
certificate's CDP (certificate distribution point) attribute points to
URI:https://blabla.blabla.com/crl/crl.crl.
When connecting with IE to secure server (over HTTPS), the ssl handshake
between client and server took place (verified from servers
http logs), and than nothing happens for several minutes. after that IE
complains that "Revocation information for security certificate for
this site is not available". The CA certificate (which published server
certificate) has also CDP attribute with HTTPS.

The same scenario, except the server certificate, which now has
attribute with CDP distribution point accessbile over HTTP, works fine.

Does anybody faced this situation? ANybody knows what steps are involed
in IE's Certificate validation/CRL checking?

thanks in advance
og


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


--
Diese Nachricht wurde digital unterschrieben
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to