On Jun 29, 2011, at 4:51 AM, David Pomeroy wrote:
> Hi Sean,
>
> openjdk7 complained that my Crl Server certificate did not contain a Subject
> Key Identifier.
It's a must-have field to comply with RFC 5280.
> Once I added this, validating the indirect CRL issuer worked as expected.
>
G
On 6/28/11 1:01 PM, David Pomeroy wrote:
> Hi Sean,
> I am using Open JDK 6. Are the indirect CRL bugs in JDK 6 documented anywhere?
> Are there any workarounds?
See:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6509162
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6542169
No known wor
Hi Sean,
I am using Open JDK 6. Are the indirect CRL bugs in JDK 6 documented
anywhere? Are there any workarounds?
I am setting enableCRLDP.
Thanks, Dave
On Tue, Jun 28, 2011 at 5:46 AM, Sean Mullan wrote:
> Are you using JDK 7? There were some bugs fixed with indirect CRLs in JDK
> 7.
>
>
Thanks for the feedback, I will look into the log if I can get some time
tomorrow.
Thanks,
Xuelei
On 6/29/2011 12:57 AM, David Pomeroy wrote:
> Hi Xuelei,
>
> Attached is the certpath debug output.
>
> Here is some more info about my test setup.
>
> Dev Root CA issued Dev Sub CA
> Dev Sub CA
Hi Xuelei,
Attached is the certpath debug output.
Here is some more info about my test setup.
Dev Root CA issued Dev Sub CA
Dev Sub CA issued client cert
Dev Root CA issued Dev Crl Server cert
Crl is issued by Dev Crl Server, URL is http://localhost/crl.crl
Dev Root CA, Dev Sub CA, and Dev Crl S
Are you using JDK 7? There were some bugs fixed with indirect CRLs in JDK 7.
Also, make sure you set the system property com.sun.security.enableCRLDP to the
value true when running, ex: java -Dcom.sun.security.enableCRLDP=true ...
--Sean
On 6/28/11 1:05 AM, [email protected] wrote:
> Can you
Can you provide the code to reproduce the exception? Or is it possible to attach
the CertPath building debugger log?
Xuelei
On Jun 28, 2011, at 11:59 AM, David Pomeroy wrote:
> Hello All,
>
> I am trying to get a servlet to download and check a CRL. The CRLDP is in
> the client's certificate a
Hello All,
I am trying to get a servlet to download and check a CRL. The CRLDP is in
the client's certificate and the CRL is marked "indirect CRL" so that it can
be signed by a different key than the client cert issuer. The following
block of code is invoked but the DistributionPointFetcher can'