Questions tagged [crl]

A Certificate Revocation List (CRL) is a blacklist of revoked or compromised serial numbers of certificates. As a serial number has no direct relationship to a certificate and can be fabricated in a compromised CA, it is considered a weak blacklist.

72 questions
4 votes
1 answer

Revoked certificate is still valid by Google Chrome and Microsoft Edge

I have generated a self-signed certificate: Root-CA signed by Root-CA, then Intermediate-CA signed by Root-CA, and Server signed by Intermediate-CA. The certificates are as given below: Root-CA -> Intermediate-CA -> …
soup
3 votes
0 answers

OpenVPN service, run as root:root instead of nobody:nogroup?

This was moved from NetworkEngineering. I used this DigitalOcean guide (hereafter "guide") to set up an OpenVPN service (v2.3.10, OpenSSL 1.0.2g) several months ago. It's worked flawlessly, and it's faster than our old VPN appliance. I'm at a point…
user38537
3 votes
1 answer

How can I make OpenVPN use my CA's CRL Distribution Points when verifying certificates?

I have an existing PKI into which I am trying to integrate an OpenVPN server. I have included CRL Distribution Points into each CA certificate in my chain and I publish the CRLs at a location that is reachable from my OpenVPN server. The problem is…
succulent_headcrab
3 votes
1 answer

Certificate revocation check fails for non-domain guest in spite of accessible CRL

When we try to use certificates on computers that are not part of the domain, Windows complains that The revocation function was unable to check revocation because the revocation server was offline. However, if I manually open the certificate and…
3 votes
1 answer

Microsoft CRL URL's

We have a number of Exchange servers without access to the internet. When updating Exchange, the fact that all .NET assemblies are signed means the installer needs to check Microsoft's CRL during the update process. Is there a definitive list of…
visualtrey
3 votes
0 answers

The revocation function was unable to check revocation for the certificate

I need to pass IIS certificate authentication on Windows Server 2012. The root cert hasn't got any revocation lists, but I'm getting an exception: The revocation function was unable to check revocation for the certificate After searching, I found…
3 votes
4 answers

Can I find out what certificate revocation server an application is contacting?

I'm trying to install an application on a machine running Windows XP Pro. There are two different servers being contacted, both using the same wildcard certificate (GoDaddy). One via https, one via net.tcp with ssl. Both are WCF services. The…
Joshua Evensen
3 votes
1 answer

How often is CRL refreshed, and how to force it to be?

I have a web service running under IIS 7 that requires an X509 client certificate. I know that the server that it runs on needs access to DigiCert.com in order to be able to get the CRL (Certificate Revocation List). There is a need to change our…
lockstock
3 votes
1 answer

Revocation status of DC can't be verified

A Domain Controller within my forest was working fine (as the story usually goes). Then, suddenly, I can't logon with my smart card. Instead, I'm greeted with the following message: The system could not log you on. The revocation status of the…
Federer
3 votes
2 answers

How to extract CRL location from x509 certificate using OpenSSL utility

I need to extract the crl location from a certificate authority so I can use that in verifying certificates. Is this possible using the openssl utility other than using the -text option and attempting to parse the output (which seems prone to…
Shawn J. Goff
3 votes
2 answers

Reset local Certificate Revocation List (CRL) manual

How can I manually reset the local CRL (in the OS local cache) in Windows OS (XP, Windows 7)? We need to reset the local CRL because otherwise the OS will use the local CRL until the "next update" period. As described in "Manually publish the CRL": Clients that have a…
Sasha
3 votes
1 answer

Hierarchical certification authorities and CRLs

If I implement a PKI with multiple levels of CAs, do I need to have a CRL for each individual CA or can I just have one CRL for the entire hierarchy (i.e. point all certificates to a single CRL), or only a few at the upper levels of the hierarchy?
LawrenceC
3 votes
1 answer

Openvpn intermediate CA CRL Question

I have created a CA and an intermediate CA using easy-rsa 2.0. On the OpenVPN server I use the intermediate certificate export_ca (as per the easy-rsa spec). When I revoke a certificate on my intermediate CA and copy the new crl.pem file to the…
Hilton D
3 votes
1 answer

Update CRL with OpenVPN server for longer expiration?

If the error "VERIFY ERROR: depth=0, error=CRL has expired" is received when a client attempts to connect to the OpenVPN server, it can be fixed as follows: cd /etc/openvpn/easy-rsa easyrsa gen-crl Should result in: [root@vpnserver easy-rsa]#…
AlphaCentauri
3 votes
1 answer

Check SSL certificate against CRL when an intermediate CA is in the way

I am trying to understand how to check an SSL certificate, taking into account any relevant published CRL when the certificate chain is the following: Root CA (with no CRL distribution points) Intermediate CA (advertising a CRL distribution point…
mimo