
I am trying to do a CRL check on macOS Catalina. I am doing exactly the same as what is mentioned in

https://developer.apple.com/forums/thread/97740

    SecPolicyRef revPolicy = nil;
    revPolicy = SecPolicyCreateRevocation(kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse);

except for the part about setting the trust anchor. I have created a self-signed root CA using openssl and created a server certificate signed by the root CA.

I have a CRL distribution point mentioned in the server certificate:

    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://www.test.com/crl.pem

OSX is completely ignoring the CRL distribution point. There is no attempt to contact the CRL server during handshake.

What could be wrong here? Don't CRL checks work in OSX? Does it require some additional information in the certificate?

digitizedx
  • AIA CA Issuers is required in the certificate for OSX to initiate a CRL/OCSP request. I was using a custom certificate without AIA CA Issuers. The same certificate worked fine on Windows with respect to OCSP, so I never suspected anything being wrong with the certificate. – digitizedx Mar 05 '21 at 07:48
  • I am facing the same issue; can you clarify what "AIA CA Issuers" is? – José Sep 06 '21 at 19:04
  • I used https://jamielinux.com/docs/openssl-certificate-authority/ to create the certificate. I don't have the exact configuration I used. You need to add CA Issuers to the AIA extension. Just having the OCSP part is not enough for Mac. It should look like below when you open the certificate as text [..] Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ – digitizedx Sep 19 '21 at 08:27
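The comments above come down to a certificate-content problem: the leaf had a CRL distribution point but no Authority Information Access block carrying a CA Issuers URI. The script below is an added example (not from the question or its comments) that issues a self-signed root and a leaf with the openssl extension lines the comments describe, then checks the certificate text for all three pointers before anyone blames the client; every host name and URI in it is a made-up placeholder.

```shell
#!/bin/sh
# Added example: issue a test leaf certificate whose extensions carry an AIA block
# with BOTH an OCSP URI and a CA Issuers URI, plus a CRL distribution point, then
# verify the pointers are really in the certificate. All URIs are placeholders.
set -e

WORK=${WORK:-$(mktemp -d)}

# Extension file for the leaf. The asker's certificate had only the
# crlDistributionPoints line; the authorityInfoAccess line is the missing piece.
write_leaf_ext() {
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.test.invalid
crlDistributionPoints = URI:http://www.test.com/crl.pem
authorityInfoAccess = OCSP;URI:http://ocsp.test.invalid/,caIssuers;URI:http://ca.test.invalid/root.crt
EOF
}

# Self-signed root CA plus a leaf signed by it, mirroring the asker's setup.
issue_chain() {
  write_leaf_ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.test.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Print "ok" when the certificate text shows both AIA access methods and a CRL DP;
# otherwise list what is missing, which is what the asker's certificate would show.
check_revocation_pointers() {
  txt=$(openssl x509 -in "$1" -noout -text)
  missing=""
  printf '%s' "$txt" | grep -q 'CA Issuers - URI:'       || missing="$missing caIssuers"
  printf '%s' "$txt" | grep -q 'OCSP - URI:'             || missing="$missing ocsp"
  printf '%s' "$txt" | grep -q 'CRL Distribution Points' || missing="$missing crlDP"
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

issue_chain
check_revocation_pointers "$WORK/leaf.pem"
```

Run the same check against the certificate you actually deploy; a result other than `ok` means the client has nothing to fetch, regardless of what revocation policy it was created with.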
