Collaborate Disseminate
I am using OpenSSL
For example, I have a CRL/CA Issuers URL that is like this:
http://pki.example.com/Example Intermediate Certificate Authority.crl
#CA Issuers
caIssuers;URI.0 = http://pki.example.com/Example Intermediate Certificate Aut… Continue reading Can CRL and CA Issuers urls contain spaces?
Every cert name in CRL database contains ‘unknown’, here is the CRL db:
# here is the problem………………………vvvvvvv………………………………………….
V 220206113901Z 43434A524C5231 unknown /C=IN/… Continue reading Every cert name in CRL database contains ‘unknown’
On the Internet, I can find several statements done over the years claiming that serving a X.509 CRL over HTTPS is a bad practice because either a) it causes a chicken-and-egg problem when checking for the TLS certificate and b) it is simp… Continue reading CRL over HTTPS: is it really a bad practice?
On the Internet, I can find several statements done over the years claiming that serving a X.509 CRL over HTTPS is a bad practice because either
it causes a chicken-and-egg problem when checking for the TLS certificate and
it is simply a … Continue reading CRL over HTTPS: is it really a bad practice?
Does the CA need to mandatorily publish the new CRL file even though there are no new certificates that have been compromised since the last CRL published?
If CA needs to publish the CRL’s periodically, how do I identity whether there are … Continue reading Practical usage of CRL(Certificate Revocation List)
I use Nginx for client-side authentication.
Only the SSL-certificates from the User CA should have access to the application.
The CA hierarchy:
Root CA
|
Intermediate CA
|
User CA
So ssl_verify_depth (maximum verification de… Continue reading Certificate Revocation with intermediate CAs – combine CRLs?
I’ve used OpenSSL cms to sign the data and generate a detached signature. As per my requirements, I need to timestamp the signature as well, so that if the certificate expired, verification of signature can be done. The generated timestamp… Continue reading Openssl cms verify signature with timestamp and crl
Merely because of private interest and usage in my own network, I’m creating a certificate chain (Root CA → Intermediate CA → Server cert) using openssl. I’d like the certificate chain to be traceable and also being able to revok… Continue reading Correct CRL and OSCP URIs along certificate chain
In the instance of a web server that requires client certificates to log in, what exactly is creating and updating the CRL? From all of the examples I see, it is a manual process.
Is it really a person manually adding a certificate to the… Continue reading Who/what maintains the CRL for a web server’s client certs?
In an architecture with a root CA and a daughter CA, is it possible to combine OCSP stapling and CRL check?
More precisely, is it possible for a client:
to connect to an https server
verify the validity of the server’s ce… Continue reading Mix OCSP stapling + CRL in a hierarchy of CAs