Collaborate Disseminate
On the Internet, I can find several statements done over the years claiming that serving a X.509 CRL over HTTPS is a bad practice because either
it causes a chicken-and-egg problem when checking for the TLS certificate and
it is simply a … Continue reading CRL over HTTPS: is it really a bad practice?
Does the CA need to mandatorily publish the new CRL file even though there are no new certificates that have been compromised since the last CRL published?
If CA needs to publish the CRL’s periodically, how do I identity whether there are … Continue reading Practical usage of CRL(Certificate Revocation List)
I use Nginx for client-side authentication.
Only the SSL-certificates from the User CA should have access to the application.
The CA hierarchy:
Root CA
|
Intermediate CA
|
User CA
So ssl_verify_depth (maximum verification de… Continue reading Certificate Revocation with intermediate CAs – combine CRLs?
I’ve used OpenSSL cms to sign the data and generate a detached signature. As per my requirements, I need to timestamp the signature as well, so that if the certificate expired, verification of signature can be done. The generated timestamp… Continue reading Openssl cms verify signature with timestamp and crl
Merely because of private interest and usage in my own network, I’m creating a certificate chain (Root CA → Intermediate CA → Server cert) using openssl. I’d like the certificate chain to be traceable and also being able to revok… Continue reading Correct CRL and OSCP URIs along certificate chain
In the instance of a web server that requires client certificates to log in, what exactly is creating and updating the CRL? From all of the examples I see, it is a manual process.
Is it really a person manually adding a certificate to the… Continue reading Who/what maintains the CRL for a web server’s client certs?
In an architecture with a root CA and a daughter CA, is it possible to combine OCSP stapling and CRL check?
More precisely, is it possible for a client:
to connect to an https server
verify the validity of the server’s ce… Continue reading Mix OCSP stapling + CRL in a hierarchy of CAs
I am a Firefox user and recently stumbled upon the Liu, Yabing, et al. “An end-to-end measurement of certificate revocation in the web’s PKI.” Proceedings of the 2015 Internet Measurement Conference. ACM, 2015 study and after… Continue reading How well do current browsers handle certificate revocation?
I was reading a CPS/CP for a CA, and it mentioned that there’s a possibility after rekey that you can still use the old key to sign CRLs of the old end user certificates verified by the old CA certificate, the only case where… Continue reading What’s the goal behind signing a CRL with an old certificate key?
I understand that each public key certificate includes an expiration time, and a CRL is issued periodically, listing all currently revoked certificates. However, in class we were told to think about whether or not we still ne… Continue reading Assuming that everyone always performs a revocation check, do we still need expiration time in each certificate?