Assuming that everyone always performs a revocation check, do we still need expiration time in each certificate?

I understand that each public key certificate includes an expiration time, and a CRL is issued periodically, listing all currently revoked certificates. However, in class we were told to think about whether or not we still ne…

How to automate publication of CRL and CRT files to CDP and AIA location?

I’m setting up Two-Tier PKI for the first time in our Windows Server 2012 R2 environment and I’ve read several tutorials on setting this up. Some of the methodology is very different, but I’ve chosen to go with the guide at …

Why are CRLs used instead of "valid certificates lists" and inner workings of CRLs

I don’t really understand why the approach towards checking the validity of certificates is “valid until proven otherwise” (aka revocation lists).

In my opinion this is kind of weird. A CA has to manually keep track of all t…

Are revoked certificates removed from CRLs after expiration? Why is this secure?

If a certificate is revoked before its expiry time and added to a CRL, is it removed from the CRL after the certificate validity period expires? RFC 5280 seems to imply this:

A complete CRL lists all unexpired certificates, within its sco…

Verifying a certificate against a CRL via OpenSSL: Unable to get certificate CRL

I am having a problem with verifying a certificate against the CRL that was created by the same CA that created the certificate.

I have created my own certificate authority (CA) and an intermediate CA. By using this interme…
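Added example, not code from the question above or from any answer on the page: a POSIX shell script that builds a throwaway root CA, intermediate CA and leaf certificate with the OpenSSL CLI, issues a CRL from the intermediate, and then runs `openssl verify` in the combinations that produce "unable to get certificate CRL", "certificate revoked" and OK. Every name and path in it (Example Root CA, server.example.test, the `ca/` database directory, the `.crl` file names) is made up for the demonstration; it needs only the `openssl` binary (1.1.1 or later for `-CRLfile`).

```shell
#!/bin/sh
# Added example, not code from the question or from any answer on the page.
# Builds a throwaway root -> intermediate -> leaf hierarchy, issues a CRL
# from the intermediate, and shows which `openssl verify` invocations end in
# "unable to get certificate CRL" rather than OK or "certificate revoked".
# Every name below (Example Root CA, server.example.test, file names) is made up.
# Requires the openssl CLI (1.1.1 or later for -CRLfile).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# `openssl req` insists on a distinguished_name section even when -subj is used.
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > req.cnf

# newcsr NAME CN: P-256 key plus CSR for NAME.
newcsr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$1.key" 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" \
    -out "$1.csr" 2>/dev/null
}

# Extension profiles for `openssl x509 -req -extfile`; cRLSign on the CAs
# matters, because verify rejects a CRL whose issuer lacks it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext

newcsr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null
newcsr int "Example Intermediate CA"
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out int.crt 2>/dev/null
newcsr leaf "server.example.test"
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

cat root.crt int.crt > chain.pem   # trust file: root plus intermediate

# `openssl ca` needs a CA database even just to revoke and to emit a CRL.
mkdir ca && touch ca/index.txt && echo 1000 > ca/serial && echo 1000 > ca/crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = int_ca
[ int_ca ]
dir = $WORK/ca
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir
certificate = $WORK/int.crt
private_key = $WORK/int.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null   # nothing revoked yet
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out int.crl 2>/dev/null     # now lists the leaf
cat chain.pem int.crl > chain_with_crl.pem   # pre-1.1.1 style: CRL inside -CAfile

# verify_leaf CAFILE [verify flags...]: prints OK, or the reason text from
# the first "error N at D depth lookup: ..." line openssl emits.
verify_leaf() {
  cafile=$1; shift
  if out=$(openssl verify -CAfile "$cafile" "$@" leaf.crt 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

echo "no revocation check:                 $(verify_leaf chain.pem)"
echo "-crl_check, no CRL given:            $(verify_leaf chain.pem -crl_check)"
echo "-crl_check, empty CRL:               $(verify_leaf chain.pem -crl_check -CRLfile empty.crl)"
echo "-crl_check, leaf revoked:            $(verify_leaf chain.pem -crl_check -CRLfile int.crl)"
echo "-crl_check, CRL inside -CAfile:      $(verify_leaf chain_with_crl.pem -crl_check)"
echo "-crl_check_all, no CRL from root:    $(verify_leaf chain.pem -crl_check_all -CRLfile empty.crl)"
```

The point the runs make: "unable to get certificate CRL" means OpenSSL could not find any CRL whose issuer matches the issuer of the certificate it is currently checking, not that a CRL it found was bad. With `-crl_check` only the end-entity certificate is checked, so one CRL from the intermediate is enough; with `-crl_check_all` every certificate in the chain is checked, so the root's CRL must be supplied as well or the lookup fails one level up. The CRL can be passed with `-CRLfile` or, as older tutorials do, concatenated into the `-CAfile` bundle; a CRL signed by a CA other than the one that issued the certificate is never matched, which is the usual cause when the CRL came from the wrong tier.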
