Certificates and CRLs


paul.baldwin

I'm using an internal Windows 2003-based PKI which
publishes CRLs to a Web site. All issued certificates have
the location of this Web site. Whenever I access Web sites
using SSL certificates issued by this PKI I get:

"Revocation information for the security certificate for
this site is not available. Do you want to proceed?"

Yet the logs for the Web site show the client has
successfully downloaded the .crl file. The clients are
fetching the .crl file but fail to do anything with it.

What's up?

Using IE6 on Windows XP/2003. Commercial SSL sites do not
cause this problem.

Cheers
 
Thanks David,

Root CA certificate is installed. Just to be sure I
installed it into the Computer store (Trusted Root CA)
along with the Issuing CA certificate (Intermediate CA
store). The clients do not complain about untrusted
certificates.

Certificates have an AIA configured and the client does
download the Issuing CA certificate along with its CRL
(according to IIS logs), but it doesn't go on to download
the Root CA CRL file which is also accessible (location is
configured in the Issuing CA's certificate). Just to be
sure I imported the Root CA CRL and the Issuing CA CRL
into the client's Computer store too! Nothing.

Somewhere along the line IE6 doesn't appear to think these
CRLs are valid (Win2K3 CAs create them), yet it has no
problem with some commercial SSL sites I've tried.

Cheers

Paul
-----Original Message-----
Is the root CA trusted on the client that is the parent of the issuing CA?
Are the CRLs available for the entire chain?

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com
