A Certificate Revocation List (CRL) is a signed list, published by a certificate authority, of the serial numbers of certificates it has issued and since revoked (for example because the private key was compromised). A serial number only identifies a certificate relative to its issuer, and a compromised CA can issue certificates that never appear on its CRL, so a CRL is considered a weak blacklist: it only tells a relying party about revocations the CA knows of and has chosen to publish.
Questions tagged [crl]
69 questions
27 votes, 4 answers
How do I check if my SSL certificates have been revoked
The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates.
I have two certificates that were generated before the heartbleed vulnerability was discovered. After the SSL issuer told me to…
sridhar pandurangiah
12 votes, 1 answer
How to use Chrome's CRL sets (or some master CRL list) as a CRL file?
I am looking for a master CRL list. The closest thing I have found is the Chromium project's CRLSets. I used crlset-tools to get the crlset (crlset fetch > crl-set) and then dumped the serial numbers (crlset dump crl-set) so I see something like…
test
7 votes, 1 answer
RDP connection to domain server from non-domain client prompts "A revocation check could not be performed"
I've got about 30 Windows 2008 R2 servers as members of a domain, and am attempting to configure the certificates part correctly for remote desktop access to those servers.
The catch is that the clients that need to connect to these servers are not…
growse
6 votes, 0 answers
The revocation function was unable to check revocation because the revocation server was offline
I have a chain of certificates: MYROOTCERT -> MYCHILDCERT. The MYCHILDCERT certificate has a CRL distribution point extension:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
…
username
6 votes, 2 answers
How to check multiple CRL lists with nginx client authentication?
I have a custom easyrsa setup with a root and three CAs signed by the root. (Three different sub-cas depending on the user type), like this:
RootCA
+----- AdminUserCA
+----- EmployeeCA
+----- ClientCA
I have authentication working with the…
ErebusBat
6 votes, 2 answers
nginx proxy + ssl + crl "400 bad request" error
Here's the situation: there's a transparent nginx proxy that handles SSL certificates and does it well, until we decide to add revocation list management, required for security reasons. This is when the "ssl_crl" line comes into play and screws up…
Pavel Potatis
6 votes, 3 answers
Can Windows log CryptoAPI CRL timeouts?
I suspect that the process of building the CRL cache may cause latency in some applications.
We have several .NET applications that occasionally "act slow" with no CPU or disk access. I suspect that they are hung up on authentication when trying to…
makerofthings7
6 votes, 1 answer
How large is the certificate OCSP and CRL cache in my Windows server?
How can I see the size of the in-memory OCSP cache or CRL cache on my Domain Controllers?
In other words, most Windows processes that use CryptoAPIs have an in-memory cache of every CRL and OCSP relevant to that application. This is important…
makerofthings7
5 votes, 1 answer
OpenSSL error while loading CRLnumber
I am unable to generate a CRL. I am probably missing something in the configuration file. The error I get is "openssl error while loading crl number."
Crl config section:
[ CA_default ]
# Directory and file locations.
dir =…
Moutabreath
4 votes, 3 answers
openvpn: crl has expired?
We have an OpenVPN in our AWS setup which was set up by a client, and now they are not able to connect to OpenVPN; it says "crl has expired".
We are trying to regenerate the CRL, but to do that we need to go to the easy-rsa folder, and there I need to run…
Ganesh
4 votes, 1 answer
OpenVPN revoke user - CRL verify issues
I have configured my OpenVPN and it is working properly so far. Lately I had to revoke one certificate and after using easy-rsa revoke-full, I saw that in index.txt that specific user has been revoked. I also noticed that crl.pem has new timestamp…
dovla110010101
4 votes, 0 answers
Active Directory Certificate Services cannot publish revocation list after renewal with new private Key
In summary:
I had a working offline root CA and an AD integrated CA working fine
I renewed the certificate with the same private key and all was good
I then renewed the certificate with a new private key and I can no longer publish the…
Ross
4 votes, 1 answer
How do I change the expiration of CRLs with OpenSSL?
I am currently experimenting with my self signed CA.
But in order for my devices to work I need a valid CRL.
I set the CDP to one of the CDN hosting providers.
As I have only 5 certificates issued I have little chance of getting one of them revoked,…
manatails
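The questions above about checking whether a certificate has been revoked, the "error while loading CRL number" from `openssl ca -gencrl`, OpenVPN clients refusing an expired `crl.pem`, and how to set a CRL's lifetime all come down to the same OpenSSL CA plumbing. The script below is an added example, not code from any of the posts: it builds a throwaway CA with the `openssl` CLI, issues two leaf certificates carrying a CRL Distribution Point, revokes one, publishes a CRL with an explicit `-crldays`, and then performs the check a client performs (`openssl verify -crl_check`), including what a client sees when it consults that CRL after its nextUpdate. The directory layout, certificate names and the CDP URL `http://crl.example.test/ca.crl` are invented; nothing is fetched over the network.

```shell
#!/bin/sh
# Added example, not code from the posts above: a throwaway CA driven through the
# openssl CLI, covering the crlnumber file, a CRL Distribution Point in the leaf,
# revocation, CRL lifetime (-crldays) and the client-side check (-crl_check).
# Directory layout, names and the CDP URL are invented for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CDP_URL="http://crl.example.test/ca.crl"   # hypothetical CDP; nothing is fetched

setup_ca() {
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"
  echo 01 > "$WORK/ca/crlnumber"   # without it 'ca -gencrl' fails: error while loading CRL number
  cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
x509_extensions  = leaf_ext
[ policy_any ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:$CDP_URL
EOF
  openssl req -x509 -config "$WORK/ca/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" >/dev/null 2>&1
}
issue_cert() {   # $1 = name; the leaf carries the CDP so a client knows where the CRL lives
  openssl req -new -config "$WORK/ca/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" >/dev/null 2>&1
}
revoke_cert() {  # flags the cert in index.txt; the published CRL changes only when gen_crl runs
  openssl ca -batch -config "$WORK/ca/openssl.cnf" -revoke "$WORK/$1.pem" \
    -crl_reason keyCompromise >/dev/null 2>&1
}
gen_crl() {      # $1 = lifetime in days; -crldays overrides default_crl_days and sets nextUpdate
  openssl ca -batch -config "$WORK/ca/openssl.cnf" -gencrl -crldays "$1" \
    -out "$WORK/ca/ca.crl" >/dev/null 2>&1
}
cdp_of()          { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'; }
crl_next_update() { openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'; }
revoked_serials() { openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: //p' | tr '\n' ' '; }

# The check a relying party performs: chain to the CA and consult its CRL. Returns
# 0 = good, 1 = revoked, 2 = CRL past nextUpdate, 3 = any other failure.
# $4 (optional, epoch seconds) evaluates the check as of that moment.
check_revocation() {
  at=""; [ -n "${4:-}" ] && at="-attime $4"
  if out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" $at "$1" 2>&1); then
    return 0
  fi
  case "$out" in
    *"CRL has expired"*)     return 2 ;;
    *"certificate revoked"*) return 1 ;;
    *)                       return 3 ;;
  esac
}

demo() {
  setup_ca
  issue_cert good; issue_cert stolen
  revoke_cert stolen
  gen_crl 7
  echo "CDP in leaf:     $(cdp_of "$WORK/good.pem")"
  echo "CRL nextUpdate:  $(crl_next_update "$WORK/ca/ca.crl")"
  echo "revoked serials: $(revoked_serials "$WORK/ca/ca.crl")"
  for name in good stolen; do
    check_revocation "$WORK/$name.pem" "$WORK/ca/ca.crt" "$WORK/ca/ca.crl" && echo "$name: not revoked" ||
      echo "$name: status $? (1 revoked, 2 CRL expired, 3 other)"
  done
  # A client still holding this CRL 30 days on gets "CRL has expired" and rejects a
  # perfectly valid certificate, so the CA must reissue the CRL before nextUpdate.
  later=$(( $(date +%s) + 30 * 86400 ))
  check_revocation "$WORK/good.pem" "$WORK/ca/ca.crt" "$WORK/ca/ca.crl" "$later" ||
    echo "good, checked 30 days later: status $?"
}
demo
```

For a real server certificate the same steps apply with the issuer's certificate in place of `ca.crt`: `cdp_of` gives the URL to download, and CAs usually publish the CRL in DER, so convert it first with `openssl crl -inform DER -in downloaded.crl -out issuer.crl`. OpenVPN's `crl-verify` consumes the same kind of file and rejects every client, revoked or not, once nextUpdate has passed; the CRL therefore has to be regenerated on a schedule shorter than its lifetime even when nothing new has been revoked, and `-crldays` on the command line overrides `default_crl_days` in the config for that run.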
4 votes, 1 answer
How to reload Certificate Revocation List (CRL) in nginx?
I have set a CRL file in nginx with the ssl_crl directive:
ssl_crl /mypath/crl.pem
However, I noticed that adding or removing revoked certificates from crl.pem applies only when I restart or reload the nginx server.
What is best practice for this? Reloading…
bmihelac
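The three nginx questions above (one CRL for several sub-CAs, the "400 Bad Request" that appears as soon as `ssl_crl` is switched on, and when a changed CRL takes effect) share one mechanism. The server block below is an added configuration example, not from any of the posts or from the nginx project; the host name, upstream and file paths are invented, and the CA names follow the RootCA / AdminUserCA / EmployeeCA / ClientCA layout from the first of those questions.

```nginx
# Added configuration example, not taken from any of the posts or from nginx:
# client-certificate authentication against several issuing sub-CAs with a
# single CRL bundle. Host name, upstream and file paths are invented.
upstream backend { server 127.0.0.1:8080; }

server {
    listen 443 ssl;
    server_name portal.example.test;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Trust anchors for client certificates: the root plus every sub-CA that
    # issues user certificates, concatenated into one PEM file, e.g.
    #   cat RootCA.crt AdminUserCA.crt EmployeeCA.crt ClientCA.crt > client-ca-bundle.pem
    ssl_client_certificate /etc/nginx/tls/client-ca-bundle.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;   # leaf -> sub-CA -> root

    # ssl_crl takes one file, but that file may contain several PEM CRLs.
    # nginx asks OpenSSL to check revocation for the whole chain (CRL_CHECK_ALL),
    # so the bundle needs the root's CRL (which covers the sub-CA certificates)
    # as well as each sub-CA's CRL, e.g.
    #   cat RootCA.crl AdminUserCA.crl EmployeeCA.crl ClientCA.crl > client-crl-bundle.pem
    # A missing or expired CRL for any issuer in the chain fails verification,
    # which the client sees as "400 Bad Request" (The SSL certificate error).
    ssl_crl /etc/nginx/tls/client-crl-bundle.pem;

    location / {
        proxy_pass       http://backend;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

The CRL file is read when the configuration is loaded and never re-read on its own, so after rewriting the bundle run `nginx -t && nginx -s reload`; a cron job that fetches each CRL, checks it with `openssl crl -noout -nextupdate`, writes the bundle to a temporary file, renames it into place and reloads nginx is the usual arrangement. If one sub-CA's CRL is let to expire, every client issued by that sub-CA is locked out at the handshake even though nobody revoked them.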
4 votes, 2 answers
Migrate an intermediate CA to a new root
Using the Microsoft CA is there any way to cut over to a new certificate authority from an intermediate authority?
Both my systems are Microsoft CAs - I have a 2008 R2 Enterprise CA (intermediate) and an old 2003 CA (root). The 2003 box bit the…
Tim Brigham