certificate-revocation

How does certificate revocation work with intermediate CA's?

情到浓时终转凉″ 提交于 2019-12-05 17:32:14
问题 Suppose a PKI hierarchy like below. root CA ==> inter-1 CA ==> user-1 \ \======> inter-2 CA ==> user-2 My question is: does root CA also need to periodically download CRL from its children: inter-1 and inter-2? Since user-1 and user-2 can authenticate each other, if user-2's certificate is revoked by inter-2, inter-2 should let root know and then propagate to inter-1 and user-1, right? If so, it seems quite complicated. Is there any tool to use for managing the revocation logic? Thanks a lot.

Howto create a certificate using openssl including a CRL distribution point?

筅森魡賤 提交于 2019-12-03 08:18:59
I'm having problems using openssl to create a x509 certificate containing a crl distribution point for testing. I've checked the documentation and found the configuration setting crlDistributionPoints for this purpose. Unfortunately openssl always generates x509 version 1 certificates without instead of version 3 certificates with the crl distribution point. I'm sure something is wrong with my command or the configuration but reading the documentation carefully and playing around with the configuration did not help. Other settings from the configuration file are considered so I'm sure the file

CRL and OCSP behavior of iOS / Security.Framework?

一世执手 提交于 2019-11-29 07:48:40
问题 I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates. I cannot find information about this in the docs for iOS. In the context of an iPad project I'm working on at the moment, there is reason to demand checking revocation status for some certs. Anyone ideas on how to force CRL / OCSP checking during cert verification using Security.Framework? Or do I need to "fall back" to OpenSSL to accomplish this? It seems

Java SSL Certificate Revocation Checking

倾然丶 夕夏残阳落幕 提交于 2019-11-28 09:29:56
I'm currently writing a network TCP server using SSL. In production, we'll finally require clients to authenticate with a certificate. In order to revoke certificates in case of a emergency, we would also like to establish a CRL. My question is: Does Java check CRLs (if provided with the certificate) out of the box or do I need to manually implement such checks? For testing, I prepared a certificate with a CRL set but Java does not seem to try to validate it (I dropped it into a local web server and there's no access). I only found the com.sun.net.ssl.checkRevocation=true VM option, but

Disabling certificate revocation checking for an application on Windows

放肆的年华 提交于 2019-11-27 14:35:32
问题 I have a .NET 3.5 desktop application that had been showing periodic slow downs in functionality whenever the test machine it was on was out of the office. I managed to replicate the error on a machine in the office without an internet connection, but it was only when i used ANTS performance profiler that i got a clearer picture of what was going on. In ANTS I saw a "Waiting for synchronization" taking up to 16 seconds that corresponded to the delay I could see in the application when

Java SSL Certificate Revocation Checking

落爺英雄遲暮 提交于 2019-11-27 05:51:15
问题 I'm currently writing a network TCP server using SSL. In production, we'll finally require clients to authenticate with a certificate. In order to revoke certificates in case of a emergency, we would also like to establish a CRL. My question is: Does Java check CRLs (if provided with the certificate) out of the box or do I need to manually implement such checks? For testing, I prepared a certificate with a CRL set but Java does not seem to try to validate it (I dropped it into a local web
订阅 certificate-revocation