Re: Possible to override CDP in Certificate?

From: Ohaya (ohaya_at_cox.net)
Date: 09/13/03


Date: Fri, 12 Sep 2003 18:03:09 -0400


Sergio,

Thanks!

I am really new to this, and have some followup questions that may seem
pretty dumb to you. I hope that you don't mind:

1) What is this "revocation checking code" that you mentioned? Is it in
CAPICOM? CryptoAPI?

2) What if some of the client certificates do have the CDP? For these
client certs that have the CDP, will the revocation checking code go
check the CDP/CRL as indicated in the CDP, instead of using the CRL from
the Intermediate Certification Authorities store? While the
certificates which don't have the CDP would get checked against the
store?

3) Can you point me to any docs that precisely describe how this
certification checking code functions?

4) Where (physically) is the Intermediate Certification Authorities
store? Is it on our machine running IIS?

Thanks again!

"Sergio Dutra [MS]" wrote:
>
> There is no method to override the CDP in a certificate. You can, however,
> download the corresponding CRL and install it in the current user or local
> machine Intermediate Certification Authorities (CA) store. The revocation
> checking code will first look in the CA store if the certificate being
> verified does not have a CDP.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
> "Ohaya" <ohaya@cox.net> wrote in message news:3F622D8C.97D212BA@cox.net...
> > Hi,
> >
> > We have an IIS-based website that has SSL and client authentication
> > enabled. However, the client certificates that we are using are not
> > created or issued by us, and it turns out, these certificates do not
> > have the CRL Distribution Point (CDP) attribute, so when client
> > authentication occurs against the client certificates, CRL checking
> > doesn't take place.
> >
> > I've "heard" that it is possible, maybe in CAPICOM or something, to
> > override or set the CDP.
> >
> > Can anyone point me to how this might be done, especially in our (IIS)
> > environment?
> >
> > If not, what other options do we have for incorporating checking a CRL,
> > possibly programmatically from some ASP?
> >
> > Thanks in advance!!!
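
Added example, not part of the original thread or either poster's code: the workaround described in the quoted reply, written in PowerShell. It imports a downloaded CRL into the local machine Intermediate Certification Authorities (CA) store, then reports which client certificates carry a CDP extension and what a chain build restricted to locally available CRLs says about each. The two paths are placeholders, and the use of PowerShell with the .NET X509Chain class is an assumption of this example.

```powershell
# Run from an elevated prompt: the local machine CA store needs admin rights.
param(
    [string]$CertDir = 'C:\certs\clients',    # placeholder: folder of client .cer files
    [string]$CrlPath = 'C:\certs\issuer.crl'  # placeholder: CRL downloaded from the issuing CA
)

$x509   = 'System.Security.Cryptography.X509Certificates'
$cdpOid = '2.5.29.31'   # OID of the CRL Distribution Points extension

# 1. Install the CRL in the Intermediate Certification Authorities ("CA") store.
certutil -addstore CA $CrlPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not import $CrlPath" }

# 2. For each client certificate: does it carry a CDP, and does revocation
#    checking succeed using only CRLs that are already on this machine?
Get-ChildItem -Path $CertDir -Filter *.cer | ForEach-Object {
    $cert   = New-Object "$x509.X509Certificate2" $_.FullName
    $hasCdp = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid })

    $chain = New-Object "$x509.X509Chain"
    # Offline: do not fetch anything from the network during revocation checking.
    $chain.ChainPolicy.RevocationMode = [Enum]::Parse(
        [type]"$x509.X509RevocationMode", 'Offline')
    # Check only the client certificate itself, not its issuers.
    $chain.ChainPolicy.RevocationFlag = [Enum]::Parse(
        [type]"$x509.X509RevocationFlag", 'EndCertificateOnly')

    $valid = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        HasCdp     = $hasCdp
        ChainValid = $valid
        # 'Revoked' means the serial number is listed in the CRL;
        # 'RevocationStatusUnknown' means no usable CRL was found.
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A certificate without a CDP that still reports RevocationStatusUnknown after the import usually points to a CRL from the wrong issuer or one past its next-update time.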


