Re: Possible to override CDP in Certificate?
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 09/13/03
- Next message: Ohaya: "Sergio & David: Just a couple more questions about CRLs"
- Previous message: Ohaya: "Re: Possible to override CDP in Certificate?"
- In reply to: Ohaya: "Re: Possible to override CDP in Certificate?"
- Next in thread: Sergio Dutra [MS]: "Re: Possible to override CDP in Certificate?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 13 Sep 2003 07:19:31 -0700
This might help to answer some questions:
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Ohaya" <ohaya@cox.net> wrote in message news:3F625979.EAAE0DE6@cox.net...
> Sergio,
>
> Can I use the Certmgr.exe to do what you suggested (import a .CRL into
> the Intermediate CA store)? Can you (or anyone else here) provide the
> exact command line for doing this, assuming that the .CRL was named
> "test.crl"?
>
> Thanks again!
>
>
>
> Ohaya wrote:
> >
> > Sergio,
> >
> > Thanks!
> >
> > I am really new to this, and have some followup questions that may seem
> > pretty dumb to you. I hope that you don't mind:
> >
> > 1) What is this "revocation checking code" that you mentioned? Is it in
> > CAPICOM? CryptoAPI?
> >
> > 2) What if some of the client certificates do have the CDP? For these
> > client certs that have the CDP, will the revocation checking code go
> > check the CDP/CRL as indicated in the CDP, instead of using the CRL from
> > the Intermediate Certification Authorities store? While the
> > certificates which don't have the CDP would get checked against the
> > store?
> >
> > 3) Can you point me to any docs that precisely describe how this
> > certification checking code functions?
> >
> > 4) Where (physically) is the Intermediate Certification Authorities
> > store? Is it on our machine running IIS?
> >
> > Thanks again!
> >
> > "Sergio Dutra [MS]" wrote:
> > >
> > > There is no method to override the CDP in a certificate. You can, however,
> > > download the corresponding CRL and install it in the current user or local
> > > machine Intermediate Certification Authorities (CA) store. The revocation
> > > checking code will first look in the CA store if the certificate being
> > > verified does not have a CDP.
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Use of included script samples are subject to the terms specified at
> > > http://www.microsoft.com/info/cpyright.htm
> > > "Ohaya" <ohaya@cox.net> wrote in message news:3F622D8C.97D212BA@cox.net...
> > > > Hi,
> > > >
> > > > We have an IIS-based website that has SSL and client authentication
> > > > enabled. However, the client certificates that we are using are not
> > > > created or issued by us, and it turns out, these certificates do not
> > > > have the CRL Distribution Point (CDP) attribute, so when client
> > > > authentication occurs against the client certificates, CRL checking
> > > > doesn't take place.
> > > >
> > > > I've "heard" that it is possible, maybe in CAPICOM or something, to
> > > > override or set the CDP.
> > > >
> > > > Can anyone point me to how this might be done, especially in our (IIS)
> > > > environment?
> > > >
> > > > If not, what other options do we have for incorporating checking a CRL,
> > > > possibly programmatically from some ASP?
> > > >
> > > > Thanks in advance!!!
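
The approach described in the thread, as an added PowerShell example (not part of the original posts and not Microsoft's code): it reports which exported client certificates lack a CDP extension, then installs the downloaded CRL into the local machine Intermediate Certification Authorities store. It uses certutil rather than the Certmgr.exe tool asked about; the folder name and the .cer export format are assumptions, and test.crl is the file name from the question.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session
# on the IIS server, because the local machine store is being modified.
# Assumptions: client certificates were exported as .cer files into $CertDir
# (hypothetical folder); the issuer's CRL was downloaded as test.crl.
param(
    [string]$CertDir = '.\client-certs',
    [string]$CrlPath = '.\test.crl'
)

$CdpOid = '2.5.29.31'   # OID of the X.509 "CRL Distribution Points" extension

function Test-HasCdp {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # True when the certificate carries a CDP extension.
    return [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid })
}

# 1. Report which client certificates have no CDP. Per the thread, these are
#    the ones whose revocation check falls back to a CRL in the CA store.
Get-ChildItem -Path $CertDir -Filter *.cer | ForEach-Object {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    [pscustomobject]@{
        File    = $_.Name
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        HasCdp  = Test-HasCdp $cert
    }
} | Format-Table -AutoSize

# 2. Show the CRL's issuer and validity window before trusting it.
certutil -dump $CrlPath

# 3. Install the CRL into the local machine Intermediate CA store ("CA").
#    Add -user after certutil to target the current user store instead.
certutil -addstore CA $CrlPath
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed for $CrlPath" }

# 4. List the store contents to confirm the CRL is now present.
certutil -store CA
```

A CRL installed this way is not refreshed automatically, so it has to be re-imported before its Next Update time passes.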