Re: Possible to override CDP in Certificate?
From: Sergio Dutra [MS] (sergiod_at_online.microsoft.com)
Date: 09/16/03
- Next message: Sergio Dutra [MS]: "Re: WinVerifyTrust"
- Previous message: Sergio Dutra [MS]: "Re: Sergio & David: Just a couple more questions about CRLs"
- In reply to: Ohaya: "Re: Possible to override CDP in Certificate?"
- Next in thread: Ohaya: "Re: Possible to override CDP in Certificate?"
- Reply: Ohaya: "Re: Possible to override CDP in Certificate?"
Date: Tue, 16 Sep 2003 07:55:23 -0700
1) The revocation checking code I refer to is part of CryptoAPI.
2) If some of the client certificates have a CDP, then the revocation
checking code will still look in the CA store first and, if a valid CRL is
found there, it will use that one.
3) The best doc that describes how we do revocation is
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp.
4) Certificate stores are typically in the registry, under HKCU or HKLM,
under SOFTWARE\Microsoft\SystemCertificates. The "MY" stores (current user
and local machine) are stored in the file system, under
%appdata%\Microsoft\SystemCertificates. NOTE: Do not modify the certificates
in these locations directly. Instead, use the CryptoAPI functions to
manipulate certificates and stores.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Ohaya" <ohaya@cox.net> wrote in message news:3F62429D.D1AC7370@cox.net...
> Sergio,
>
> Thanks!
>
> I am really new to this, and have some followup questions that may seem
> pretty dumb to you. I hope that you don't mind:
>
> 1) What is this "revocation checking code" that you mentioned? Is it in
> CAPICOM? CryptoAPI?
>
> 2) What if some of the client certificates do have the CDP? For these
> client certs that have the CDP, will the revocation checking code go
> check the CDP/CRL as indicated in the CDP, instead of using the CRL from
> the Intermediate Certification Authorities store? While the
> certificates which don't have the CDP would get checked against the
> store?
>
> 3) Can you point me to any docs that precisely describe how this
> certification checking code functions?
>
> 4) Where (physically) is the Intermediate Certification Authorities
> store? Is it on our machine running IIS?
>
> Thanks again!
>
>
>
> "Sergio Dutra [MS]" wrote:
> >
> > There is no method to override the CDP in a certificate. You can, however,
> > download the corresponding CRL and install it in the current user or local
> > machine Intermediate Certification Authorities (CA) store. The revocation
> > checking code will first look in the CA store if the certificate being
> > verified does not have a CDP.
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> > "Ohaya" <ohaya@cox.net> wrote in message news:3F622D8C.97D212BA@cox.net...
> > > Hi,
> > >
> > > We have an IIS-based website that has SSL and client authentication
> > > enabled. However, the client certificates that we are using are not
> > > created or issued by us, and it turns out, these certificates do not
> > > have the CRL Distribution Point (CDP) attribute, so when client
> > > authentication occurs against the client certificates, CRL checking
> > > doesn't take place.
> > >
> > > I've "heard" that it is possible, maybe in CAPICOM or something, to
> > > override or set the CDP.
> > >
> > > Can anyone point me to how this might be done, especially in our (IIS)
> > > environment?
> > >
> > > If not, what other options do we have for incorporating checking a CRL,
> > > possibly programmatically from some ASP?
> > >
> > > Thanks in advance!!!
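
The step described in this thread, installing a downloaded CRL into the Intermediate Certification Authorities (CA) store so the revocation check can find it, can be scripted with certutil. The script below is an added example and is not part of the original thread; the parameter names and file paths are placeholders, and the choice of the local machine store assumes the IIS server validates client certificates in a machine context.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the
# server that validates the client certificates.
# $CrlPath and $ClientCertPath are placeholders for files you supply.
param(
    [Parameter(Mandatory = $true)] [string] $CrlPath,
    [string] $ClientCertPath
)

if (-not (Test-Path -LiteralPath $CrlPath)) {
    throw "CRL file not found: $CrlPath"
}

# 1. Dump the CRL before trusting it. Review the issuer and the
#    This Update / Next Update fields in the output. A CRL past its
#    Next Update is no longer time-valid, so the installed copy has to
#    be refreshed on a schedule that matches the issuer's publication.
certutil -dump $CrlPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil could not parse $CrlPath as a CRL"
}

# 2. Add the CRL to the local machine "CA" store, which is the
#    Intermediate Certification Authorities store named in the thread.
#    For the current user store instead, use: certutil -user -addstore CA <file>
certutil -addstore CA $CrlPath
if ($LASTEXITCODE -ne 0) {
    throw "Adding the CRL to the CA store failed (is the prompt elevated?)"
}

# 3. List the store so the new CRL entry can be confirmed by eye.
certutil -store CA

# 4. Optionally verify one client certificate. certutil builds the chain
#    and reports the revocation check result for each element.
if ($ClientCertPath) {
    if (-not (Test-Path -LiteralPath $ClientCertPath)) {
        throw "Certificate file not found: $ClientCertPath"
    }
    certutil -verify $ClientCertPath
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Verification of $ClientCertPath reported an error; review the output above."
    }
}
```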