Problems with CRL
seka
Date: 08/26/04
Date: Thu, 26 Aug 2004 16:01:54 +0400
Hello!
I have the following problem using the MS Security SDK:
I issued a self-signed root certificate, then issued user certificates signed
by the root, then issued CRLs, revoking some of these certificates. All worked
OK.
Later I issued a new self-signed root certificate with the same SubjectName and
another serial number and another key. Then I issued a new CRL and got a lot of
strange things:
1. Before I issued the second root, a new CRL always replaced the old one. Now the
previous CRL issued by the previous root remains in the store. And what is more,
when I add an entry to the new CRL it appears in the old one (I add CRLs using
the function CertAddCRLContextToStore with the flag
CERT_STORE_ADD_REPLACE_EXISTING). Is this normal?
2. Earlier, all revoked certificates were recognized as revoked by the function
CertGetCertificateChain. Now some of these certificates are not recognized
as revoked. And when I revoke a certificate issued by the old root, the function
CertGetCertificateChain doesn't recognize it as revoked.
3. Then I removed the old CRL from the system store, but the situation became worse: some
of the earlier revoked certificates are recognized as revoked though their
serial numbers are not contained in any CRL!
What did I do wrong? How can I issue a new self-signed root certificate and
still be able to work with CRLs?
Thank you.
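
The situation described in the post, two self-signed roots with the same subject name but different keys, reproduced as an added example (not part of the original message and not CryptoAPI code). It uses Python's `cryptography` package instead of the MS Security SDK, and the name, serial numbers and helper functions are constructed; it shows that both CRLs carry the same issuer name, so only the signature ties a CRL to one particular root.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed values: one subject name shared by both roots, fixed dates.
NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Root")])
NOW = datetime.datetime(2024, 1, 1)

def make_root(serial):
    """Self-signed root: same NAME every time, fresh key, given serial."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(NAME).issuer_name(NAME)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(key, revoked_serials):
    """CRL signed by `key`; its issuer field is NAME whichever root signs."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(NAME).last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=30)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(key, hashes.SHA256())

def crls_by_name(root, crls):
    """Issuer-name match only: cannot tell the two roots' CRLs apart."""
    return [c for c in crls if c.issuer == root.subject]

def crls_by_signature(root, crls):
    """Name match plus signature check against this root's public key."""
    return [c for c in crls_by_name(root, crls)
            if c.is_signature_valid(root.public_key())]

def is_revoked(root, serial, crls):
    """Consult only CRLs that this root actually signed."""
    return any(c.get_revoked_certificate_by_serial_number(serial) is not None
               for c in crls_by_signature(root, crls))
```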