Problems with CRL after renewal

seka
Date: 09/24/04


Date: Fri, 24 Sep 2004 14:58:25 +0400

Hello!
I am developing a specialized CA and I meet problems while issuing CRLs after
renewal.
Before renewal I could revoke any issued certificate and the function
CertGetCertificateChain shows that it is revoked.
Then I've issued a new CA certificate with a new key. Then I do the following: I
support two CRLs - one for the old CA certificate and one for the new CA certificate. If I
need to revoke a certificate issued by the old CA certificate I add it to the old
CRL signed by the old key. If I need to revoke a certificate issued by the new CA
certificate I add it to the new CRL and sign it with the new key. But I have a problem:
the function CertGetCertificateChain recognizes as revoked only those certificates
that are contained in the CRL that was updated last, and certificates
contained in the other CRL are not recognized as revoked. If I reissue
that CRL without adding a new certificate to it the situation changes -
the certificates listed in it become revoked (the function CertGetCertificateChain
shows it) but the certificates listed in the other CRL become valid!
Where is my fault?
Thank you.
P.S. I follow the recommendations of the article Certification Authority Renewal from
MSDN and support the CA Version extension and Authority Key Id extension.
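As an added illustration that is not part of the original post and does not use CryptoAPI, the Python model below contrasts the two CRL-selection behaviours the post describes with constructed data: picking whichever CRL for the issuer name was updated last (the symptom), versus matching the CRL to the certificate by issuer name and Authority Key Identifier and checking the CRL's validity window. The CA name, key identifiers and serial numbers are made up for the example.

```python
"""Model of CRL selection after a CA has been renewed with a new key.

Constructed data (not from the post): one CA name, two signing keys
(old and new), one CRL per key, and one end-entity certificate per key.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    issuer: str
    aki: str        # Authority Key Identifier of the key that signed it
    serial: int

@dataclass(frozen=True)
class Crl:
    issuer: str
    aki: str        # key identifier of the key that signed the CRL
    this_update: datetime
    next_update: datetime
    revoked: frozenset   # revoked serial numbers

OLD_KEY, NEW_KEY = "aa11", "bb22"          # constructed key identifiers
CA = "CN=Test CA"
CRLS = [
    Crl(CA, OLD_KEY, _d(2004, 9, 1), _d(2004, 10, 1), frozenset({100})),
    Crl(CA, NEW_KEY, _d(2004, 9, 20), _d(2004, 10, 20), frozenset({200})),
]
OLD_CERT = Cert(CA, OLD_KEY, 100)   # issued and revoked under the old key
NEW_CERT = Cert(CA, NEW_KEY, 200)   # issued and revoked under the new key
NOW = _d(2004, 9, 24)

def select_by_latest(crls, cert, now=NOW):
    """Symptom in the post: only the most recently updated CRL for the
    issuer name is consulted; the signing key is ignored."""
    cands = [c for c in crls if c.issuer == cert.issuer]
    return max(cands, key=lambda c: c.this_update) if cands else None

def select_by_aki(crls, cert, now=NOW):
    """Match on issuer name AND Authority Key Identifier, and require the
    CRL to be inside its thisUpdate/nextUpdate window."""
    for c in crls:
        if (c.issuer, c.aki) == (cert.issuer, cert.aki) \
                and c.this_update <= now < c.next_update:
            return c
    return None

def is_revoked(crls, cert, selector=select_by_aki, now=NOW):
    crl = selector(crls, cert, now)
    if crl is None:
        raise LookupError("no usable CRL for this certificate's signing key")
    return cert.serial in crl.revoked
```

With `select_by_latest`, the certificate signed by the old key is reported valid even though it is listed in the old CRL; with `select_by_aki`, both revocations are found, and a certificate whose matching CRL has expired raises instead of being silently treated as valid.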


