Re: Problems with CRL after renewal

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 09/27/04

    Date: Mon, 27 Sep 2004 05:16:14 -0700
    
    

    I think you would have to provide more information as CryptoAPI would never
    recognize a CRL (even with same name) as being authoritative for a given CA
    if it was signed by a different key than the key used to sign the CA cert.

    http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

    -- 
    David B. Cross [MS]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://support.microsoft.com
    <seka> wrote in message news:e4QaUVioEHA.3552@TK2MSFTNGP15.phx.gbl...
    > Hello!
    > I am developing a specialized CA and I encounter problems while issuing CRLs
    > after renewal.
    > Before renewal I could revoke any issued certificate and the function
    > CertGetCertificateChain showed that it was revoked.
    > Then I issued a new CA certificate with a new key. Then I do the following:
    > I support two CRLs - one for the old CA certificate and one for the new CA
    > certificate. If I need to revoke a certificate issued by the old CA
    > certificate I add it to the old CRL signed by the old key. If I need to
    > revoke a certificate issued by the new CA certificate I add it to the new
    > CRL and sign it with the new key. But I have the problem: the function
    > CertGetCertificateChain recognizes as revoked only those certificates that
    > are contained in the CRL that was updated last. Certificates contained in
    > the other CRL are not recognized as revoked. If I reissue this CRL without
    > adding a new certificate to it the situation changes - certificates listed
    > in it become revoked (the function CertGetCertificateChain shows it) but
    > certificates listed in the other CRL become valid!
    > Where is my fault?
    > Thank you.
    > P.S. I follow the recommendations of the article "Certification Authority
    > Renewal" from MSDN and support the CA Version extension and the Authority
    > Key Id extension.
    >
    > 
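The rule David states, that a CRL is authoritative for a CA certificate only when it is signed by that certificate's key, is easy to see in a small chain check. The program below is an added example, not code from this thread and not CryptoAPI: it uses Go's standard crypto/x509 package (Go 1.19 or later, for ParseRevocationList and RevocationList.CheckSignatureFrom) to rebuild seka's setup with one CA name, an old and a new key, one revoked certificate under each key and one CRL per key, and then resolves revocation the way the reply describes, by matching Authority Key Identifier to Subject Key Identifier and verifying the signature, never by issuer name or by which CRL was published last. The CA name, end-entity name and serial numbers are constructed sample values; `must`, `newCert`, `newCRL`, `signedByKeyOf`, `isRevoked` and `RunScenario` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; it keeps the constructed sample PKI below short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate with a fresh P-256 key; isCA makes it a self-signed CA with a
// constructed name. Go fills in a CA's SubjectKeyId and copies it into the AuthorityKeyId of what that CA signs.
func newCert(serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "end entity (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.Subject.CommonName, tmpl.IsCA, tmpl.BasicConstraintsValid = "Specialized CA (example)", true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newCRL signs a CRL listing the given serials; Go adds the AuthorityKeyId extension from ca.SubjectKeyId.
func newCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, key))))
}

// signedByKeyOf is the rule from the reply: an object naming ca as its issuer counts only if its
// AuthorityKeyId equals ca's SubjectKeyId and its signature verifies under ca's key, so a same-named CA cert or CRL made with another key fails.
func signedByKeyOf(aki []byte, verify func(*x509.Certificate) error, ca *x509.Certificate) bool {
	return bytes.Equal(aki, ca.SubjectKeyId) && verify(ca) == nil
}

// isRevoked picks the CA certificate that really issued ee, then the CRL signed by that
// same key, and looks the serial up there. Which CRL was published last plays no part.
func isRevoked(ee *x509.Certificate, cas []*x509.Certificate, crls []*x509.RevocationList) (bool, error) {
	for _, ca := range cas {
		if !signedByKeyOf(ee.AuthorityKeyId, ee.CheckSignatureFrom, ca) {
			continue
		}
		for _, rl := range crls {
			if !signedByKeyOf(rl.AuthorityKeyId, rl.CheckSignatureFrom, ca) {
				continue
			}
			for _, rc := range rl.RevokedCertificates {
				if rc.SerialNumber.Cmp(ee.SerialNumber) == 0 {
					return true, nil
				}
			}
			return false, nil
		}
		return false, fmt.Errorf("no CRL signed by the issuing CA key")
	}
	return false, fmt.Errorf("no CA certificate matched the issuing key")
}

// RunScenario rebuilds the poster's setup (one CA name, old and new key, one revoked cert under each,
// one CRL per key). CRLs are offered newest first so the "last updated" one cannot be what decides.
func RunScenario() (oldRevoked, newRevoked, crossKeyCRLAccepted bool, err error) {
	oldCA, oldKey := newCert(1, true, nil, nil)
	newCA, newKey := newCert(2, true, nil, nil)
	oldEE, _ := newCert(100, false, oldCA, oldKey)
	newEE, _ := newCert(200, false, newCA, newKey)
	cas := []*x509.Certificate{oldCA, newCA}
	crls := []*x509.RevocationList{newCRL(newCA, newKey, newEE.SerialNumber), newCRL(oldCA, oldKey, oldEE.SerialNumber)}
	if oldRevoked, err = isRevoked(oldEE, cas, crls); err != nil {
		return
	}
	if newRevoked, err = isRevoked(newEE, cas, crls); err != nil {
		return
	}
	// The new key's CRL names the same CA but is not authoritative for the old CA certificate.
	crossKeyCRLAccepted = signedByKeyOf(crls[0].AuthorityKeyId, crls[0].CheckSignatureFrom, oldCA)
	return
}

func main() {
	fmt.Println(RunScenario()) // old-key cert revoked, new-key cert revoked, cross-key CRL accepted, error
}
```

Run it with `go run .`; it prints `true true false <nil>`: both revoked certificates stay revoked regardless of CRL order, and the new key's CRL is rejected for the old CA certificate even though it carries the same issuer name. The two tests `signedByKeyOf` applies are also the check to run against a CA's own output after renewal: each published CRL must carry an Authority Key Identifier equal to the Subject Key Identifier of the CA certificate for the key that signed it, and its signature must verify against that certificate.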
    
