AL
2005-02-09 12:10:17 UTC
Hello,
I have a problem with CRL checking - getting a
CRYPT_E_REVOCATION_OFFLINE even when I don't expect that, maybe I do
something wrong? Really need help.
My test:
I have a valid certificate; I perform a check by calling:
- CertCreateCertificateChainEngine passing a timeout value
(ChainConfig.dwUrlRetrievalTimeout) of 60 seconds
- then I find my cert with CertFindCertificateInStore
- and then call CertGetCertificateChain
I normally get pChainContext->TrustStatus.dwErrorStatus =
CERT_TRUST_NO_ERROR (ok); however, I wanted to test CRL fetching, so I
deleted the cached crl file from IE temporary internet files and
disconnected from the network.
Problem 1: validation was still successful, but a new CRL was not
downloaded. There must be a caching of the CRL some place other than IE
temp.int.files, but where? Can I clear this cache?
Ok, I then changed my PC time (date brought forward by some days), so
that it thinks the revocation list is expired, and tries to get a new one.
Problem 2: After this, my app does fetch the crl (checked the CA IIS
log), but then gives me a CRYPT_E_REVOCATION_OFFLINE error! How is it
possible, is it a fault of mine?
In this case I get an unknown pChainContext->TrustStatus.dwErrorStatus
from the call to CertGetCertificateChain (16777280, what's that?), and
the subsequent call to CertVerifyCertificateChainPolicy gives me a
CERT_CHAIN_POLICY_STATUS dwerror of CRYPT_E_REVOCATION_OFFLINE.
Shouldn't I get some other error, e.g. not-time-nested?
Finally, I have a third problem in the production environment.
Problem 3: even if I set a long timeout (60 seconds over the default of
20, following the article at
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx),
as timeout for CRL url fetching, and have a reachable CDP on a list of
two/three, revocation checking always gives a CRYPT_E_REVOCATION_OFFLINE
error.
Is it correct to delete some CDP (e.g. ftp and file, given I only need an
http endpoint) in order to let the check perform more quickly?
If I change CDP at the CA I must revoke user certificates and assign new
ones, or is there a way to update them with the new list of CDPs?
And one last question: if two http CDP are listed, does cryptoapi verify
both of them, right? Say the former is an internal (intranet) url and
the latter a public one: I should be able to complete a crl check (from
outside the intranet) without getting the CRYPT_E_REVOCATION_OFFLINE
error (given the url is valid and there's no authentication needed),
right? I doubt all the timeout is spent on the first url, unreachable,
and that I get the error instead of trying the second. Is there a way to
trace this? Capimon does not seem to do this, does it?
Thank you for any help,
al.
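The following is an added example, not code from the post above. It shows the CryptoAPI call sequence the post describes (chain engine with dwUrlRetrievalTimeout, CertGetCertificateChain with end-certificate revocation checking, then CertVerifyCertificateChainPolicy) and a small decoder for TrustStatus.dwErrorStatus, since the raw number in the post is a bitmask of CERT_TRUST_* flags: 16777280 is 0x01000040, i.e. CERT_TRUST_IS_OFFLINE_REVOCATION (0x01000000) | CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x00000040), which the base policy reports as CRYPT_E_REVOCATION_OFFLINE. Assumptions: the flag values are copied from wincrypt.h so the decoder also builds off Windows; `check_revocation`, `decode_trust_status` and `trust_status_names` are names chosen here; the caller already holds a PCCERT_CONTEXT (e.g. from CertFindCertificateInStore, as in the post).

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")
#else
/* Bit values copied from wincrypt.h so the decoder also builds off Windows. */
typedef unsigned long DWORD;
#define CERT_TRUST_IS_NOT_TIME_VALID          0x00000001
#define CERT_TRUST_IS_NOT_TIME_NESTED         0x00000002
#define CERT_TRUST_IS_REVOKED                 0x00000004
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID     0x00000008
#define CERT_TRUST_IS_NOT_VALID_FOR_USAGE     0x00000010
#define CERT_TRUST_IS_UNTRUSTED_ROOT          0x00000020
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN  0x00000040
#define CERT_TRUST_IS_CYCLIC                  0x00000080
#define CERT_TRUST_IS_PARTIAL_CHAIN           0x00010000
#define CERT_TRUST_IS_OFFLINE_REVOCATION      0x01000000
#endif

/* Subset of TrustStatus.dwErrorStatus bits relevant to revocation, lowest bit first. */
static const struct { DWORD bit; const char *name; } trust_bits[] = {
    { CERT_TRUST_IS_NOT_TIME_VALID,         "CERT_TRUST_IS_NOT_TIME_VALID" },
    { CERT_TRUST_IS_NOT_TIME_NESTED,        "CERT_TRUST_IS_NOT_TIME_NESTED" },
    { CERT_TRUST_IS_REVOKED,                "CERT_TRUST_IS_REVOKED" },
    { CERT_TRUST_IS_NOT_SIGNATURE_VALID,    "CERT_TRUST_IS_NOT_SIGNATURE_VALID" },
    { CERT_TRUST_IS_NOT_VALID_FOR_USAGE,    "CERT_TRUST_IS_NOT_VALID_FOR_USAGE" },
    { CERT_TRUST_IS_UNTRUSTED_ROOT,         "CERT_TRUST_IS_UNTRUSTED_ROOT" },
    { CERT_TRUST_REVOCATION_STATUS_UNKNOWN, "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" },
    { CERT_TRUST_IS_CYCLIC,                 "CERT_TRUST_IS_CYCLIC" },
    { CERT_TRUST_IS_PARTIAL_CHAIN,          "CERT_TRUST_IS_PARTIAL_CHAIN" },
    { CERT_TRUST_IS_OFFLINE_REVOCATION,     "CERT_TRUST_IS_OFFLINE_REVOCATION" },
};

/* Writes the names of every recognised error bit set in status to buf
   ('|'-separated, or "CERT_TRUST_NO_ERROR" when none) and returns the count. */
size_t decode_trust_status(DWORD status, char *buf, size_t buflen)
{
    size_t i, n = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof trust_bits / sizeof trust_bits[0]; i++) {
        if (!(status & trust_bits[i].bit)) continue;
        if (n++) strncat(buf, "|", buflen - strlen(buf) - 1);
        strncat(buf, trust_bits[i].name, buflen - strlen(buf) - 1);
    }
    if (n == 0) strncat(buf, "CERT_TRUST_NO_ERROR", buflen - 1);
    return n;
}

/* Convenience wrapper returning a static buffer (not thread-safe). */
const char *trust_status_names(DWORD status)
{
    static char buf[512];
    decode_trust_status(status, buf, sizeof buf);
    return buf;
}

#ifdef _WIN32
/* Mirrors the post's sequence: engine with a URL retrieval timeout (ms), chain
   build with end-certificate revocation checking, then the base policy check.
   cacheOnly=TRUE adds CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL, so no network fetch
   is attempted: a way to test "is a usable CRL cached?" without unplugging. */
BOOL check_revocation(PCCERT_CONTEXT pCert, DWORD timeoutMs, BOOL cacheOnly,
                      DWORD *pErrorStatus, DWORD *pPolicyError)
{
    CERT_CHAIN_ENGINE_CONFIG cfg;
    HCERTCHAINENGINE hEngine = NULL;
    CERT_CHAIN_PARA para;
    PCCERT_CHAIN_CONTEXT pChain = NULL;
    CERT_CHAIN_POLICY_PARA polPara;
    CERT_CHAIN_POLICY_STATUS polStatus;
    DWORD flags = CERT_CHAIN_REVOCATION_CHECK_END_CERT;
    BOOL ok = FALSE;

    memset(&cfg, 0, sizeof cfg);
    cfg.cbSize = sizeof cfg;
    cfg.dwUrlRetrievalTimeout = timeoutMs;          /* per-URL fetch timeout */
    if (!CertCreateCertificateChainEngine(&cfg, &hEngine))
        return FALSE;

    memset(&para, 0, sizeof para);
    para.cbSize = sizeof para;
    para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND; /* no EKU restriction */
    if (cacheOnly) flags |= CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL;

    if (CertGetCertificateChain(hEngine, pCert, NULL, NULL, &para, flags, NULL, &pChain)) {
        *pErrorStatus = pChain->TrustStatus.dwErrorStatus;  /* decode with trust_status_names() */
        memset(&polPara, 0, sizeof polPara);
        polPara.cbSize = sizeof polPara;
        memset(&polStatus, 0, sizeof polStatus);
        polStatus.cbSize = sizeof polStatus;
        if (CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE, pChain, &polPara, &polStatus)) {
            *pPolicyError = polStatus.dwError;  /* 0, or e.g. CRYPT_E_REVOCATION_OFFLINE */
            ok = TRUE;
        }
        CertFreeCertificateChain(pChain);
    }
    CertFreeCertificateChainEngine(hEngine);
    return ok;
}
#endif

int main(void)
{
    /* The value reported in the post: 16777280 == 0x01000040. */
    printf("%lu -> %s\n", 16777280UL, trust_status_names(16777280UL));
    return 0;
}
```

Two points worth knowing when reproducing the post's tests: CryptoAPI keeps its own URL cache (the CryptnetUrlCache under the user profile) separate from the IE temporary files, and `certutil -urlcache * delete` clears it; and dwUrlRetrievalTimeout applies per URL unless CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT is also passed in dwFlags, in which case it bounds the whole revocation check.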