Indirect CRL

    Question

  • Hello!

    I need to check a certificate by means of certutil.exe (for test purposes). Unfortunately there is an indirect CRL in our PKI. So I have: a root certificate (installed in Trusted Root CA), a CRLIssuer certificate (installed in Intermediate CA, root is the issuer) and a client certificate (root is the issuer). All the extensions, such as IDP and CRLIssuer in the CRL and CDP in the certificates, seem to be OK. When I use the command:

    certutil -verify -urlfetch client.cer

    I get the message 'Wrong Issuer “Base CRL (1503)” ' and error code 80092013.

    OS: Win 7 Pro and Server 2008; I get the same result.

    Is it possible at all to verify a certificate with an indirect CRL in cRLDistributionPoints? I'll appreciate any help.

    Regards, Marina.


    • Edited by mari_li Friday, December 27, 2013 8:05 AM
    Wednesday, December 18, 2013 10:17 AM

All replies

  • Hi,

    What is an indirect CRL? Can you give me an example?

    Thank you,

    Lutz

    Friday, December 20, 2013 4:30 PM
  • @ Lutz

    Quote: "One way to determine if a CRL is an Indirect CRL is to examine the Indirect CRL component in the Issuing Distribution Point extension. If it is set to TRUE, then the CRL may contain revocation information from multiple sources."

    For more details, here is an article: http://goo.gl/eixwpl

    Thanks!


    Andy Altmann
    TechNet Community Support


    Saturday, December 21, 2013 8:12 AM
  • Hello, Lutz!

    Thanks for your answer. So, the extensions of my certificates and CRL are below.

    CRL extensions

    Issuer:
        SERIALNUMBER=ca-crl_issuer
        CN=IndirectCRLIssuer
        C=RU
        O=SomeOrg
    IDP:
        distributionPoint
            Full Name:
                URL=http://demo.ru/netstore/crl/indirect.crl
        onlyContainsUserPublicKeyCerts = false
        onlyContainsCACerts = false
        indirectCRL = true

    CRL Issuer certificate extensions

    Subject:
        SERIALNUMBER=ca-crl_issuer
        CN=IndirectCRLIssuer
        C=RU
        O=SomeOrg

    End-user certificate extensions

    Issuer: SERIALNUMBER=root CN=Root C=RU O=SomeOrg

    CDP:
        [1] CDP
            distributionPoint
                Full Name:
                    URL=http://demo.ru/netstore/crl/indirect.crl
            cRLIssuer
                Directory Address:
                    SERIALNUMBER=ca-crl_issuer CN=IndirectCRLIssuer C=RU O=SomeOrg

    Where am I wrong?

    Regards, Marina.

    • Edited by mari_li Tuesday, December 24, 2013 1:42 PM
    Tuesday, December 24, 2013 9:18 AM
  • Andy, thank you for your reply.

    "One way to determine if a CRL is an Indirect CRL is to examine the Indirect CRL component in the Issuing Distribution Point extension. If it is set to TRUE, then the CRL may contain revocation information from multiple sources."

    I know this. But I do so and get the error 'Wrong Issuer "Base CRL"' as a result of verifying :) The extensions of my certificates are above - maybe I am missing something?

    Regards, Marina.


    • Edited by mari_li Tuesday, December 24, 2013 10:34 AM addition
    Tuesday, December 24, 2013 9:28 AM
  • Hi,

    To verify whether a cert can pass certificate revocation checking, we should actually run the command below.

    certutil -verify -urlfetch test.cer


    Best regards, Jason Mei

    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, December 25, 2013 9:26 AM
  • Thanks, Jason. Sorry, I've made a mistake in the first post.

    Certainly, my command looks like:

    certutil -verify -urlfetch client.cer

    I can't understand where the problem is. If (IDP.indirectCRL = true) and (IDP.distributionPoint.fullName == [1]CDP.fullName), everything should be OK according to Recommendation X.509.

    Here is also a passage from the Microsoft Security TechCenter article "Troubleshooting Certificate Status and Revocation":

    "If the IDP extension is present, CryptoAPI compares the names in the IDP and CDP extensions. If a successful match is made on a single name form, the CRL will be considered as valid for the certificate being validated."

    Wednesday, December 25, 2013 12:30 PM
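The IDP/CDP name-matching rule quoted in that post, implemented as an added example (not code from the thread, from Microsoft or from certutil) with the Python `cryptography` library, which it assumes is installed. It builds a constructed PKI shaped like the one described above (Root issues the client certificate, IndirectCRLIssuer signs a CRL whose IDP has indirectCRL = true, both pointing at the thread's URL) and checks whether the CRL's IDP covers the certificate's CDP, including the cRLIssuer name.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

URL = "http://demo.ru/netstore/crl/indirect.crl"   # CDP/IDP URL from the thread
NOW = datetime.datetime(2013, 12, 18)               # constructed validity start
DAY = datetime.timedelta(days=1)


def dn(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_pki(indirect=True):
    """Constructed test PKI: Root issues client.cer, IndirectCRLIssuer signs the CRL."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    crl_key = ec.generate_private_key(ec.SECP256R1())
    root, crl_issuer = dn("Root"), dn("IndirectCRLIssuer")
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(URL)], relative_name=None,
        reasons=None, crl_issuer=[x509.DirectoryName(crl_issuer)])])
    cert = (x509.CertificateBuilder().subject_name(dn("client")).issuer_name(root)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(1).not_valid_before(NOW).not_valid_after(NOW + 365 * DAY)
            .add_extension(cdp, critical=False).sign(root_key, hashes.SHA256()))
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(URL)], relative_name=None,
        only_contains_user_certs=False, only_contains_ca_certs=False,
        only_some_reasons=None, indirect_crl=indirect, only_contains_attribute_certs=False)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(crl_issuer)
           .last_update(NOW).next_update(NOW + 7 * DAY)
           .add_extension(idp, critical=True).sign(crl_key, hashes.SHA256()))
    return cert, crl


def crl_matches_cert(cert, crl):
    """Does this CRL's IDP cover the cert's CDP (RFC 5280 section 6.3.3 style check)?"""
    cdps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return crl.issuer == cert.issuer   # no IDP: only a direct CRL from the cert issuer fits
    for dp in cdps:
        # At least one name form must match between the CDP and IDP full names.
        if not (dp.full_name and idp.full_name and any(n in idp.full_name for n in dp.full_name)):
            continue
        if dp.crl_issuer:
            # Indirect case: CRL must be signed by the named cRLIssuer and carry indirectCRL = true.
            named = [g.value for g in dp.crl_issuer if isinstance(g, x509.DirectoryName)]
            if crl.issuer in named and idp.indirect_crl:
                return True
        elif crl.issuer == cert.issuer:
            return True
    return False
```

With indirectCRL cleared in the IDP, the same CRL is rejected even though the URLs still match, which is the flag the thread is focused on.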
  • Hello!

    This end-user certificate with the indirect CRL is verified successfully by means of OpenSSL. Strange enough. Maybe I should install the CRLIssuer certificate in some other store (not 'Intermediate CA')?

    Thanks in advance.


    • Edited by mari_li Tuesday, January 28, 2014 10:03 AM
    Thursday, January 09, 2014 6:28 AM