I have a user that is attempting to access our web site.
She has a valid certificate.
When she gets to the site a pop-up window says that her CRL is invalid or
out of date and will not let her continue.
If she goes to our certificate authority to import the latest CRL she is
denied access for the same reason.
Our web site requires client and host authentication but the certificate
authority server only does host authentication.
Any ideas about what is going wrong or how to fix it?

Here are some suggestions:
1. Attempt to "export" all her cert/key pairs, both current and past, one
at a time, into PKCS#12 (.p12) files. (I'm guessing you know how to do that.)
2. Exit the browser. Make sure it's not running any more.
3. Rename the cert7.db and key3.db files to cert7.old and key3.old.
4. Restart the browser. It will create new cert and key db files.
Those files won't contain any old CRLs, or your CA cert.
5. Create a password for the key db file. Click on the Security button
in the browser window, or the little lock icon in the lower left hand
corner of just about any Communicator window. This will bring up the
security advisor window, which has a left frame and a right frame, much
like the preferences panel has. Then click on the word "Passwords" in the
left frame. The right frame will then offer a way to set your password.
6. "import" all those cert/key pairs from those PKCS#12 files you created
in step 1.
7. You may have to re-import your CA cert from the CA server.
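
Steps 2 and 3 of the procedure above as a shell function, added here as an example and not part of the original reply. The profile directory and the browser process name are assumptions supplied by the caller; the function refuses to overwrite an existing .old file, since key3.old may hold the only remaining copy of the private keys.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-3 of the procedure.
# Assumptions: the caller passes the profile directory that holds cert7.db
# and key3.db, and the browser's process name (default "netscape" is a guess).
#
# Usage: reset_cert_dbs /path/to/profile [browser_process_name]
# Returns: 0 ok, 1 browser running, 2 db file missing, 3 backup exists.
reset_cert_dbs() {
    profile=$1
    browser=${2:-netscape}

    # Step 2: a running browser would keep using the old databases.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x "$browser" >/dev/null 2>&1; then
        echo "browser '$browser' is still running" >&2
        return 1
    fi

    # Check both files first so a failure never leaves a half-renamed pair.
    for f in cert7.db key3.db; do
        [ -f "$profile/$f" ] || { echo "missing $profile/$f" >&2; return 2; }
    done

    # An earlier reset may have left .old files; key3.old contains private
    # keys, so never clobber it.
    for f in cert7 key3; do
        [ ! -e "$profile/$f.old" ] || { echo "$profile/$f.old already exists" >&2; return 3; }
    done

    # Step 3: rename rather than delete, so the old databases can be put
    # back if the PKCS#12 import in step 6 fails.
    mv "$profile/cert7.db" "$profile/cert7.old" &&
    mv "$profile/key3.db" "$profile/key3.old"
}
```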