
Re: CRL Decode error


a...@novell.com
Jul 2, 2009, 1:02:39 AM

First guess (also in the other place you asked):

Easiest fix: Create new certificates for your setup.
Possibly better fix: Set up a CRL at the point where your existing
certificates are sending iManager to find a Certificate Revocation List
(CRL) Distribution Point (DP). This can often be seen by going to Novell
Certificate Access, Server Certificates, and the Key Material Object
(KMO), clicking on its name, then clicking on 'CRL Distribution Points'
under Extensions, and figuring out which of the options there are
something you can fill in. I know iManager will use LDAP at times to
reach the CRL DPs but if you have HTTP options then those can be
recreated. All you need is to put a CRL at the location specified (test
with a regular web browser) and that will hopefully be enough.

Good luck.

pzzelenewicz wrote:
> I recently had my CA server completely crash and die. It was NW65SP8
> with eDir 87310 (latest patch).
> I deleted the CA object and re-created it on a new server
> (OES2SP1/SUSE10.2 - 32bit) and imported the CA cert which I had
> previously backed up (as per TID 3618399). This also created a new CRL
> object.
> As the dead server was due for replacement, I rebuilt it on new
> hardware with OES2SP1/SUSE10.2 (32bit) and all seemed good...but... when
> I try to validate the "SSL CertificateIP" or "SSL CertificateDNS" using
> either iManager 2.7 or ConsoleOne the TrustedRoot validates ok but the
> Public Key Cert shoots back a "CRL Decode Error". All other server certs
> in the tree validate ok. Also all applications using the server cert (in
> DER format) for SSL-LDAP still work fine.
> I have a good tape backup of the dead box should I need to recover
> anything.
>
> Thanks in advance.
>
>

Edward van der Maas
Jul 2, 2009, 4:58:32 AM

Paul Zelenewicz wrote:

> *If I "Repair Default Certificates" for the server with
> the current issue, will it then point to the correct CRL point and
> more importantly, will existing applications using a cert to that
> server still function?

I'd repair the default certs. Do you use the revocation list at all ?


--
Cheers,
Edward

a...@novell.com
Jul 2, 2009, 9:32:39 AM

If your certificates have CRL DPs defined you MUST provide them or
anything that is smart and checking them will fail. With that said the
problem here is often that your server that died had nameA and now your
new server has nameB so namea.yourcompany.tld does not resolve anymore.
Can you put something at namea.yourcompany.tld? Sure. If you are using
DNS in the pointer to your DPs then just configure your DNS to point to a
new DP on an existing server and make sure that DP exists properly and the
CRL is there and downloadable (browser test). Also make sure the LDAP DPs
exist and work properly.

Why do some certificates have these while others do not? You likely did
not have DPs set up at one point but did later on when you created the
newer certificates (or at least that's a common case).
Deleting/recreating all certificates on both sides could help and be
faster, but it depends on your needs. Technically EVERY PKI setup should
have CRLs and CRL DPs defined because otherwise when you lose your private
key you cannot revoke all of the certificates out there so customers are
exposed to the crackers who get their traffic and masquerade as you.

Good luck.


Paul Zelenewicz wrote:
> Hi ab,
> Thanks so much for the quick response. Sorry for the long winded list of
> questions:
>
> When you say "create new certificates for your setup" are you referring
> to the server certificates in question or the actual CA certificate?
> As per your suggestion I looked at the CRL points configured for the
> certs and they were pointing to an invalid location.
> Curiously, any other server cert in my tree does not have the "CRL
> Distribution Points" extension. I also looked at the CRL config of our
> IDM tree and while the CRL object exists, there is no configured CRL
> distribution points. So...... (here comes the stoopid questions)
>
> *Do I actually require CRL distribution points configured within the CRL
> object?
>
> *If I "Repair Default Certificates" for the server with the current
> issue, will it then point to the correct CRL point and more importantly,
> will existing applications using a cert to that server still function?
>
> Thanks again for bearing with me.
>
> Cheers.

a...@novell.com
Jul 2, 2009, 6:49:23 PM

So do the DPs that are defined on the existing certificates point to URLs
(LDAP and/or HTTP) that can be resolved and end up in a file being retrieved?

Good luck.

Paul Zelenewicz wrote:
> Hi ab,
>
> The new server has the same DNS name.
> I suspect that when I created the new CA that this was the first time
> that CRL DPs were ever configured.
>
> Cheers.

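As an added example (not code from the thread, from Novell or from any of the posters), a small POSIX shell checker for the test ab describes in the two posts above: list each CRL Distribution Point in a certificate, fetch it, and confirm that what comes back decodes as a CRL. It assumes openssl (1.1.1 or later) and curl are on PATH; ldap:// DPs are only reported, since the script has no LDAP client.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks a certificate's
# CRL Distribution Points the way ab suggests: fetch each DP and confirm a
# CRL comes back and decodes. Assumes openssl and curl are on PATH.

# Print every URI in the certificate's crlDistributionPoints extension, one per line.
crl_dp_uris() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -o 'URI:[^[:space:]]*' | sed 's/^URI://'
}

# Succeed only if the file parses as a CRL, in DER or in PEM encoding.
crl_decodes() {
    openssl crl -inform DER -in "$1" -noout 2>/dev/null ||
        openssl crl -inform PEM -in "$1" -noout 2>/dev/null
}

# Check every DP of the certificate in $1. One line per DP, "<status> <uri>":
#   OK            fetched and decoded as a CRL
#   DECODE_ERROR  fetched, but the bytes are not a CRL (the symptom in this thread)
#   UNREACHABLE   name did not resolve or the fetch failed
#   SKIPPED       scheme not handled here (ldap://); verify it with an LDAP client
# A certificate with no DP extension passes, since validators have nothing to fetch.
# Exit status is 0 only when every DP is OK.
check_crl_dps() {
    cert=$1; rc=0; tmp=$(mktemp)
    for uri in $(crl_dp_uris "$cert"); do
        case $uri in
        http://*|https://*|file://*)
            if ! curl -sSf --max-time 15 -o "$tmp" "$uri" 2>/dev/null; then
                echo "UNREACHABLE $uri"; rc=1
            elif crl_decodes "$tmp"; then
                echo "OK $uri"
            else
                echo "DECODE_ERROR $uri"; rc=1
            fi ;;
        *)  echo "SKIPPED $uri"; rc=1 ;;
        esac
    done
    rm -f "$tmp"
    return $rc
}

# Usage: check_crl_dps server.pem
```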

Edward van der Maas
Jul 3, 2009, 1:42:45 AM

Paul Zelenewicz wrote:

> Hi Edward,
> I've never used the revocation list before.
> My understanding is that if I repair default certificates for
> "server1" then anything currently using "server1.der" for LDAP will
> still work as it is based on the same trusted root. Is that correct?

Nothing will break if you repair the default certs. Most applications
read the certs when being started up so when you restart your server
the new certs will be read.


--
Cheers,
Edward

Edward van der Maas
Jul 3, 2009, 6:58:36 PM

Paul Zelenewicz wrote:
> I still was unable to create edir-edir certs with the IDM plugin
> through iMan,

I tend to use Designer for that. One click and it's done :)

--
Cheers,
Edward
