Re: EAP-TLS CRL problem - a PKIX guru around?
Hi Stefan, Had some CRL problems back in the day, with Apache 2.2 and Apache 2.4 behaving differently (I believe the change is in Apache 2.3, and I will have a whole blog post about this in the BBC internet blog soon). Have a look at the RFC (), under "6.3.3. CRL Processing", specifically: (b) Verify the issuer and scope of the complete CRL as follows: ... (2) If the complete CRL includes an issuing distribution point (IDP) CRL extension, check the following: (i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distribution field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP. So I think this, in your CRL: X509v3 Issuing Distrubution Point: Full Name: URI:https://www.restena.lu/restena-staffauth.crl ...and this in your Cert... X509v3 CRL Distribution Points: Full Name: URI:https://www.restena.lu/ca/restena-root.crl ...might have to match. Let me know if this helps! Nikos
participants (1)
-
tsouk