Menu

#20 CRL Generation problem for Netscape

closed
nobody
None
5
2003-11-24
2003-11-20
pasi koistinen
No

Setup:
- XCA 0.4.5
- Netscape 7.1

Preceding work phases:
- Created a root CA with 4k key
- Created user certificates witn 1k and 2k keys
- Revoked some of the certificates
- Generated a CRL
- Exported the CRL in PEM and DER format

Problem:
The generated CRLs (PEM and DER) work fine with
windows (IE). The operating system recognizes the CRLs
and is quite happy with them.

Netscape accepts only DER encoded CRLs.
However, Netscape 7.1 gives an error message when
importing the CRL:
"The browser cannot import the CRL.
New CRL has an invalid format.
Please ask your administrator for assistance."

Maybe the problem is caused by Netscape. However, I
managed to get DER encoded CRLs working with earlier
versions of XCA but not anymore. The problem has been
tested on several workstations running the same version
of Netscape.

The DER-encoded CRL is here as an attachment, please
have a look.

Discussion

  • pasi koistinen

    pasi koistinen - 2003-11-20

    Test CRL for demonstration. Try with Netscape 7.1

     
    testDER.crl

  • Christian Hohnstaedt

    Christian Hohnstaedt - 2003-11-24

    Logged In: YES
    user_id=609294

    solved in CVS by changing
    GENERALIZEDTIME to UTCTIME

     

  • Christian Hohnstaedt

    Christian Hohnstaedt - 2003-11-24
    • status: open --> closed
     

  • Nobody/Anonymous

    Nobody/Anonymous - 2003-11-24

    Logged In: NO

    Thank you Chris. I hope the new release is on the way soon so
    that I can generate a working CRL soon.

    Keep up the *great* work!