Menu
▾
▴
Re: [Ejbca-develop] Problem when validating expired certificates
|
From: Tomas G. <to...@pr...> - 2016-07-04 06:46:53
|
Hi Tom, How are you trying to validate your certificates? The certificates themselves have nothing to do with the validity of CRLs and OCSP responses. CRLs and OCSP responses have their own validity period. From the messages you provide it looks like you have clock missmatch somewhere on the validating client. The only way CRLs or OCSP responses can have different validity for different certificates is if they are issued from different CAs for example. For example: > CRL has expired or is not yet valid Shows the _CRL_, not the certificate has an invalid validity time. The _CRL_ is the same (really the same file) regardless if a certificate you are trying to validate is revoked or not. Regards, Tomas ********** PrimeKey Solutions AB Lundagatan 16, 171 63 Solna, Sweden Mob: +46 (0)707421096 Internet: www.primekey.se Twitter: twitter.com/primekeyPKI ********** On 2016-07-01 17:55, Tom wrote: > Dear All, > > I have implemented a EJBCA CA with CRL and OCSP validation and have the > following problem: > > The expired certificates have error when trying to validate: > * CRL processing error > Issuer: c=XX, o=ABC, cn=abc.com > This update: 20160701105720Z > Next update: 20160702105720Z > CRL has expired or is not yet valid > > * OCSP response has expired or is not yet valid > > This problem does not occur with the revoked certificates, these are > validated correctly. > > Someone has an idea that can be causing this? > Thanks. > > Regards, > Enzo > > -- > Sent from ProtonMail <https://protonmail.com>. > > > > > ------------------------------------------------------------------------------ > Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San > Francisco, CA to explore cutting-edge tech and listen to tech luminaries > present their vision of the future. This family event has something for > everyone, including kids. Get more information and register today. > http://sdm.link/attshape > > > > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |
