How to fetch CRLs from distribution points
Source: Internet. Editor: 程序博客网. Posted: 2024/06/05 00:15
http://support.microsoft.com/kb/289749
Q1: What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?
A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.
The following are examples of CDP entries:
- [1] CRL Distribution Point, Distribution Point Name, Full Name: URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=rte,DC=microsoft,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
- [2] CRL Distribution Point, Distribution Point Name, Full Name: URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl
- [3] CRL Distribution Point, Distribution Point Name, Full Name: URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl
Q2: When does IIS 5.0 retrieve a CRL?
A2: Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period." IIS 5.0 retrieves a CRL only if one of the following conditions is true:
- The CRL of the certificate is not contained in the IIS 5.0 cache.
- The effective date of the CRL in the IIS 5.0 cache has passed.
Q3: If the certificate contains several CRL Distribution Points, does IIS 5.0 retrieve the CRL from each location?
A3: No. Only the first, or top, location is used. If unsuccessful, IIS 5.0 tries the next CRL distribution point.
Q4: Are the contents of each CRL at each CRL distribution point downloaded and combined?
A4: No. Only one CRL is downloaded.
Q5: Are CRLs stored on the computer that is running IIS 5.0?
A5: Yes. However, any consequences that result from the manipulation of the CRL are not supported by Microsoft Product Support Services.
Q6: How are CRLs identified? That is, what extension do CRL files use?
A6: CRLs use a .crl extension. For example, CRLFileName[1].crl.
Note: The FileName is listed in the CRL distribution point on the certificate.
Q7: What occurs if IIS 5.0 cannot find one of the CRLs?
A7: By default, IIS 5.0 fails if the CRL of a certificate cannot be accessed. Therefore, multiple paths and protocols are used to the same CRL distribution point. For example, the following protocols and paths are used in the URL of a CRL distribution point:
- HTTP
- Lightweight Directory Access Protocol (LDAP)
- File
Q8: What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?
A8: Yes, you receive the same error message in both scenarios. You receive the following error message:
HTTP 403.13 Forbidden: Client certificate revoked
The page requires a valid client certificate
Q9: You experience one of the following symptoms:
- You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
- You revoke a certificate and republish the CRL. However, IIS 5.0 still lets users locate a Web site by using the revoked certificate.
A9: Both these scenarios are related to the same issue. IIS 5.0 still uses a cached CRL that has not passed its effective date. For more information, see "Q2: When does IIS 5.0 retrieve a CRL?".
Q10: Is it possible to force the cached CRL to update?
A10: You cannot force the cached CRL to update. The CRL has an expiration date. When the CRL expires, the CRL is renewed.
All certificates are stored in the cache when the certificates are selected from a store or from a URL. The only difference is the location where the cached certificates are stored. Certificates can be stored in the following locations:
- Memory: All retrieved certificates are cached in memory.
- CA Store: All certificates that are retrieved from any WinInet-supported URLs, such as HTTP, FTP, LDAP, and FILE, by using the Authority Information Access (AIA) extension are cached in the CA store.
- Local file system: If the retrieval URL is ldap://, ftp://, or http://, the certificate or CRL is also cached by WinInet in the local file system. The cache is stored in the Documents and Settings\UserName\Local Settings\Temporary Internet Files folder.
For additional information about certificates and about caching, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx
MORE INFORMATION
Q12: Can IIS 5.0 perform "real time" CRL checking?
A12: No. IIS 5.0 uses the CRL in the cache until the CRL expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour. You can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL still has the same validity period.
REFERENCES
For more information about Internet X.509 Public Key Infrastructure Certificate and CRL profile, visit the following Internet Engineering Task Force (IETF) Web site:
Request for Comments (RFC) 2459: http://www.ietf.org/rfc/rfc2459.txt?number=2459
Properties
Article ID: 289749 - Last Review: November 21, 2006 - Revision: 8.1
APPLIES TO
- Microsoft Internet Information Services 5.0
Keywords:
kbtshoot kbfaq kbinfo KB289749
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
LDAP for the Java Net URL Framework
Part II: How to fetch CRLs from distribution points
By Dieter.Bratko@iaik.tugraz.at, August 2006
Introduction
Despite the growing popularity of the Online Certificate Status Protocol (OCSP), certificate revocation lists (CRLs) are still the most commonly used means of providing revocation information about X.509 certificates. CRLs are publicly available from distribution points such as HTTP or LDAP servers. A certificate usually contains a CRLDistributionPoints extension with a link to the location from where the corresponding CRL can be obtained. You might think that it is simple and straightforward to follow the link and download a CRL from its distribution point. However, a CRLDistributionPoints extension may be structured in different ways, which already makes it difficult to extract the information about where to get the revocation list.
This article shows how you can let IAIK JCE do all the basic work for you to easily download a certificate revocation list from its distribution point. We first give a brief description of the CRLDistributionPoints certificate extension. Then we provide an example showing how to use IAIK-JCE for downloading a crl based on the information contained in the CRLDistributionPoints extension.
The CRLDistributionPoints extension
This chapter provides a short description of the CRLDistributionPoints extension. It should give you a feeling for the several ways in which revocation information may be linked. You may skip this section; understanding the structure of the CRLDistributionPoints extension is not strictly required for using IAIK-JCE to download a CRL from its distribution point.
The X.509 PKI and CRL profile defines the CRLDistributionPoints extension as an ASN.1 SEQUENCE of DistributionPoint objects (see RFC 3280), each of which points to a location from where a CRL can be obtained:
    CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

    DistributionPoint ::= SEQUENCE {
        distributionPoint        [0] DistributionPointName OPTIONAL,
        reasons                  [1] ReasonFlags OPTIONAL,
        cRLIssuer                [2] GeneralNames OPTIONAL }

    DistributionPointName ::= CHOICE {
        fullName                 [0] GeneralNames,
        nameRelativeToCRLIssuer  [1] RelativeDistinguishedName }

    ReasonFlags ::= BIT STRING {
        unused                   (0),
        keyCompromise            (1),
        cACompromise             (2),
        affiliationChanged       (3),
        superseded               (4),
        cessationOfOperation     (5),
        certificateHold          (6),
        privilegeWithdrawn       (7),
        aACompromise             (8) }
The DistributionPointName field of each DistributionPoint may be a fullName of type GeneralNames or an RDN relative to the CRL issuer distinguished name (DN). In the first case the fullName field may represent a URI that points to the location from which to get the CRL. In the second case – if nameRelativeToCRLIssuer is set – the specified RDN has to be appended to the DN of the CRL issuer. The DN of the CRL issuer may be given in the cRLIssuer field of the distribution point, or – if cRLIssuer is not present – it is the DN of the certificate issuer. The cRLIssuer field must only be present if the corresponding CRL is an indirect CRL, where the issuer of the CRL is not the same as the issuer of the certificate for which revocation information shall be obtained. The scope of each CRL can be limited to some of the reasons given in the optional ReasonFlags component.
Downloading a CRL from a distribution point
Fortunately, CRL distribution points most commonly refer to an HTTP or LDAP URL. Since LDAP is not supported by the java.net URL implementation by default – see Part 1 of this two-part article series – you first have to register the IAIK-JCE LDAP protocol handler if you want to be able to get CRLs from LDAP distribution points:
    System.getProperties().put("java.protocol.handler.pkgs", "iaik.x509.net");
To get a CRLDistributionPoints extension from an X509Certificate object, call method getExtension with the OID of the CRLDistributionPoints extension:
    X509Certificate cert = …;  // the certificate whose CRL is to be fetched
    CRLDistributionPoints cRLDPs = (CRLDistributionPoints)cert.getExtension(CRLDistributionPoints.oid);
Since more than one DistributionPoint may be included, you must get an Enumeration of the DistributionPoint elements contained in the CRLDistributionPoints extension:
    Enumeration e = cRLDPs.getDistributionPoints();
Now step through the enumeration and call method loadCrl of each DistributionPoint object to download the CRL from the location the distribution point points to:
    while (e.hasMoreElements()) {
      DistributionPoint dp = (DistributionPoint)e.nextElement();
      // download crl
      X509CRL crl = dp.loadCrl();
    }
If you want to be sure that a particular distribution point actually refers to a URI, you may call method containsUriDpName before downloading a CRL.
Summing up, the following source code fragment downloads all CRLs from those distribution points of a CRLDistributionPoints extension that refer to a URL:
    // register IAIK-JCE LDAP protocol handler
    System.getProperties().put("java.protocol.handler.pkgs", "iaik.x509.net");
    // get CRLDistributionPoints extension from a certificate
    X509Certificate cert = …;
    CRLDistributionPoints cRLDPs = (CRLDistributionPoints)cert.getExtension(CRLDistributionPoints.oid);
    // get and step through all distribution points
    Enumeration e = cRLDPs.getDistributionPoints();
    while (e.hasMoreElements()) {
      DistributionPoint dp = (DistributionPoint)e.nextElement();
      if (dp.containsUriDpName()) {
        // download crl
        X509CRL crl = dp.loadCrl();
      }
    }
If you have to deal with a distribution point that does not refer to an HTTP or LDAP URL but uses the nameRelativeToCRLIssuer choice described in the section on the CRLDistributionPoints extension, you may have to know the LDAP server URL (and maybe the CRL/certificate issuer DN) in advance. In this case use method loadCrl(String ldapUrl, Name crlIssuer) to download the revocation list (see the IAIK-JCE Javadoc for more information). However, this is usually not required, since most CAs use the fullName URL option to point to the location from where to get the CRL.
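As an added example that is not part of the IAIK article or the IAIK-JCE toolkit, the following standard-library Python parser walks a DER-encoded CRLDistributionPoints value of the shape described in the section above and returns, per DistributionPoint, the fullName URIs that the loop above would try in order, the raw nameRelativeToCRLIssuer RDN that would have to be appended to the CRL (or certificate) issuer DN, the decoded ReasonFlags, and whether a cRLIssuer is present. The sample bytes, host names and the CN value are constructed for illustration only.

```python
# Standard-library DER walker for CRLDistributionPoints (RFC 3280, 4.2.1.14); the sample is constructed.
REASONS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
           "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise"]
def _tlv(tag, content):
    """Encode one DER TLV; used only to build the sample (content stays below 256 bytes)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def _walk(buf):
    """Yield (tag, value) for each DER TLV in buf, handling short and long length forms."""
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                               # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n
def _reason_flags(bits):
    """Decode ReasonFlags: bits[0] is the unused-bit count, named bit 0 is the MSB of bits[1]."""
    body, nbits = bits[1:], 8 * len(bits) - 8 - bits[0]
    return [REASONS[i] for i in range(min(nbits, len(REASONS))) if body[i // 8] >> (7 - i % 8) & 1]
def parse_crl_distribution_points(der):
    """Return one dict per DistributionPoint, in the order the issuer listed them."""
    (tag, seq), = _walk(der)
    assert tag == 0x30, "CRLDistributionPoints must be a SEQUENCE"
    points = []
    for _, dp in _walk(seq):
        entry = {"uris": [], "relative_name": None, "reasons": None, "crl_issuer": False}
        for t, v in _walk(dp):
            if t == 0xA0:                          # distributionPoint [0] EXPLICIT DistributionPointName
                for ct, cv in _walk(v):
                    if ct == 0xA0:                 # fullName [0] GeneralNames: keep the URI members
                        entry["uris"] = [gv.decode("ascii") for gt, gv in _walk(cv) if gt == 0x86]
                    elif ct == 0xA1:               # nameRelativeToCRLIssuer [1] RDN, kept as raw DER
                        entry["relative_name"] = cv
            elif t == 0x81:                        # reasons [1] ReasonFlags
                entry["reasons"] = _reason_flags(v)
            elif t == 0xA2:                        # cRLIssuer [2] GeneralNames: this is an indirect CRL
                entry["crl_issuer"] = True
        points.append(entry)
    return points
# Constructed sample: DP 1 carries an HTTP and an LDAP fullName URI; DP 2 uses an RDN relative to a
# separate cRLIssuer (CN=CRL1) and limits its scope to keyCompromise|cACompromise (named bits 1, 2).
_CN = _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"CRL1")))   # SET { CN=CRL1 }
DP1 = _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, b"http://ca.example.test/ca.crl")
                                     + _tlv(0x86, b"ldap://ldap.example.test/cn=CA?certificateRevocationList"))))
DP2 = _tlv(0x30, _tlv(0xA0, _tlv(0xA1, _CN[2:]))                  # [1] IMPLICIT replaces the SET tag
               + _tlv(0x81, b"\x05\x60") + _tlv(0xA2, _tlv(0xA4, _tlv(0x30, _CN))))
SAMPLE = _tlv(0x30, DP1 + DP2)
```

A fetcher would take the URIs of the first entry whose "uris" list is non-empty and, for a "relative_name" entry, build the LDAP query from the cRLIssuer or certificate issuer DN instead.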
Summary
This article shows how to use IAIK-JCE to download certificate revocation lists from their distribution points without detailed knowledge about distribution point structuring and LDAP URL handling.
References
- Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile: http://www.ietf.org/rfc/rfc3280.txt
- The LDAP URL format: http://www.ietf.org/rfc/rfc2255.txt
- Java Naming And Directory Interface (JNDI): http://java.sun.com/products/jndi/
- IAIK-JCE Toolkit: http://jce.iaik.tugraz.at/products/core_crypto_toolkits/jca_jce