CRL decode error on certificate after renewing CA

Hello All

My CA certificate will expire in January.
I use NetWare 6.5 and eDir 8.8,
so I tested TID 7013047 in my lab to renew it. The new CA certificate was created correctly. After that I created a new certificate for use with LDAPS. It seems to have been created correctly, but when I try to validate it I get an error message saying it is invalid: "CRL decode error".
Searching the forum and the internet, I see that other people have had the same issue, but I can't find any TID for fixing it. I tested connecting with some applications that use LDAPS authentication, and logging in to those applications failed. I'm afraid there is a problem with the new LDAPS certificate.

How can I fix it? I'm afraid of having the same issue in production when I renew the real CA.

Regards L.SL
  • Capitainekurck,
    > it seem to be created correctly but when i try to validate
    > it i got an error message that it is invalid. error : CRL decode
    > error.


    Where do you see that? I generally distrust the validation in
    C1/iManager. So this is the actual CA you are renewing?

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

    Have an idea for a product enhancement? Please visit:
    https://www.novell.com/products/enhancement-request.html

  • Yes, the CA will expire in January, so I need to renew it.
    First I want to test how to do it correctly in my lab before doing it in production (once every 10 years; I don't do it often).
    As I renew the CA, I have to renew all the other certificates, so in my lab I destroyed the old CA and recreated it using TID 7013047.
    After that I created a new certificate for the LDAPS connection, as I have a lot of apps that use LDAPS authentication. But on this new certificate for the TLS connection I get this issue with the CRL.
  • First, do you plan on using the CRL, or do your clients actually check it?
    Perhaps they do, but many folks just disable that part of the CA as they
    do not intend to use it that way, particularly since these certificates
    are not generally trusted by the world, and if they are ever compromised
    then all of the things using them will be updated anyway.

    As a result, creating a CA with no CRL is an option. Otherwise, find out
    more about why there is a problem with the CRL, probably with the CRL
    Distribution Points (CRLDP). These are URIs in LDAP and HTTP format, by
    default, and if they cannot be reached, or if they still point to the old
    CRL databases, then clients may complain. Most clients do not bother with
    CRL checking, though, so often it's a moot point.


    --
    Good luck.

  • Well, in fact I don't know whether all the applications that authenticate users through LDAPS use the CRL, and it seems that the people who maintain these apps don't know either.
    After renewing the CA I gave them the public key to install on the server, to try to connect to my lab and see whether they could authenticate, and they can't. I took some ndstrace output and I see that the client cuts the connection.
    So I don't know whether it is because they don't know how to deal with the new certificate or because the client cuts the connection because it can't read the CRL.
    I don't have a lot of documentation; it's an old installation and the people who set it up have left the office.

    So I would prefer to renew the certificate like the old one.