capitainekurck Absent Member.

CRL decode error on certificate after renew CA

Hello All

My CA certificate will expire in January.
I use NetWare 6.5 and eDirectory 8.8.
So I tested TID 7013047 in my lab to renew it. The new CA certificate was created correctly. After that I created a new certificate for use with LDAPS. It seems to have been created correctly, but when I try to validate it I get an error message that it is invalid. Error: CRL decode error.
Searching the forum and the internet, I see that other people have had the same issue, but I can't find any TID for fixing it. I tested connecting with some applications that use LDAPS authentication, and logging in to those applications failed. I'm afraid there is a problem with the new LDAPS certificate.

How can I fix it? I'm afraid of having the same issue in prod when I renew the real CA.

Regards, L.SL
Knowledge Partner

Re: CRL decode error on certificate after renew CA

Capitainekurck,
> it seem to be created correctly but when i try to validate
> it i got an error message that it is invalid. error : CRL decode
> error.
What do you see that? I generally distrust the validation in
C1/iManager. So this is the actual CA you are renewing?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
https://www.novell.com/products/enhancement-request.html

capitainekurck Absent Member.

Re: CRL decode error on certificate after renew CA

Yes, the CA will expire in January, so I need to renew it.
First I want to test how to do it correctly in my lab before doing it in prod (once every 10 years, I don't do it often).
As I renew the CA I have to renew all the other certificates. So in my lab I destroyed the old CA and recreated it using TID 7013047.
After that I created a new certificate for the LDAPS connection, as I have a lot of apps that use LDAPS authentication. But on this new certificate for the TLS connection I get this issue about the CRL.
Knowledge Partner

Re: CRL decode error on certificate after renew CA

First, do you plan on using the CRL, or do your clients actually check it?
Perhaps they do, but many folks just disable that part of the CA as they
do not intend to use it that way, particularly since these certificates
are not generally trusted by the world, and if they are ever compromised
then all of the things using them will be updated anyway.

As a result, creating a CA with no CRL is an option. Otherwise, find out
more about why there is a problem with the CRL, probably with the CRL
Distribution Points (CRLDP). These are URIs in LDAP and HTTP format, by
default, and if they cannot be reached, or if they still point to the old
CRL databases, then clients may complain. Most clients do not bother with
CRL checking, though, so often it's a moot point.
--
Good luck.

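The checks behind the advice above, as an added lab example that is not from the thread or from Novell/Micro Focus: build a throwaway CA, issue an LDAPS server certificate carrying a CRL Distribution Point, then confirm the CRL decodes, list the CRLDP URIs a client will try, and verify the certificate with CRL checking on, both with and without the CRL available. It needs the openssl CLI; the CA name, host name and CRLDP URI are constructed lab values, not the poster's.

```shell
#!/bin/sh
# Constructed lab PKI: every file is written into the current directory.
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=LabRootCA -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
    -subj /CN=ldap.lab.example 2>/dev/null
  # leaf extensions: SAN for LDAPS plus a (constructed) CRL Distribution Point
  printf 'subjectAltName=DNS:ldap.lab.example\n' > ext.cnf
  printf 'crlDistributionPoints=URI:http://crl.lab.example/LabRootCA.crl\n' >> ext.cnf
  openssl x509 -req -in ldap.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out ldap.crt -days 1 -extfile ext.cnf 2>/dev/null
  # minimal 'openssl ca' config: just enough to sign an empty CRL for the lab CA
  printf '[ca]\ndefault_ca=lab\n[lab]\ndatabase=index.txt\ncertificate=ca.crt\n' > ca.cnf
  printf 'private_key=ca.key\ndefault_md=sha256\n' >> ca.cnf
  : > index.txt
  openssl ca -config ca.cnf -gencrl -crldays 1 -md sha256 -out ca.crl 2>/dev/null
  # a cut-off DER copy is what a "CRL decode error" looks like to a client
  openssl crl -in ca.crl -outform DER 2>/dev/null | dd bs=1 count=60 2>/dev/null > truncated.crl
}

# Exit 0 only if the CRL parses; the first thing to check when a client
# reports a CRL decode error.
crl_decodes() {                    # $1 = CRL file, $2 = PEM or DER
  openssl crl -in "$1" -inform "$2" -noout >/dev/null 2>&1
}

# Print the CRLDP URIs in a certificate, one per line. A CRL-checking client
# fetches these, so they must be reachable and point at the renewed CA's CRL.
crl_dp_uris() {                    # $1 = certificate (PEM)
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^[:space:],]*' | sed 's/^URI://'
}

# Verify a leaf with CRL checking on. Pass "" as $2 to see what a strict
# client reports when the CRL cannot be obtained at all.
verify_with_crl() {                # $1 = CA cert, $2 = CRL or "", $3 = leaf
  cat "$1" ${2:+"$2"} > chain.pem
  openssl verify -crl_check -CAfile chain.pem "$3" >/dev/null 2>&1
}

cd "$(mktemp -d)" && make_lab_pki
crl_dp_uris ldap.crt
crl_decodes ca.crl PEM        && echo "ca.crl: decodes"
crl_decodes truncated.crl DER || echo "truncated.crl: decode error"
verify_with_crl ca.crt ca.crl ldap.crt && echo "with CRL: OK"
verify_with_crl ca.crt "" ldap.crt     || echo "without CRL: verify fails"
```

Run the same three functions against the real renewed CA certificate, its published CRL and the new LDAPS certificate to separate a CRL that does not decode from a CRLDP that clients cannot reach.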
capitainekurck Absent Member.

Re: CRL decode error on certificate after renew CA

Well, in fact I don't know if all the applications that authenticate users through LDAPS use the CRL, and it seems that the people who maintain these apps don't know either.
After renewing the CA I gave them the public key to install on their server, to try connecting to my lab and see if they could authenticate. They can't. I took some ndstrace output and I see that the client cuts the connection.
So I don't know if it is because they don't know how to deal with the new certificate, or because the client cuts the connection because it can't read the CRL.
I don't have a lot of documentation; it's an old install and the people who built it have left the office.

So I would prefer to renew the certificate the same way as the old one.