
Invalid: CRL Decode Error on two new OES 2015 servers

Hi,

As OES11SP1 is not supported anymore we moved to OES2015.

In December we installed a new OES 2015 in our tree.
We moved the CA from OES11SP1 server to the OES2015 server.
Following method one:
https://www.novell.com/support/kb/doc.php?id=3618399

Then we installed another OES2015 server without any trouble.

Today I wanted to export our new CA cert to import on our Macs.
And I thought let's validate the certificate first.
NETIQ Certificate Access - Server Certificates -
It gave the error: Invalid: CRL Decode Error (on all 4 DNS IP SSLDNS SSL)
See attachment to this SR.

On the second installed OES2015 server we have the same issue on all 4 certificates:
Invalid: CRL Decode Error (on all 4 DNS IP SSLDNS SSL)

How can we fix this?

Kr,

Joeri
Knowledge Partner

Re: Invalid: CRL Decode Error on two new OES 2015 servers

On every certificate you should be able to see an attribute that is something like 'CRL Distribution Points' (CRLDP). In this attribute will be one or more values that point, via some URI, to the location where the CRL is maintained. Is that URI valid and is there a CRL there? I'm guessing not, and that's the problem. You'll need to create one there (iManager has a task to let you export the CRL I believe).

Many/Most SSL/TLS clients do not actually try to access CRL DPs because CRLs are kind of flawed in design when it comes to scale. As a result, despite this validation error, your (Mac) clients may still be fine working, so perhaps try that out and see, at least so you can prioritize this troubleshooting and fixing accordingly.

--
Good luck.

Knowledge Partner

Re: Invalid: CRL Decode Error on two new OES 2015 servers

If these certs have been created before the CA was moved they'll likely contain CRL URLs pointing to the old server.
I'd manually create a certificate on every server and check these for validity, just to make sure your CURRENT CRLoffset is ok. If it is, you might want to recreate the default certs (in order to point to the correct distribution points).
Currently there are not too many instances which really check CRLs, so getting CRL decode errors doesn't necessarily mean that something won't work.
Apart from that: it seems that you're talking about installing your trusted root cert (as opposed to server certs). Did you create a new CA or did you just move it?
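The check both replies above describe, as an added shell example that is not from this thread or from the OES/NetIQ tools: list the CRL Distribution Point URIs on a certificate, confirm that what sits behind them actually decodes as a CRL (a CRL that will not parse is the local form of "CRL Decode Error"), and verify a server certificate against that CRL. It assumes openssl 1.1.1 or later and curl are installed; the CA, server certificate, CRL and the http://ca.example.invalid URL it builds are constructed placeholders, not anything from a real tree.

```shell
#!/bin/sh
# Added example, not from the thread: list a certificate's CRL Distribution
# Point URIs, decode the CRL published there and verify the certificate
# against it. Needs OpenSSL 1.1.1+ (for "x509 -ext") and, online, curl.
set -e

# Print every URI in the certificate's CRL Distribution Points extension.
crl_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}
# Fetch a CRL from a distribution point URI into file $2 (needs the network).
fetch_crl() { curl -fsS -o "$2" "$1"; }
# Decode a CRL (PEM or DER), printing issuer, lastUpdate and nextUpdate.
# Returns 1 when the file does not parse: the local "CRL Decode Error".
crl_decode() {
    for fmt in PEM DER; do
        openssl crl -inform "$fmt" -in "$1" -noout -issuer -lastupdate \
            -nextupdate 2>/dev/null && return 0
    done
    echo "CRL decode error: $1" >&2
    return 1
}
# Verify certificate $3 against CA $1, checking revocation against CRL $2.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}
# Constructed demo data in directory $1: a throwaway CA, an empty CRL it signs
# and a server certificate whose CRLDP is a placeholder URL (not a real CA).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    printf 'crlDistributionPoints=URI:http://ca.example.invalid/ca.crl\n' >"$d/ext.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=srv.example.invalid" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/ext.cnf" -out "$d/srv.pem" >/dev/null 2>&1
    : >"$d/index.txt"
    printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\ncertificate=%s/ca.pem\nprivate_key=%s/ca.key\ndefault_md=sha256\ndefault_crl_days=7\n' "$d" "$d" "$d" >"$d/ca.cnf"
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "CRLDP URIs: $(crl_urls "$demo/srv.pem")"
crl_decode "$demo/ca.crl"
verify_with_crl "$demo/ca.pem" "$demo/ca.crl" "$demo/srv.pem" && echo "srv.pem: OK"
rm -rf "$demo"
```

Against a real server certificate, run crl_urls on it, fetch_crl each URI it prints, then crl_decode the download: a URI that still points at the old server, or a CRL that fails to decode, is what the NetIQ validation is complaining about.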
Super Contributor.

Re: Invalid: CRL Decode Error on two new OES 2015 servers

Hi,

Just to let you know, I created an SR with Novell.

They took over my system and saw that my CA CRL had no issuer date.
Then they went to the CRL Distribution Points (CRLDP) on the CA, they deleted the CRL Distribution point. Then created a new CRL.

Then they repaired the server certificates on all my servers which have a certificate from that CA.
Now all the certificates are valid.

If you have this issue, I would recommend that you create an SR.

Kr,

Joeri