Micro Focus Expert

Re: Move Certificate Authority to new Server or create a new CA

On 2019-05-21 13:20, Lothar Haeger wrote:
> Norbert Klasen wrote:
>
>> I've had one customer who had configured an LDAP crldp. They then turned on
>> enforce TLS on all connections in eDirectory. That caused eDirectory to
>> reject requests for the LDAP crldp URL which in turn caused the client (an
>> edir2edir driver) to abort its connection attempt.

>
> Just to make sure I understand that correctly.
>
> a CRL had an LDAP (non-TLS) distribution point configured. Then Edir started
> requiring TLS for everything, and an IDM driver running in another tree checked
> the non-TLS CRL URL and the connection attempt got rejected (as expected).
>
> Was there no LDAPS distribution point configured or did the client (IDM
> Edir2Edir driver) not even attempt to utilize the other URLs (if present)?


Sorry, can't remember if the certificate had in fact other DPs than the
LDAP one.

DPs with TLS need extra care:

https://tools.ietf.org/html/rfc5280#section-8

When certificates include a cRLDistributionPoints extension with an
https URI or similar scheme, circular dependencies can be introduced.
The relying party is forced to perform an additional path validation
in order to obtain the CRL required to complete the initial path
validation! Circular conditions can also be created with an https
URI (or similar scheme) in the authorityInfoAccess or
subjectInfoAccess extensions. At worst, this situation can create
unresolvable dependencies.

CAs SHOULD NOT include URIs that specify https, ldaps, or similar
schemes in extensions. CAs that include an https URI in one of these
extensions MUST ensure that the server's certificate can be validated
without using the information that is pointed to by the URI. Relying
parties that choose to validate the server's certificate when
obtaining information pointed to by an https URI in the
cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess
extensions MUST be prepared for the possibility that this will result
in unbounded recursion.


--
Norbert
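A check for the RFC 5280 section 8 point quoted above, added here as an example and not part of Norbert's post or of any Micro Focus tool: a dependency-free Python parser that walks a DER-encoded cRLDistributionPoints extension value, lists its URIs, and flags the ones whose scheme (https, ldaps) requires validating another certificate before the CRL can even be fetched. The sample extension is constructed inside the block from made-up hosts.

```python
# Added example, not from the thread: parse a DER cRLDistributionPoints
# extension value, list its URIs and flag TLS schemes (RFC 5280 section 8).
TLS_SCHEMES = ("https", "ldaps")

def _tlv(tag, body):
    # Encode one DER TLV; used only to construct the sample extension below.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _iter_tlv(data):
    # Yield (tag, body) for each DER element inside a constructed body.
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                      # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + ln]
        i += ln

def _children(data, tag):
    return [body for t, body in _iter_tlv(data) if t == tag]

def crl_dp_uris(ext_value):
    # SEQUENCE OF DistributionPoint -> distributionPoint [0]
    #   -> fullName [0] GeneralNames -> uniformResourceIdentifier [6]
    uris = []
    for dps in _children(ext_value, 0x30):
        for dp in _children(dps, 0x30):
            for field in _children(dp, 0xA0):
                for names in _children(field, 0xA0):
                    uris += [u.decode("ascii") for u in _children(names, 0x86)]
    return uris

def tls_dependent(uris):
    # DPs whose fetch needs another certificate validated first (RFC 5280 s8).
    return [u for u in uris if u.split(":", 1)[0].lower() in TLS_SCHEMES]

def sample_extension():
    # Constructed sample with made-up hosts: one plain LDAP DP, one HTTPS DP.
    def dp(uri):
        return _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, uri.encode("ascii")))))
    return _tlv(0x30, dp("ldap://ldap.example.test/cn=CRL,o=Org")
                + dp("https://crl.example.test/ca.crl"))
```

In practice the extension value comes from the certificate being inspected (for example the bytes behind the cRLDistributionPoints OID after decoding the certificate); an empty result from `tls_dependent` means no DP pulls in a second path validation, but it says nothing about whether a plain-LDAP DP is still reachable once the directory enforces TLS on every connection, which was the failure in Norbert's case.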
Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

Norbert Klasen wrote:

> DPs with TLS need extra care:


Yeah, that sounds like fun! 🙂

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

ka12312 wrote:

> Any recommendations


Open a service request to get it straight from the horse's mouth.

Support will also be able to tell you how to make sure any existing CRLs can
be migrated, if necessary. I suspect deleting and re-creating the CRL is all
that's required.

Does your existing CRL actually list revoked certs, btw? Check in iManager
(Cert Server > Configure CA > CRL > Details): it is usually empty. If it is in
your setup as well, nothing to worry about in the first place.

And if you really distribute a list of revoked certs, you could export them
from iManager and reimport them again into a fresh CRL after the Update (in
case the CRL gets destroyed somehow and you have to delete/recreate). Do not
forget to take note of the distribution points as well, those should not
change, I guess.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
kab12312
Respected Contributor.

Re: Move Certificate Authority to new Server or create a new

Details are empty so I guess I am good. Thank you!!