
validate Certificate in iManager:'Invalid: CRL Decode Error'


eDirectory v.20803.05
iManager 2.7.7 workstation install (no Tomcat on a server)

--------------------------------
Situation:
--------------------------------
Since I want nobody to have access to my CA through either LDAP or HTTP,
I chose to remove all CDPs from my CRL (eDirectory 8.8.8 seems to create
certificates with this extension by default; 8.8.6 did not do that).
To make certificate checking possible I made a script to copy the CRL to
a web server (HTTP) and changed the CRL config accordingly (so that two
http://mywebressource.mydomain/cert/edirectory.crl entries are written
into the CDP extension of newly created certificates).

BUT:
Creating a new certificate or repairing the default certificates (with
'Force the generation of new default certificates' set to 'YES'), then
navigating to NetIQ Certificate Access | Server Certificate | Choose
Server and clicking 'Validate' on the certs results in: Invalid: CRL
Decode Error.

The URL is accessible and the CRL can be fetched there. In a network
trace I can't see any HTTP traffic for the check. Only when I add a
local LDAP URL to the CDP (in the CRL, and then recreate the
certificates) AND change the LDAP configuration to not impose any
restrictions on binds (AND have my firewall changed to let anybody
through to that server on 389 for 'real' certificate validation in the
'real' world) does the validation in iManager work.

I found https://www.novell.com/support/kb/doc.php?id=3205138 but I can
see no HTTP at all in the LAN trace.


Thanks in advance, florian


--
florianz
------------------------------------------------------------------------
florianz's Profile: https://forums.netiq.com/member.php?userid=309
View this thread: https://forums.netiq.com/showthread.php?t=52577


Re: validate Certificate in iManager:'Invalid: CRL Decode Error'

On 1/13/2015 7:44 AM, florianz wrote:
> The URL is accessible and the CRL can be fetched there. From a network
> trace i can't see any HTTP-traffic for checking.


Are you looking at this from the iMangler server itself or from your workstation?

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com


Re: validate Certificate in iManager:'Invalid: CRL Decode Error'


THANKS:

My first impulse was: hm? I traced from the server I was connected to
(iManager). I know that checking an LDAP CDP is done from that
server.
On second thought I started a trace on my workstation.

>> HTTP-CDP-checking is done locally, while LDAP is done on the server!


Anyhow: when validating a certificate the problem was: HTTP Error 400.
The request hostname is invalid.
Looking at the URL used for checking I saw: http://crl.mydomain.local
80/Certs/metadir.crl (what's a space supposed to do in there?)

Testing with a browser using the <host>:<port> notation, the HTTP
request (in case of port 80) strips that out entirely.
But in iManager > Configure Certificate Server you can't set an HTTP CDP
without a port number. So I needed to modify the attribute
ndspkiDistributionPoints via LDAP to get rid of the :80 in the URL.
Newly created certificates can be validated (again) in iManager
afterwards.

In short:
If CDP checking is to work in iManager using HTTP CDPs, one needs to
remove ':<port>' from the attribute ndspkiDistributionPoints.


florian


--
florianz
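The fix florian describes (strip ':<port>' from the HTTP entries in ndspkiDistributionPoints, then regenerate the certificates) can be scripted instead of edited by hand. The following is an added example, not code from this thread or from NetIQ: it rewrites a list of CDP URLs, touching only http/https URLs that carry their scheme's default port (80/443), leaves LDAP URLs and non-default ports alone, and emits an LDIF modify that ldapmodify can apply. The DN of the CRL configuration object, the file name and the sample attribute values are constructed placeholders; check the real DN in iManager before applying anything.

```python
"""Strip default ports from eDirectory HTTP CDP URLs and emit an LDIF modify.

Added example for the workaround described in the thread; not NetIQ code.
The DN and the sample values below are constructed placeholders.
"""
import base64
from urllib.parse import urlsplit, urlunsplit

# Ports a client may omit (RFC 3986 3.2.3); only these are ever removed.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Placeholder DN of the CRL configuration object (verify in iManager).
CRL_CONFIG_DN = "cn=One - Configuration,cn=CRL Container,cn=Security"

# Constructed sample of what ndspkiDistributionPoints might hold,
# modelled on the URL quoted in the thread.
SAMPLE_CDPS = [
    "http://crl.mydomain.local:80/Certs/metadir.crl",
    "https://crl.mydomain.local:443/Certs/metadir.crl",
    "http://crl.mydomain.local:8080/Certs/metadir.crl",   # real port, keep
    "ldap://ldap.mydomain.local:389/cn=One%20-%20Configuration,"
    "cn=CRL%20Container,cn=Security?certificateRevocationList",
]


def strip_default_port(url: str) -> str:
    """Return url without an explicit default port.

    'http://host:80/x.crl' -> 'http://host/x.crl'; anything that is not
    http/https, has no port, or uses a non-default port comes back as-is.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return url
    try:
        port = parts.port            # None when no port is present
    except ValueError:
        return url                   # unparsable port: do not touch it
    if port != DEFAULT_PORTS[scheme]:
        return url
    suffix = f":{port}"
    if not parts.netloc.endswith(suffix):
        return url
    # Cut the suffix off netloc directly so host case and any userinfo
    # (and IPv6 brackets) survive untouched.
    netloc = parts.netloc[: -len(suffix)]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query,
                       parts.fragment))


def normalise_cdps(values):
    """Apply strip_default_port to every value, preserving order."""
    return [strip_default_port(v) for v in values]


def _ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64-encode values RFC 2849 calls unsafe."""
    safe = (value.isascii() and value and value[0] not in " :<"
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def build_ldif(dn: str, values) -> str:
    """LDIF 'changetype: modify / replace' for ndspkiDistributionPoints."""
    lines = [f"dn: {dn}", "changetype: modify",
             "replace: ndspkiDistributionPoints"]
    lines += [_ldif_line("ndspkiDistributionPoints", v) for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Writes the LDIF to stdout; redirect it to a file for ldapmodify.
    print(build_ldif(CRL_CONFIG_DN, normalise_cdps(SAMPLE_CDPS)), end="")
```

Apply the output with OpenLDAP's client, e.g. `ldapmodify -H ldaps://<server>:636 -D <admin DN> -W -f cdp.ldif` (placeholders), then regenerate the certificates as described above: existing certificates keep the CDP extension they were issued with, so only newly created ones pick up the corrected URL.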

Re: validate Certificate in iManager:'Invalid: CRL Decode Error'


After a few tests with NetIQ support it looks as if this problem was not
reproducible for them and thus seems to be caused by something local in
our infrastructure(s) (tested a few things, proxy server and such, ...).
Tested different versions of pki.npm as well. For NetIQ support no
problem was reproducible in validating CDPs with :<port> in them. For me
it was.


--
florianz