EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Certificate Generation and IIS client certificate revocation check

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
Posted: 08/03/2006 17:13:25
by Andrei Johann (Basic support level)
Joined: 07/20/2006
Posts: 12

First, excuses for my English, i am not a native speaker ;-)) … here we go …

I have developed a Web Service and configure it (IIS 6.0) to require SSL and a Client Certificate to be accessed.

I've generated three certificates (a chain) with ELDOS SecureBlackBox, in order to reproduce the process of web authentication with certificates.

It was generated a root self-signed CA certificate (CN = AC RAIZ NOVO), an intermediate CA certificate (CN = AC INTERMEDIARIA NOVO) signed with the root certificate and an End Entity certificate (CN = ANDREI NOVO:77777777777777) signed with the intermediate certificate. (The generated certificates are attached to the .zip file)

I'm testing this functionality of SecureBlackBox using the evalution version for .NET Framework 1.1 and 2.0 released at 07/20/2006

I've installed the chain in the Local Computer STORE on the Web Server executing the Web Service, so I would be able to present my client certificate (CN = ANDREI NOVO:77777777777777) to establish the trust connection …

I've have also created the CRL files issued (signed) by the CAs (CN = AC RAIZ NOVO and CN = AC INTERMEDIARIA NOVO) certificates, using SBCRL.TelCertificateRevocationList object, and made them available at the address configured on the CRLDistributionPoints extensions of the certificates … The client End Entity certificate (CN = ANDREI NOVO:77777777777777, Serial Number = 33 33) was added to the CA (CN = AC INTERMEDIARIA NOVO) CRL file.

Because the client certificate (CN = ANDREI NOVO:77777777777777) is present in the certification revocation list issued by its issuer (CN = AC INTERMEDIARIA NOVO), and this crl is pointed at the CRLDistributionPoints certificate extension, it was expected to be refused when it tries to access the resource, but it does not happens. This behavior occurs only with the certificates I have generated with SecureBlackBox SBX509.TElX509Certificate object.

With others client certificates (REVOKED), the IIS Service blocks the access to the resource (Web Service) …

I have tried besides, do not publish any crl file at the address configured at the CRLDistributionPoints certificate extension, to see if the IIS Service blocks this certificate, but I did not have success.

Both situations, it was expected to receive the HTTP 403.13 - Forbidden: Client certificate revoked , but the access to the Web Service is granted.

Maybe, I am generating the Certificate or CRL in an incorrect format, I don't know ..

The IIS Web Server, where the accessed Web Service is hosted, is configured to check the CRL (Certification Revocation List) and it really does with other certificates (not generated with SecureBlackBox) …

If somebody could help me solve this problem I would be very thankful …

See attachments …

[ Download ]
Posted: 08/03/2006 22:43:42
by Ken Ivanov (EldoS Corp.)

Unfortunately, I got no any idea why this could happen. I checked your certificates and CRLs and they proved to be correct.

Actually, you can try to check if IIS performs CRL requests during client connection. If it does, then most likely it is confused by something stored in the CRL. If no, then IIS is unable to extract CRL URI from the certificate.

It would be excellent if you provide us another certificate chain (of course, without private keys) and CRLs that work in your conditions, so that we could compare the corresponding certificates and CRLs. You can use our helpdesk system (http://www.eldos.com/support/ticket_list.php) to post the files.

We will also try to reproduce the issue in our conditions after setting up IIS6.
Posted: 08/04/2006 09:41:03
by Andrei Johann (Basic support level)
Joined: 07/20/2006
Posts: 12

Hi Innokentiy Ivanov !

First, thanks for your help !

Here, we are trying to check if IIS service performs CRL request during client connection.
I'll send you a feedback soon ..

I've sent you, using your helpdesk system, another certificate chain generated by another partner company for testing purpose that IIS blocks when I use it to authenticate (CN = JOSE DA SILVA)


Posted: 08/09/2006 14:38:52
by Andrei Johann (Basic support level)
Joined: 07/20/2006
Posts: 12

Hi !

Updating our tests status ...

We check if IIS service performs CRL request during client connection and the tests results was:

- It does not performs CRL request for certificates generated with SBX509.TElX509Certificate object ...
- It performs CRL request for other certificates ...



Topic viewed 4584 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!