EldoS | Feel safer!


Passing the CRL to TElX509CertificateValidator

Posted: 12/05/2012 02:59:24
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

Hello. I am trying to validate a certificate with your sample PKIBlackbox\CertValidator. When I mark these four checks:

- Check CRL
- Check validity period for trusted
- Complete chain validation for trusted
- Mandatory CRL check

at the same time, the log tells me that the certificate is invalid, because the CRL was not verified. I guess that the CRL is missing and I wonder how I should pass it to the TElX509CertificateValidator, so I can get a valid response for my certificate when I check the CRL. That is the point: how should I pass the CRL?

Thank you very much!
Posted: 12/05/2012 03:58:40
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

Could you post the validator's log here?

Also please refer to this article for details: http://www.eldos.com/security/articles/7545.php
Posted: 12/05/2012 04:15:41
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

This is the log with the following options checked:
Check CRL
Check OCSP
Check validity period for trusted
Complete chain validation for trusted
Ignore CA key usage
Mandatory CRL check
Mandatory OCSP check
Mandatory revocation check
Use system storages

05/12/2012 11:12:52 BeforeCertificateValidation:
05/12/2012 11:12:52 BeforeCRLRetrieverUse:
05/12/2012 11:12:52 AfterCertificateValidation:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, storage=MY, root CN=, validity=invalid, reason=CRL not verified

05/12/2012 11:12:52 RESULT:
CN=NOMNOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, validity=invalid, reason=CRL not verified
Posted: 12/05/2012 04:21:55
by Vsevolod Ievgiienko (Team)

You should try to set "Mandatory CRL check" to false. Your certificate contains an LDAP distribution point (location=,, Clase 2 CA) that is local, and that's why our component fails to download it. When "Mandatory CRL check" is off, the component will try all CRL distribution points included in the certificate, and it's possible that one of them will be a correct one.

If this doesn't help then you can pass a CRL manually using TElX509CertificateValidator.AddKnownCRLs method.
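To make the two suggestions above concrete (turning the mandatory CRL check off so that unreachable distribution points are skipped, and supplying a CRL manually when none can be downloaded), here is an added Python model of the revocation decision. It is constructed for this thread and is not SecureBlackbox code: the class and method names, the issuer name, the URLs and the serial numbers are hypothetical. It assumes that a CRL supplied by hand is consulted before any distribution point is fetched, that the retriever supports only http(s) URLs, and that under the mandatory setting the first distribution point that cannot be retrieved makes the certificate invalid, which is the behaviour the thread describes.

```python
"""Model of a certificate validator's CRL check with mandatory/optional
semantics and a manually supplied ("known") CRL.  Constructed example for
this thread; names, URLs and serials are hypothetical, not SecureBlackbox's."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2012, 12, 5, 11, 12, 52, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    crl_distribution_points: tuple


class CRLNotVerified(Exception):
    """Raised when a distribution point cannot be retrieved under the mandatory setting."""


def fetch_crl(url, reachable):
    """Stand-in for the network retriever: only http(s) points are supported,
    and 'reachable' maps the URLs that would answer to the CRL they serve."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return None  # ldap:// and other schemes: not retrievable here
    return reachable.get(url)


class Validator:
    def __init__(self, mandatory_crl_check, reachable=None):
        self.mandatory = mandatory_crl_check
        self.reachable = reachable or {}
        self.known_crls = []

    def add_known_crls(self, *crls):
        """Analogue of handing CRLs to the validator by hand."""
        self.known_crls.extend(crls)

    def _usable(self, cert, crls):
        # A CRL is usable only if it comes from the certificate's issuer and
        # is current at validation time.
        return [c for c in crls
                if c.issuer == cert.issuer and c.this_update <= NOW < c.next_update]

    def _collect(self, cert):
        known = self._usable(cert, self.known_crls)
        if known:
            return known  # assumption: known CRLs are consulted before fetching
        fetched = []
        for url in cert.crl_distribution_points:
            crl = fetch_crl(url, self.reachable)
            if crl is None:
                if self.mandatory:
                    raise CRLNotVerified(url)  # mandatory: first failure is fatal
                continue  # optional: skip this point and try the next one
            fetched.append(crl)
        return self._usable(cert, fetched)

    def validate(self, cert):
        """Return (validity, reason) in the spirit of the sample's log lines."""
        try:
            crls = self._collect(cert)
        except CRLNotVerified as exc:
            return ("invalid", f"CRL not verified: could not retrieve {exc}")
        if not crls:
            return ("invalid", "CRL not verified: no usable CRL")
        if any(cert.serial in c.revoked_serials for c in crls):
            return ("invalid", "certificate revoked")
        return ("valid", "CRL verified")


# Constructed sample data.
ISSUER = "CN=Clase 2 CA (constructed)"
LDAP_DP = "ldap://ca.example.test/CN=Clase%202%20CA?certificateRevocationList"
HTTP_DP = "http://crl.example.test/clase2.crl"
FRESH_CRL = CRL(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6), frozenset({0x1001}))
STALE_CRL = CRL(ISSUER, NOW - timedelta(days=30), NOW - timedelta(days=20), frozenset())
REACHABLE = {HTTP_DP: FRESH_CRL}


def make_cert(serial, *distribution_points):
    return Certificate("CN=NOMBRE (constructed)", ISSUER, serial, tuple(distribution_points))


if __name__ == "__main__":
    v = Validator(mandatory_crl_check=True, reachable=REACHABLE)
    print(v.validate(make_cert(0x2002, LDAP_DP)))       # LDAP-only point, mandatory: invalid
    v.add_known_crls(FRESH_CRL)
    print(v.validate(make_cert(0x2002, LDAP_DP)))       # same cert, CRL supplied by hand: valid
```

The four cases worth comparing are: an LDAP-only distribution point with the mandatory check on (fails, as in the log), the same certificate with a second http point and the mandatory check off (the reachable point is used), the LDAP-only certificate with the CRL supplied by hand (valid, or revoked if its serial is listed), and a supplied CRL that is already past its next update (ignored, so the check still fails).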



As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.