CRL checks with gpgsm
timotheus
timotheus at tstotts.net
Fri Jul 27 02:45:30 CEST 2007
timotheus <timotheus at tstotts.net> writes:
> Hi. How do I automate CRL checking with gpgsm? I understand the
> following:
> CRLs are loaded / retrieved by dirmngr
> gpgsm invokes dirmngr, providing some information
> dirmngr could be standalone per user, or system daemon
>
> As user, dirmngr attempts to use the config file:
> ~/.gnupg/dirmngr_ldapservers.conf
>
> What should go into this file? According to other posts, perhaps:
> server:port:::o=organization,c=domain
>
> How do I determine what server(s) should be in this list?
>
> Any assistance would be appreciated. I have gpgsm working for Thawte
> email S/MIME, but requiring the option `disable-crl-checks'.
>
> -timotheus
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
OK. The signing x509 certificate has:
    Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Freemail CA/emailAddress=personal-freemail at thawte.com
    Subject: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Personal Freemail Issuing CA
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 CRL Distribution Points:
            URI:http://crl.thawte.com/ThawtePersonalFreemailCA.crl
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
        X509v3 Subject Alternative Name:
            DirName:/CN=PrivateLabel2-138
The issue is that gpgsm does not appear to handle auto-fetching of
multiple levels of CRLs; or that Thawte did not specify them correctly
within the x509 format.
The freemail certificate requires that
http://crl.thawte.com/ThawtePersonalFreemailCA.crl
be fetched and checked. But also,
http://crl.thawte.com/ThawtePersonalFreemailIssuingCA.crl
must be fetched for the intermediate certificate.
The chain is:
    MY CERTIFICATE HERE.

    Serial number: 3A0D29
           Issuer: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA
          Subject: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA
         validity: 2003-07-17 00:00:00 through 2013-07-16 23:59:59
         key type: 1024 bit RSA
        key usage: certSign crlSign
     chain length: 0
      fingerprint: BC:F0:3A:B1:BD:9A:08:9B:EB:46:8D:AF:99:47:5E:83:18:39:99:0F

    Certified by
    Serial number: 3A
           Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail at thawte.com
          Subject: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail at thawte.com
         validity: 1996-01-01 00:00:00 through 2020-12-31 23:59:59
         key type: 1024 bit RSA
     chain length: unlimited
      fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
With an empty dirmngr cache, I have to manually:

    # wget http://crl.thawte.com/ThawtePersonalFreemailIssuingCA.crl
    # gpgsm --call-dirmngr loadcrl ThawtePersonalFreemailIssuingCA.crl
    # rm -f ThawtePersonalFreemailIssuingCA.crl
And then gpgsm can auto fetch and verify with the other CRL.
Why doesn't gpgsm know to fetch both of these by recursively inspecting
the certificates?
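The two-CRL situation described in this message, as an added example that is not part of the thread or of GnuPG: it constructs a three-level chain shaped like the Thawte one (self-signed root, issuing CA, end-entity), then walks it and collects the CRL Distribution Point URI of every non-root certificate, which is exactly the set of CRLs that has to be in dirmngr's cache before gpgsm can validate the leaf. The CA names and the crl.example.test URIs are constructed placeholders; the script assumes the 'cryptography' package is installed.

```python
# Added example (not from the thread): walk a certificate chain and list every
# CRL that must be fetched, one per issuer, before the leaf can be validated.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

def _make_cert(subject_cn, issuer_cert, issuer_key, crl_uri, is_ca):
    """Issue a constructed certificate; crl_uri goes into its CRL Distribution Points."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert else subject   # self-signed root
    signer = issuer_key if issuer_key else key
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if crl_uri:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_uri)], None, None, None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(signer, hashes.SHA256()), key

def crl_uris_for_chain(chain):
    """Return [(subject, [crl uris]), ...] for every non-root cert in chain, leaf first.
    Each entry is a separate CRL download: the leaf's CRL is issued by the issuing CA,
    the issuing CA's CRL by the root. A self-signed trust anchor is not CRL-checked."""
    needed = []
    for cert in chain:
        if cert.issuer == cert.subject:
            continue
        try:
            ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
        except x509.ExtensionNotFound:
            needed.append((cert.subject.rfc4514_string(), []))  # no DP: cannot auto-fetch
            continue
        uris = [name.value for dp in ext.value for name in (dp.full_name or [])
                if isinstance(name, x509.UniformResourceIdentifier)]
        needed.append((cert.subject.rfc4514_string(), uris))
    return needed

# Constructed chain mirroring the Thawte layout: root CA -> issuing CA -> mail cert.
ROOT_CRL = "http://crl.example.test/RootCA.crl"          # placeholder URI
ISSUING_CRL = "http://crl.example.test/IssuingCA.crl"    # placeholder URI
root, root_key = _make_cert("Example Root CA", None, None, None, True)
issuing, issuing_key = _make_cert("Example Issuing CA", root, root_key, ROOT_CRL, True)
leaf, _ = _make_cert("user@example.test", issuing, issuing_key, ISSUING_CRL, False)
CHAIN = [leaf, issuing, root]
```

Each URI returned corresponds to one `wget` plus `gpgsm --call-dirmngr loadcrl` step of the kind shown above; a chain with more intermediates simply yields more entries.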