Problems with cert validation via CRL

David Gray deg at davidegray.com
Mon Feb 20 14:51:06 CET 2017


Hello - new user here; this may be an obvious question but I haven't been
able to find the answer.  Ultimately, this may just highlight some of the
problems inherent in a hierarchical trust model.


I've got a free X.509 email certificate generated by Comodo.


I've got Ubuntu 16.04 LTS running a clean install, with gpg and gpgsm 2.1.11
installed.  I imported my certificate into my keychain using gpgsm a day or
two ago, and everything is working as expected - the certificate is
successfully validated, and I'm able to encrypt files using the public key
of this certificate, and decrypt them using the private key.  


I've also got a Windows 10 machine - this computer had GPG4Win installed for
some time, but I've since uninstalled that, and removed all configuration
directories/files I could find.  I've installed GnuPG binary version 2.1.11,
and I've been able to successfully import my certificate into my keychain
this morning, and everything seems to work as expected - but the certificate
is not successfully validated under Windows.  As a result, I'm not able to
encrypt anything using the public key of this certificate.


I'm trying to figure out what is going on - it appears that there is a problem
validating the CRL available at the DP listed in my certificate regardless
of whether I run the fetch-url from Ubuntu or Windows - both output files
are attached.  Does this suggest a problem with the CRL that the CA has
published, or do I have something I need to adjust in my configs somewhere?


At the same time, I'm curious as to why the Ubuntu installation is
validating the certificate as 'good' while the Windows installation is not -
is this just because the Ubuntu installation was able to successfully
validate the certificate in the past (presumably when a previous and
non-problematic CRL was published)?  If the CA publishes an updated CRL that
doesn't have issues, will my Windows installation be able to validate the
certificate at that point?


I've replaced all the email addresses in the attached files with
'user at domain.com'.


I appreciate any assistance you might be able to provide.  Thank you,


Dave


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ubuntu-dimngr-fetchcrl-debugall.txt
URL: </pipermail/attachments/20170220/39c2c2bb/attachment-0004.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ubuntu-listkeys-with-validation-debugall.txt
URL: </pipermail/attachments/20170220/39c2c2bb/attachment-0005.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: windows-dirmngr-fetchcrl-debugall.txt
URL: </pipermail/attachments/20170220/39c2c2bb/attachment-0006.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: windows-listkeys-withvalidation-debugall.txt
URL: </pipermail/attachments/20170220/39c2c2bb/attachment-0007.txt>
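The question above hinges on what "the CRL fails to validate" can mean to a CRL-checking validator, and why a machine that checked the certificate earlier may still report it as good. The script below is an added example, not part of the original post and not GnuPG or dirmngr code: it uses the OpenSSL command line in place of dirmngr to build a throwaway CA, issue one end-entity certificate, and then verify that certificate against three CRLs: a fresh one, one whose nextUpdate has already passed, and one that lists the certificate as revoked. Every name, path, lifetime and key size in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from GnuPG: a throwaway CA,
# one end-entity certificate, and three CRLs checked with the OpenSSL CLI
# instead of dirmngr.  Every name, path and lifetime below is constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal configuration for 'openssl req' and 'openssl ca' (constructed).
cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 7
x509_extensions  = usr_cert
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
: > index.txt
echo 1000 > serial
echo 01 > crlnumber

# Issuing CA and one end-entity certificate (constructed 2048-bit RSA keys).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=user" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -days 30 -in leaf.csr -out leaf.crt 2>/dev/null

# CRL 1: fresh, nextUpdate seven days out (default_crl_days above).
openssl ca -config ca.cnf -gencrl -out fresh.crl 2>/dev/null
# CRL 2: nextUpdate one second from now; after the sleep it is stale.
openssl ca -config ca.cnf -gencrl -crlsec 1 -out stale.crl 2>/dev/null
sleep 2
# CRL 3: the leaf is revoked and a new CRL is published.
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null

# Print a CRL's validity window.  A cached copy is usable only until nextUpdate.
crl_window() {
  openssl crl -in "$1" -noout -lastupdate -nextupdate
}

# Verify a certificate against the CA with mandatory CRL checking.
# Returns 0 when chain and CRL are acceptable, 1 otherwise; the reason
# OpenSSL gives (CRL has expired, certificate revoked) is echoed to stderr.
verify_with_crl() {
  cert=$1; crl=$2
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$crl" "$cert" >/dev/null 2>verify.err; then
    return 0
  fi
  grep 'depth lookup' verify.err >&2 || true
  return 1
}

# Run the three cases and report what a validator would conclude from each.
demo() {
  crl_window fresh.crl
  verify_with_crl leaf.crt fresh.crl   && echo "fresh CRL:   leaf.crt OK"
  verify_with_crl leaf.crt stale.crl   || echo "stale CRL:   leaf.crt rejected (nextUpdate passed)"
  verify_with_crl leaf.crt revoked.crl || echo "revoked CRL: leaf.crt rejected (serial is on the list)"
}

demo
```

The second case is the one that separates the two installations described in the post: a CRL copy that is still inside its lastUpdate/nextUpdate window is accepted even if a fresh download from the distribution point currently fails, while a copy past nextUpdate is rejected no matter how good its signature is. Comparing the `nextUpdate` printed by `crl_window` against the clock on each machine, and against the timestamps in the attached dirmngr logs, is the first check to make before blaming the CA's published CRL.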