Problems with cert validation via CRL
David Gray
deg at davidegray.com
Tue Feb 21 13:20:29 CET 2017
Thank you for your response! I do have the trustlist.txt file on both computers - it was automatically populated with the root cert by pinentry when I imported my certificate on both machines, and it includes the "relax" keyword on both computers. There are 3 certs total in my hierarchy - root, intermediate, and mine. I've added the fingerprint of the intermediate and even my own cert to trustlist.txt to see if that would make a difference, but it didn't change anything.
The --disable-crl-checks option allows me to use the cert for encryption, so I'm pretty sure the problem lies with the crl option...there are two files (in addition to DIR.TXT) that have been populated in crl.d, and if I do a dirmngr --flush they get cleared out and are added back fine the next time I try to validate. The root cert does NOT include a CRL DP, so I've tried turning on the option not to require a crl on trusted certs, but that didn't make a difference.
I'm no expert, but when I look at the debug info (attached to original email), it appears that gpgsm is able to get the crl that my cert points to but it may be having trouble parsing it. The file itself is large, but I don't think that's uncommon, so perhaps there is a problem with the file itself. It's been updated since I started investigating, and the problem persists, so it wasn't a transient problem.
Is there a way to have gpgsm (or dirmngr?) validate that it is able to parse and interpret the CRL (or the associated .db file in crl.d) to see if that is the issue?
I appreciate your help very much. Thanks,
Dave
Sent from my Mobile Device
> On Feb 20, 2017, at 9:32 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
>
> Hello,
>
> David Gray <deg at davidegray.com> wrote:
>> At the same time, I'm curious as to why the Ubuntu installation is
>> validating the certificate as 'good' while the Windows installation is not -
>> is this just because the Ubuntu installation was able to successfully
>> validate the certificate in the past (presumably when a previous and
>> non-problematic CRL was published)? If the CA publishes an updated CRL that
>> doesn't have issues, will my Windows installation be able to validate the
>> certificate at that point?
>
> Please note that my knowledge of gpgsm and X.509 is pretty much limited.
>
> Do you have .gnupg/trustlist.txt on Ubuntu machine? It can be created
> when you answer dialog of gpgsm by pinentry interaction.
> --
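The message above asks whether gpgsm or dirmngr can confirm that a fetched CRL is actually parseable. What follows is an added example, not code from gpgsm, dirmngr or anyone in this thread: a small stand-alone parser for the DER CertificateList structure of RFC 5280 section 5 that extracts what any validator has to extract (version, signature algorithm, thisUpdate/nextUpdate, revoked serials, extensions and which of them are critical) and raises ValueError at the first malformed element instead of guessing. It does not verify the CRL signature, so it checks structure and currency only. The sample CRL it builds for offline runs is constructed here, with a made-up issuer name, made-up serial numbers and dummy signature bytes.

```python
"""Structural check of a DER-encoded X.509 CRL (RFC 5280 CertificateList). Added example,
not gpgsm/dirmngr code: walks the structure a validator must read; does NOT verify the signature."""
import datetime

def _tlv(buf, off):
    """Decode the DER TLV at buf[off]; return (tag, value, offset_after)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError(f"length {length} at offset {off} runs past end of data")
    return tag, buf[off:end], end

def _children(value):
    off = 0                                # yield (tag, value) of each TLV in a constructed value
    while off < len(value):
        tag, val, off = _tlv(value, off)
        yield tag, val

def _time(tag, val):                       # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)

def _oid(val):                             # OBJECT IDENTIFIER content octets -> dotted string
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_crl(der, now=None):
    """Parse a DER CRL into a dict; raise ValueError if it is not well-formed."""
    try:
        return _parse_crl(der, now or datetime.datetime.now(datetime.timezone.utc))
    except (IndexError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed CRL: {exc!r}") from None

def _parse_crl(der, now):
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE (wrong tag or trailing data)")
    parts = list(_children(body))
    if [t for t, _ in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("expected tbsCertList, signatureAlgorithm, signatureValue")
    f = list(_children(parts[0][1]))       # tbsCertList fields, in order
    i, version = 0, 1
    if f[0][0] == 0x02:                    # optional version INTEGER (1 means v2)
        version, i = int.from_bytes(f[0][1], "big") + 1, 1
    sig_alg = _oid(next(_children(f[i][1]))[1])
    i += 2                                 # skip signature AlgorithmIdentifier and issuer Name
    this_update = _time(*f[i]); i += 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update = _time(*f[i]); i += 1
    revoked = {}
    if i < len(f) and f[i][0] == 0x30:     # revokedCertificates: SEQUENCE OF {serial, date, ...}
        for _, entry in _children(f[i][1]):
            e = list(_children(entry))
            revoked[int.from_bytes(e[0][1], "big")] = _time(*e[1])
        i += 1
    extensions, critical = [], []
    if i < len(f) and f[i][0] == 0xA0:     # [0] EXPLICIT crlExtensions
        for _, ext in _children(next(_children(f[i][1]))[1]):
            e = list(_children(ext))
            extensions.append(_oid(e[0][1]))
            if len(e) == 3 and e[1][1] != b"\x00":   # critical BOOLEAN DEFAULT FALSE
                critical.append(extensions[-1])
        i += 1
    if i != len(f):
        raise ValueError(f"unexpected field tag 0x{f[i][0]:02x} in tbsCertList")
    return {"version": version, "signature_algorithm": sig_alg,
            "this_update": this_update, "next_update": next_update,
            "is_current": this_update <= now and (next_update is None or now <= next_update),
            "revoked": revoked, "extensions": extensions, "critical_extensions": critical}

# --- constructed sample CRL for offline runs: made-up issuer and serials, dummy signature ---
def _enc(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _enc_int(n):
    return _enc(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_crl(this_update=b"170220120000Z", next_update=b"170320120000Z", serials=(0x1001, 0x1002)):
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))  # sha256WithRSA
    issuer = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x0C, b"Sample CA"))))
    entries = b"".join(_enc(0x30, _enc_int(s) + _enc(0x17, b"170210090000Z")) for s in serials)
    crl_number = _enc(0x30, _enc(0x06, bytes.fromhex("551d14")) + _enc(0x04, _enc_int(42)))   # id-ce-cRLNumber
    tbs = _enc(0x30, _enc_int(1) + alg + issuer + _enc(0x17, this_update) + _enc(0x17, next_update)
               + _enc(0x30, entries) + _enc(0xA0, _enc(0x30, crl_number)))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" + b"\xAB" * 32))   # BIT STRING holding dummy signature
```

To run it against the real CRL: take the URL from the crlDP line that `gpgsm --dump-cert` prints for the certificate, download it with curl, and hand the DER file to parse_crl (for instance `python3 -c 'import sys, crlcheck; print(crlcheck.parse_crl(open(sys.argv[1], "rb").read()))' crl.der`, assuming the block was saved as crlcheck.py). If the download turns out to be PEM (it starts with -----BEGIN X509 CRL-----), convert it first with `openssl crl -inform PEM -outform DER`; `openssl crl -inform DER -noout -text -in crl.der` gives an independent second opinion on the same file, and `dirmngr --list-crls` shows what the cache in crl.d actually holds. Two things worth looking at in the output: whether nextUpdate is already in the past, and whether the CRL carries a critical extension, since RFC 5280 section 5.2 says a validator must not use a CRL whose critical extensions it cannot process.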