Re: Certificate problem
- From: "Vanguard" <Vangu@xxxxxxxxxx>
- Date: Mon, 13 Jun 2005 04:21:52 -0500
"Merike" <Merike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:130A4E7F-CE48-4994-984A-A18A146FAD37@xxxxxxxxxxxxxxxx
The site I have a problem with is www.ekool.ee. My browser is IE 6 with SP2 and OS XP Professional.
My clock shows the right date and time and the expiration date of
certificate shouldn't matter since it expires in November 2005. The only
error it shows is mentioned above, it even says the certificate is valid.
Adding the site to the trusted sites list didn't help. I viewed the certificate and
it shows that it is issued by KLASS3-SK. Is there a list of trusted
certificate issuers so I can add that one?
Going to www.ekool.ee results in this site forcing a secure connection (i.e., it wants to use SSL for an HTTPS connect). I get "revocation for this certificate is not available". That means IE couldn't contact the CA (certificate authority) listed in the certificate to verify that it has not been revoked. Yes, the content of the certificate is okay because it has not been altered. Even an expired or revoked certificate can be "okay" regarding its content if it has not been modified.
When you visit https://mail.yahoo.com and double-click on the padlock icon in the status bar, the cert details under the CRL Distribution Points show a contact URL at which to check for revocation ("URL=http://crl.verisign.com/RSASecureServer.crl" for Yahoo Mail, which uses Verisign). For your www.ekool.ee site, its CRL is listed as "URL=http://www.sk.ee/crls/klass3/klass3.crl", which isn't reachable, is down, or has an invalid path to the .crl revocation file. Yet I was able to download that .crl file, so I don't know why IE couldn't check it for revocation of the cert used at the www.ekool.ee site. I did see that the cert's serial number for that site and those listed in their .crl revocation list were pretty short at just 4 bytes long (32 bits). The serial number for Yahoo Mail's cert is 16 bytes long (128 bits), as is the cert's serial number for my bank's secured web page, as is PayPal's, eBay's, and several other HTTPS sites that I checked. ekool.ee's serial number is the shortest that I remember seeing, so maybe they aren't valid. Although I glanced at several sites discussing how PKI works, they didn't mention how serial numbers are managed. Could be that is CA dependent (i.e., their choice). However, it looks like ekool.ee is getting their cert from sk.ee and 4 bytes gives them 3,000 times the number of serial numbers as for their population. I did find:
"The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer.
Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conformant CAs MUST NOT use serialNumber values longer than 20 octets. "
But that doesn't specify any minimum length for the serial number. Also note that they are forcing an HTTPS connection and something you have configured in IE prompts that you are trying to make that secured connection but haven't included that site as trusted.
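The revocation check described above, reduced to its core, as an added example (not code from the post or from sk.ee): a stdlib-only DER walker that reads the revokedCertificates list out of a CRL file such as the one behind the CRL Distribution Points URL, reports how many bytes each serial occupies (the 4-byte vs. 16-byte difference noted above), and tests a certificate serial against the list. The CRL bytes are constructed inline with a dummy signature; the hypothetical names `revoked_serials` and `is_revoked` are mine.

```python
"""Extract revoked serials from a DER X.509 CRL (the file behind the CRL Distribution
Points URL) and test a certificate serial against it. Stdlib only; sample CRL is constructed."""

def tlv(tag, value):                                   # DER-encode one TLV
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long length form (>= 128 bytes)
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def integer(i):                                        # DER INTEGER, leading 0x00 keeps it positive
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def der_tlv(data, pos=0):                              # decode one TLV -> (tag, value, next pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long length form
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def der_children(value):                               # yield (tag, value) of each nested TLV
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def revoked_serials(crl_der):
    """Return {serial: encoded length in bytes} from tbsCertList.revokedCertificates."""
    _, cert_list, _ = der_tlv(crl_der)                 # CertificateList
    _, tbs, _ = der_tlv(cert_list)                     # tbsCertList
    fields = list(der_children(tbs))
    idx = (1 if fields[0][0] == 0x02 else 0) + 3       # optional version; signature, issuer, thisUpdate
    if idx < len(fields) and fields[idx][0] in (0x17, 0x18):   # optional nextUpdate
        idx += 1
    if idx >= len(fields) or fields[idx][0] != 0x30:   # no revokedCertificates: nothing revoked
        return {}
    out = {}
    for _, entry in der_children(fields[idx][1]):
        _, serial = next(der_children(entry))          # userCertificate INTEGER is the first field
        out[int.from_bytes(serial, "big")] = len(serial)
    return out

def is_revoked(serial, crl_der):
    return serial in revoked_serials(crl_der)

# Constructed sample CRL: a 4-byte serial like ekool.ee's and a 16-byte one like Yahoo Mail's.
# The signature is a dummy; a real client must verify it with the CA key before trusting the list.
_SHA1_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010105")) + tlv(0x05, b""))
def _utc(s): return tlv(0x17, s.encode())              # UTCTime
_entries = b"".join(tlv(0x30, integer(s) + _utc("050601000000Z"))
                    for s in (0x1A2B3C4D, 0x0F3E2D1C0B0A09080706050403020100))
_tbs = tlv(0x30, integer(1) + _SHA1_RSA + tlv(0x30, b"") + _utc("050601000000Z")
           + _utc("050701000000Z") + tlv(0x30, _entries))
SAMPLE_CRL = tlv(0x30, _tbs + _SHA1_RSA + tlv(0x03, b"\x00" * 9))
```

Running `revoked_serials(SAMPLE_CRL)` on a CRL you downloaded yourself (`open(path, "rb").read()`) works the same way, provided the file is DER rather than PEM.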