Most Recent Certificate Revocation List (CRL) may not be Installed when Multiple CRL exists (Doc ID 1314442.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle iPlanet Web Server - Version: 7.0 and later [Release: 7.0 and later]
Information in this document applies to any platform.

Symptoms

A Certificate Authority (CA) normally generates regular Certificate Revocation List (CRL) files to be installed on the Web Server to revoke invalid certificates. A Certificate Revocation List identifies the certificates or keys that the client or server should no longer trust.

The symptom seen here is that the set of revoked certificates or keys may not be up to date. This is not normally apparent unless a revoked certificate is used to test the web server, which is normally not possible.

Changes

A new CRL associated with a CA can be installed into the Web Server and the Web Server restarted.

When multiple CRL files from the same CA exist, some of them may be old copies, and it is possible that the newer CRL is not loaded or is superseded by the older CRL copies.

The impact of this is that the most recent and up to date revoked certificates and keys may not be used.
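
One way to check a set of CRL files for the situation described above, as an added example that is not Oracle's code: it groups CRLs by issuer, picks the newest by `lastUpdate`, lists the superseded copies, and flags a newest CRL whose `nextUpdate` has passed. The file names, issuer names and dates are constructed, and the parser assumes the text printed by `openssl crl -noout -issuer -lastupdate -nextupdate`.

```python
import subprocess
from datetime import datetime

FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by `openssl crl`

def parse_fields(text):
    """Parse the issuer=/lastUpdate=/nextUpdate= lines printed by openssl."""
    raw = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    nxt = raw.get("nextUpdate", "NONE").strip()  # openssl prints NONE if absent
    return {"issuer": raw["issuer"].strip(),
            "last": datetime.strptime(raw["lastUpdate"].strip(), FMT),
            "next": None if nxt == "NONE" else datetime.strptime(nxt, FMT)}

def read_crl(path):
    """Read one PEM CRL file through the openssl CLI (for use on real files)."""
    cmd = ["openssl", "crl", "-in", path, "-noout",
           "-issuer", "-lastupdate", "-nextupdate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_fields(out)

def audit(crls, now):
    """Group CRLs by issuer; report newest file, superseded copies, expiry."""
    groups = {}
    for name, fields in crls.items():
        groups.setdefault(fields["issuer"], []).append((name, fields))
    report = {}
    for issuer, items in groups.items():
        items.sort(key=lambda it: it[1]["last"], reverse=True)
        name, newest = items[0]
        expired = newest["next"] is not None and newest["next"] < now
        report[issuer] = {"current": name,
                          "stale": sorted(n for n, _ in items[1:]),
                          "expired": expired}
    return report

# Constructed sample openssl output (not from a real CA).
ROOT = "issuer=C = US, O = Example Corp, CN = Example Root CA\n"
SUB = "issuer=C = US, O = Example Corp, CN = Example Issuing CA\n"
SAMPLE = {
    "root-sep.crl": ROOT + "lastUpdate=Sep  5 12:00:00 2016 GMT\n"
                           "nextUpdate=Oct  5 12:00:00 2016 GMT\n",
    "root-nov.crl": ROOT + "lastUpdate=Nov  5 12:00:00 2016 GMT\n"
                           "nextUpdate=Dec  5 12:00:00 2016 GMT\n",
    "sub.crl": SUB + "lastUpdate=Oct 20 08:30:00 2016 GMT\n"
                     "nextUpdate=Oct 27 08:30:00 2016 GMT\n",
}

if __name__ == "__main__":
    parsed = {n: parse_fields(t) for n, t in SAMPLE.items()}
    for issuer, result in audit(parsed, datetime(2016, 11, 10)).items():
        print(issuer, result)
```

This audits only the CRL files it is given; it does not show which CRL the Web Server actually loaded.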

Cause
