mje28
Level 7
Message 1 of 17

Cannot load CRL for CA ...


I am having issues with the following 2 CAs and I just can't figure out what the issue is. 

'0e40e6005f5a5eb4a5341f54c6addc35ec158408'

and

'24ba6d6c8a5b5837a48db5fae919ea675c94d217'

I am assuming they are expired, I just don't know which CA they are tied to.  Any help?

Accepted Solution

jscholte
McAfee Employee
Message 2 of 17

Re: Cannot load CRL for CA ...


0e40e6005f5a5eb4a5341f54c6addc35ec158408:

Subject: OU=DHS CA4, OU=Certification Authorities, OU=Department of Homeland Security, O=U.S. Government, C=US

Issuer: CN=Common Policy, OU=FBCA, O=U.S. Government, C=us

- http://pki.dimc.dhs.gov/DHS_CA.crl

24ba6d6c8a5b5837a48db5fae919ea675c94d217:

Subject: E=ips@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, S=BARCELONA, C=ES

Issuer: E=ips@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, S=BARCELONA, C=ES

- http://www.ipsca.com/crl/ipsservidorescrl.crl

Found all this using the PolicyViewer (https://community.mcafee.com/docs/DOC-2110) after loading a feedback into it, then searched for the "thumbprint" in the lists section.

~Jon

16 Replies
eelsasser
Level 15
Message 3 of 17

Re: Cannot load CRL for CA ...


I knew that feature in policyViewer would come in handy sometime

mje28
Level 7
Message 4 of 17

Re: Cannot load CRL for CA ...


Thanks Jon!

jscholte
McAfee Employee
Message 5 of 17

Re: Cannot load CRL for CA ...


For reference here is a screenshot of how I found the problem using the PolicyViewer (THANK YOU ERIK!).

Opening the feedback: [screenshot: open_2012-04-11_111545.png]

Finding the thumbprint: [screenshot: findthumbprint_2012-04-11_110408.png]

karubum
Level 7
Message 6 of 17

Re: Cannot load CRL for CA ...


Hi!

I have WebGateway 7.2.0 and I am getting a warning message as follows:

2 of the recently updated CRLs for the certificate chain filter can not be loaded (Origin: Certificate chain filter)

At error.log it says:

[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA 'IPS Seguridad CA - IPS SERVIDORES' with digest '24ba6d6c8a5b5837a48db5fae919ea675c94d217' ('error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag').

This certificate's expiry date is 07.12.2013, which means it is still valid.

Why am I getting this warning message?

asabban
Reliable Contributor
Message 7 of 17

Re: Cannot load CRL for CA ...


Hello,

thank you for the information. Can you let me know where you obtained the certificate expiration date from? I have checked the certificate with the SHA1 digest mentioned in your line of logs. According to my information it expired in 2009.

Best,

Andre

karubum
Level 7
Message 8 of 17

Re: Cannot load CRL for CA ...


I am getting this information at my client computer. Every morning when he turns on his PC he gets a Security Warning message which says "The revoked info cannot be taken for this site's certificate. Do you want to continue".

[screenshot: certificate_2.PNG]

asabban
Reliable Contributor
Message 9 of 17

Re: Cannot load CRL for CA ...


Hello,

I think I need some more clarification. The error message you posted in the earlier post indicates that MWG is not able to download the CRL list for the "IPS Seguridad CA" Root Certificate Authority. According to my details this expired a while ago, therefore the CRL list is no longer available, which causes MWG to fail downloading the CRL list.

The screenshot above indicates something completely different. The certificate used by the host shown in the screenshot is signed by Comodo, which has nothing to do with the "IPS Seguridad CA" mentioned in the MWG log. These are two completely different certificate authorities.

Additionally the screenshot indicates that SSL Scanner on MWG is not in use, because the browser indicates the certificate has been signed by Comodo. With SSL Scanner in place the certificate would be signed by MWG.

From my understanding the error message indicated has nothing to do with the issue shown in the screenshot. You could remove the mentioned Root CA from MWG and the message in the log file will disappear. However the error message in the browser will most likely not go away. From what I understand the error message indicates that the browser is not able to check whether the certificate has been revoked and is configured to show a warning if this is the case.

Depending on how the browser is configured it is possible that you cannot download the CRL file or make an OCSP request. It could be blocked on a firewall or similar. Please check the browser settings and verify the CRL can be downloaded and/or the browser can make OCSP calls. If you need assistance with that I recommend filing an SR with support.

Best,

Andre
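As an added illustration (not code from this thread, from McAfee, or from the PolicyViewer), the Python below parses the error.log line format karubum quoted, checks whether a fetched CRL body is even a DER structure (the "wrong tag" case), and labels each digest either as an expired CA to remove from the list, as Andre suggests, or as a CRL fetch to investigate. The digest-to-expiry map is assumed to be built from the PolicyViewer CA list; the sample log line is karubum's, and the dates and map are constructed.

```python
import re

# Pattern for the MWG error.log line quoted in this thread:
# [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA '<name>' with digest '<sha1>' ('<reason>').
LOG_RE = re.compile(
    r"\[CertificateFilterPlugin\] \[CannotLoadCRL\] Cannot load CRL of CA "
    r"'(?P<ca>[^']*)' with digest '(?P<digest>[0-9a-fA-F]{40})' \('(?P<reason>[^']*)'\)"
)

# The log line karubum posted, used here as sample input.
SAMPLE_LOG_LINE = ("[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA 'IPS Seguridad CA - IPS SERVIDORES' "
                   "with digest '24ba6d6c8a5b5837a48db5fae919ea675c94d217' "
                   "('error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag').")

def parse_cannot_load_crl(line):
    """Return (ca_name, sha1_digest, openssl_reason) for a CannotLoadCRL line, else None."""
    m = LOG_RE.search(line)
    return (m.group("ca"), m.group("digest").lower(), m.group("reason")) if m else None

def looks_like_der(data):
    """True if data is one definite-length DER SEQUENCE (tag 0x30) sized to the buffer.
    A CRL is; an HTML error page from a dead CRL URL is not ('ASN1_CHECK_TLEN:wrong tag')."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        length, header = first, 2
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return len(data) == header + length

def triage(log_lines, ca_not_after, today):
    """Give each CannotLoadCRL entry a disposition. ca_not_after maps sha1 digest ->
    notAfter 'YYYY-MM-DD' (ISO dates compare as strings), e.g. from the PolicyViewer
    CA list (assumed). Expired CA: stale list entry to remove. Otherwise the fetch
    itself needs checking (proxy auth, firewall, non-DER response)."""
    results = []
    for line in log_lines:
        parsed = parse_cannot_load_crl(line)
        if parsed is None:
            continue
        ca, digest, reason = parsed
        not_after = ca_not_after.get(digest)
        disposition = ("expired-ca: remove from CA list"
                       if not_after is not None and not_after < today else "check-crl-fetch")
        results.append({"ca": ca, "digest": digest, "reason": reason, "disposition": disposition})
    return results
```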

Re: Cannot load CRL for CA ...


In my environment web requests from the Microsoft-CryptoAPI for CRL files cannot authenticate on my MWG. Therefore I need a special rule to allow those.

Maybe the situation of karubum is related to this?