I am seeing the following in the mgw-core.errors log:
[2012-08-14 19:18:49.618 -07:00] [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA 'GlobalSign - GlobalSign' with digest '31c069f477c7dce325b828886efda03f4008bf85' ('error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01').
and I'm getting the following emailed to me:
Update Event triggered :1 of the recently updated CRLs for the certificate chain filter can not be loaded; origin:Certificate chain filter; severity:4
What do I need to do to correct these errors? Any help is appreciated!
I have the same problem on all my installations.
Yesterday I created a support ticket about this error.
Let's see what I'm getting back.
Do you see this always or does it happen from time to time? It looks like MWG was not able to download a CRL for one of the Root CAs which are used to verify server certificates. MWG contacts each of the known Root CAs and downloads the CRL from there. Because there are a lot of CRLs that are updated, it may happen from time to time that one of their servers is not available, which causes such a message.
If this only happens from time to time there is no need to worry. If it happens all the time it would be interesting to investigate. Please ensure that the CA is always the same (in the example above it is "GlobalSign - GlobalSign"). If the name or digest is different you are most likely seeing a different problem. You could look up the CA in the configuration of your MWG and validate the CRL URL is set to "http://crl.globalsign.net/root-r2.crl". If you simply want to remove the warnings you could remove the URL completely. This will prevent MWG from downloading the CRL updates, which is most likely not what you want to do.
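One way to check whether it is always the same CA and digest, and on how many days it fails, is to group the CannotLoadCRL entries from mgw-core.errors. This is an added example, not part of the thread and not McAfee code; the three-day "persistent" threshold is an assumption, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Line layout copied from the mgw-core.errors entry quoted in the thread.
CRL_ERROR = re.compile(
    r"^\[(?P<day>\d{4}-\d{2}-\d{2}) [^\]]*\] \[CertificateFilterPlugin\] "
    r"\[CannotLoadCRL\] Cannot load CRL of CA '(?P<ca>.*?)' "
    r"with digest '(?P<digest>[0-9a-fA-F]+)' \('(?P<detail>.*)'\)\.?\s*$"
)

def summarize(lines):
    """Group CannotLoadCRL entries by (CA name, digest)."""
    seen = defaultdict(lambda: {"count": 0, "days": set(), "details": set()})
    for line in lines:
        m = CRL_ERROR.match(line.strip())
        if m is None:
            continue  # other plugins or other error types
        entry = seen[(m["ca"], m["digest"].lower())]
        entry["count"] += 1
        entry["days"].add(m["day"])
        entry["details"].add(m["detail"])
    return dict(seen)

def classify(summary, min_days=3):
    """Assumed rule: failures on >= min_days distinct days are 'persistent'."""
    return {key: "persistent" if len(e["days"]) >= min_days else "intermittent"
            for key, e in summary.items()}

PAGE_DETAIL = ("error:0407006A:rsa routines:"
               "RSA_padding_check_PKCS1_type_1:block type is not 01")
GS = ("GlobalSign - GlobalSign", "31c069f477c7dce325b828886efda03f4008bf85")
OTHER = ("Constructed Test CA", "0" * 40)  # made-up CA and digest
LINE = ("[{ts}] [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL "
        "of CA '{ca}' with digest '{dg}' ('{detail}').")

# Constructed sample: only the first entry is the line from the thread.
SAMPLE = [
    LINE.format(ts="2012-08-14 19:18:49.618 -07:00", ca=GS[0], dg=GS[1], detail=PAGE_DETAIL),
    LINE.format(ts="2012-08-15 19:18:50.102 -07:00", ca=GS[0], dg=GS[1], detail=PAGE_DETAIL),
    LINE.format(ts="2012-08-15 19:19:03.771 -07:00", ca=OTHER[0], dg=OTHER[1], detail="constructed detail"),
    LINE.format(ts="2012-08-16 19:18:48.930 -07:00", ca=GS[0], dg=GS[1], detail=PAGE_DETAIL),
    "[2012-08-16 20:00:00.000 -07:00] [OtherPlugin] [Constructed] unrelated line",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for key, verdict in classify(summary).items():
        print(verdict, summary[key]["count"], sorted(summary[key]["days"]), *key)
```

A CA that shows up as persistent with a single, unchanging error detail is the case the reply above says is worth investigating; a one-off entry for a different CA or digest is a separate, likely transient, problem.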
Yes, this CA is expired. You can check the online rule set library for an updated list of Root CAs and a way to have the list automatically maintained.
How were you able to determine which CRL it was? Did you check each one manually?
I wish McAfee had a log for just about every feature the box operates...
MWG 6 had a REALLY, REALLY, SUPER NICE SSL Manager and SSL Incident Manager interface which they REALLY, REALLY need to bring back REALLY, REALLY fast in MWG 7. Please.