16 Replies Latest reply on Jul 27, 2015 10:52 AM by pcoates

    Cannot load CRL for CA ...

      I am having issues with the following 2 CAs and I just can't figure out what the issue is.

      '0e40e6005f5a5eb4a5341f54c6addc35ec158408'

      and

      '24ba6d6c8a5b5837a48db5fae919ea675c94d217'

      I am assuming they are expired, I just don't know which CA they are tied to.  Any help?

        • 1. Re: Cannot load CRL for CA ...
          Jon Scholten

          0e40e6005f5a5eb4a5341f54c6addc35ec158408:

          Subject: OU=DHS CA4, OU=Certification Authorities, OU=Department of Homeland Security, O=U.S. Government, C=US

          Issuer: CN=Common Policy, OU=FBCA, O=U.S. Government, C=us

          - http://pki.dimc.dhs.gov/DHS_CA.crl

          24ba6d6c8a5b5837a48db5fae919ea675c94d217:

          Subject: E=ips@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, S=BARCELONA, C=ES

          Issuer: E=ips@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, S=BARCELONA, C=ES

          - http://www.ipsca.com/crl/ipsservidorescrl.crl

          Found all this using the PolicyViewer (https://community.mcafee.com/docs/DOC-2110) after loading a feedback into it, then searched for the "thumbprint" in the lists section.

          ~Jon

          • 2. Re: Cannot load CRL for CA ...

            I knew that feature in PolicyViewer would come in handy sometime

            • 3. Re: Cannot load CRL for CA ...

              Thanks Jon!

              • 4. Re: Cannot load CRL for CA ...
                Jon Scholten

                For reference here is a screenshot of how I found the problem using the PolicyViewer (THANK YOU ERIK!).

                Opening the feedback:

                [screenshot: open_2012-04-11_111545.png]

                Finding the thumbprint:

                [screenshot: findthumbprint_2012-04-11_110408.png]

                • 5. Re: Cannot load CRL for CA ...
                  karubum

                  Hi!

                  I have WebGateway 7.2.0 and I am getting a warning message:

                  2 of the recently updated CRLs for the certificate chain filter can not be loaded (Origin: Certificate chain filter)

                  In error.log it says:

                  [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA 'IPS Seguridad CA - IPS SERVIDORES' with digest '24ba6d6c8a5b5837a48db5fae919ea675c94d217' ('error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag').

                  This certificate's expiry date is 07.12.2013, which means it is still valid.

                  Why am I getting this warning message?

                  • 6. Re: Cannot load CRL for CA ...
                    asabban

                    Hello,

                    thank you for the information. Can you let me know where you obtained the certificate expiration date from? I have checked the certificate with the SHA1 digest mentioned in your line of logs. According to my information it expired in 2009.

                    Best,

                    Andre

                    • 7. Re: Cannot load CRL for CA ...
                      karubum

                      I am getting this information at my client computer. Every morning when he turns on his PC he gets a Security Warning message which says "The revoked info cannot be taken for this sites certificate. Do you want to continue"

                      [screenshot: certificate_2.PNG]

                      • 8. Re: Cannot load CRL for CA ...
                        asabban

                        Hello,

                        I think I need some more clarification. The error message you posted in the earlier post indicates that MWG is not able to download the CRL list for the "IPS Seguridad CA" Root Certificate Authority. According to my details this has expired a while ago, therefore the CRL list is no longer available, which causes MWG to fail downloading the CRL list.

                        The screenshot above indicates something completely different. The certificate used by the host shown in the screenshot is signed by Comodo, which has nothing to do with the "IPS Seguridad CA" mentioned in the MWG log. These are two completely different certificate authorities.

                        Additionally the screenshot indicates that SSL Scanner on MWG is not in use, because the browser indicates the certificate has been signed by Comodo. With SSL Scanner in place the certificate would be signed by MWG.

                        From my understanding the error message indicated has nothing to do with the issue shown in the screenshot. You could remove the mentioned Root CA from MWG and the message in the log file will disappear. However the error message in the browser will most likely not go away. From what I understand the error message indicates that the browser is not able to check whether the certificate has been revoked and is configured to show a warning if this is the case.

                        Depending on how the browser is configured it is possible that you cannot download the CRL file or make an OCSP request. It could be blocked on a firewall or similar. Please check the browser settings and verify the CRL can be downloaded and/or the browser can make OCSP calls. If you need assistance with that I recommend filing an SR with support.

                        Best,

                        Andre
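An added example (my own, not from the thread or from McAfee) for the 'ASN1_CHECK_TLEN:wrong tag' error in karubum's log: OpenSSL reports it when the bytes handed to its DER parser do not start with the tag it expects, which is exactly what happens when a CRL URL hands back an HTML error page or a PEM text file instead of DER, in line with Andre's point that the CRL is no longer served. This stdlib-only Python script classifies a downloaded CRL file and prints its SHA-1 digest; it assumes MWG's 'digest' is the SHA-1 fingerprint of the CA certificate's DER bytes (the thread's "thumbprint"), and every sample input below is constructed.

```python
import hashlib
from typing import Tuple

# Constructed sample inputs (not real CRLs). DER_LIKE only mimics the outer
# SEQUENCE framing of a DER CertificateList; the other two are what a retired
# CA's CRL URL often hands back instead: an HTML error page or PEM text.
DER_LIKE = b"\x30\x05" + b"\x02\x01\x01\x05\x00"
HTML_PAGE = b"<html><head><title>404 Not Found</title></head></html>"
PEM_TEXT = b"-----BEGIN X509 CRL-----\nMIIB...\n-----END X509 CRL-----\n"


def der_outer_tlv(data: bytes) -> Tuple[int, int, int]:
    """Return (tag, header_len, content_len) of the outermost DER TLV."""
    if len(data) < 2:
        raise ValueError("too short for a DER TLV")
    tag, first = data[0], data[1]
    if first < 0x80:            # short-form length: one byte
        return tag, 2, first
    n = first & 0x7F            # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")


def classify_crl_bytes(data: bytes) -> str:
    """Say why OpenSSL's DER CRL loader would reject these bytes, if at all.
    'wrong tag' means byte 0 is not the expected tag; a CertificateList
    must start with SEQUENCE (0x30)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                    # base64 text: DER loader sees '-'
    try:
        tag, hdr, length = der_outer_tlv(data)
    except ValueError:
        return "garbage"
    if tag != 0x30:
        return "not-der-sequence"       # e.g. HTML: first byte is '<' (0x3C)
    if hdr + length != len(data):
        return "truncated-or-padded"    # download cut short or trailing junk
    return "der-sequence"


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes; assumed to match MWG's logged 'digest'."""
    return hashlib.sha1(der).hexdigest()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HTML_PAGE
    print(classify_crl_bytes(blob), thumbprint(blob))
```

Run it against the file you get from the CRL URL named in the log (for example the ipsca.com one Jon listed); "not-der-sequence" or "pem" means the server is no longer returning a DER CRL, not that the file is corrupt in transit.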

                        • 9. Re: Cannot load CRL for CA ...
                          otruniger

                          In my environment web requests from the Microsoft-CryptoAPI for CRL files cannot authenticate on my MWG. Therefore I need a special rule to allow those.

                          Maybe the situation of karubum is related to this?
