Subject:OU=DHS CA4, OU=Certification Authorities, OU=Department of Homeland Security, O=U.S. Government, C=US
Issuer:CN=Common Policy, OU=FBCA, O=U.S. Government, C=us
Subject:Eemail@example.com, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, S=BARCELONA, C=ES
Issuer:Efirstname.lastname@example.org, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, S=BARCELONA, C=ES
Found all this using the PolicyViewer (https://community.mcafee.com/docs/DOC-2110) after loading a feedback into it, then searched for the "thumbprint" in the lists section.
I knew that feature in PolicyViewer would come in handy sometime.
I have WebGateway 7.2.0 and I am getting a warning message:
2 of the recently updated CRLs for the certificate chain filter can not be loaded (Origin: Certificate chain filter)
In error.log it says:
[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA 'IPS Seguridad CA - IPS SERVIDORES' with digest '24ba6d6c8a5b5837a48db5fae919ea675c94d217' ('error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag').
This certificate's expiration date is 07.12.2013, which means it is still valid.
Why am I getting this warning message?
Thank you for the information. Can you let me know where you obtained the certificate expiration date from? I have checked the certificate with the SHA1 digest mentioned in your line of logs. According to my information it expired in 2009.
I think I need some more clarification. The error message you posted in the earlier post indicates that MWG is not able to download the CRL list for the "IPS Seguridad CA" Root Certificate Authority. According to my details this has expired a while ago, therefore the CRL list is no longer available, which causes MWG to fail downloading the CRL list.
The screenshot above indicates something completely different. The certificate used by the host shown in the screenshot is signed by Comodo, which has nothing to do with the "IPS Seguridad CA" mentioned in the MWG log. These are two completely different certificate authorities.
Additionally the screenshot indicates that SSL Scanner on MWG is not in use, because the browser indicates the certificate has been signed by Comodo. With SSL Scanner in place the certificate would be signed by MWG.
From my understanding the error message indicated has nothing to do with the issue shown in the screenshot. You could remove the mentioned Root CA from MWG and the message in the log file will disappear. However the error message in the browser will most likely not go away. From what I understand the error message indicates that the browser is not able to check whether the certificate has been revoked and is configured to show a warning if this is the case.
Depending on how the browser is configured it is possible that you cannot download the CRL file or make an OCSP request. It could be blocked on a firewall or similar. Please check the browser settings and verify the CRL can be downloaded and/or the browser can make OCSP calls. If you need assistance with that I recommend filing an SR with support.
In my environment web requests from the Microsoft-CryptoAPI for CRL files cannot authenticate on my MWG. Therefore I need a special rule to allow those.
Maybe the situation of karubum is related to this?
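One way to act on the advice above to verify that the CRL can actually be downloaded, added here as an example and not part of any post in the thread: classify the bytes returned from a CRL URL before handing them to a parser. It assumes the `wrong tag` error in the log means the ASN.1 decoder was given bytes that are not a DER `CertificateList`, for instance an HTML error or proxy authentication page; the function names and sample payloads are constructed for illustration.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def classify_crl_payload(data):
    """Say what a body fetched from a CRL distribution point looks like."""
    head = data.lstrip()[:64].lower()
    if head.startswith(b"-----begin x509 crl-----"):
        return "pem-crl"                  # valid CRL, but not DER
    if head.startswith((b"<!doctype", b"<html", b"<?xml")):
        return "html-or-xml"              # error page, login page, proxy block
    try:
        tag, start, end = read_tlv(data)
        if tag != 0x30 or end != len(data):
            return "not-der-crl"          # the 'wrong tag' situation
        # CertificateList ::= SEQUENCE { tbsCertList SEQUENCE,
        #   signatureAlgorithm SEQUENCE, signatureValue BIT STRING }
        tags, pos = [], start
        while pos < end:
            t, _, pos = read_tlv(data, pos)
            tags.append(t)
    except ValueError:
        return "not-der-crl"
    return "der-crl-shaped" if tags == [0x30, 0x30, 0x03] else "not-der-crl"

# Constructed samples (not real CRLs): a DER skeleton with the right outer
# shape, a proxy-style HTML body, a PEM header, and a bare INTEGER.
SAMPLES = {
    "skeleton": bytes.fromhex("300a30030201013000030100"),
    "proxy_page": b"<html><body>407 Proxy Authentication Required</body></html>",
    "pem": b"-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n",
    "integer": bytes.fromhex("020100"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify_crl_payload(body))
```

A result of `der-crl-shaped` only confirms the outer structure; signature and validity checks still belong to a real X.509 library.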