2 Replies Latest reply on Jul 30, 2015 1:52 AM by michael-s-w

    CRLs for the certificate chain filter can not be loaded

    bornheim

      Hi,

       

      I have been getting two CannotLoadCRL errors for several days:

       

      [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA '22d5d8df8f0231d18df79db7cf8a2d64c93f6c3a' with digest '22d5d8df8f0231d18df79db7cf8a2d64c93f6c3a' ('').

      [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA 'cac55f77bc17b247b0b9f591f58e6ae97bfb9e1b' with digest 'cac55f77bc17b247b0b9f591f58e6ae97bfb9e1b' ('').

       

      While I could go, search and delete these - probably expired - CAs, I wonder where they come from. I only use the McAfee maintained list of CAs and would expect to be pampered a little. :-) Shouldn't McAfee delete these?

       

      Kind regards,

      Robert

        • 1. Re: CRLs for the certificate chain filter can not be loaded
          pcoates

          You can see this thread as well:

           

          Re: Cannot load CRL for CA ...

           

          Info:

           

          I'm listing the certificates below. Both certs do have valid and accessible CRL entries within the certificate, however it looks like they haven't been listed in the maintained list. The OCSP responder URIs are present, but it may be that there is an error in formatting from that maintained list. McAfee will need to update the maintained list to reflect the proper CRL URI.

           

           

           

          315

          Subject:CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

          Issuer:CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

          Not Before:04/11/2007 7:00:00 PM

          Not After:18/01/2038 6:59:59 PM

          Version:3

          Algorithm:sha384ECDSA

          Serial:2F80FE238C0E220F486712289187ACB3

          Thumbprint:22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A

           

           

          MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjEL

          {snip}

          9SDkjOVga

          FRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA==

            [✔] true

           

           

          EDIT:  CRL:

           

          http://crl.verisign.com/pca3-g4.crl

           

           

           

          263

          Subject:CN=Symantec Class 3 ECC 256 bit Extended Validation CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

          Issuer:CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

          Not Before:19/12/2012 7:00:00 PM

          Not After:19/12/2022 6:59:59 PM

          Version:3

          Algorithm:sha384ECDSA

          Serial:4D955D20AF85C49F6925FBAB7C665F89

          Thumbprint:CAC55F77BC17B247B0B9F591F58E6AE97BFB9E1B

          CRL URI:http://crl.ws.symantec.com/pca3-g4.crl

           

           

          MIID4zCCA2qgAwIBAgIQTZVdIK+FxJ9pJfurfGZfiTAKBggqhkjOPQQDAzCByjEL

          {snip}

          wT8IvzpLFqb3O

          fU7UGztmJOpOzYKvVEqI7+O/OpNjVCF9EjDSMs2ryYGwpxFDe0Vm

            [✔] true

           

           

           

           

          I've sent a request to support to verify and correct the CRL entries for these two certs.

          • 2. Re: CRLs for the certificate chain filter can not be loaded
            michael-s-w

            Hi pcoates,

             

            Thanks a lot for sending this problem as a support release. After updating my lists it seems that there are some changes in the "maintained CertList". Normally every day at 11:10 h I got the warning messages, but since yesterday I "miss" the notice. Looks good!

             

            Greetings from

            Michael
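
An added example, not part of the original thread or of any McAfee tooling: Python that ties each CannotLoadCRL line from the first post to the certificate details listed in reply 1 (matching the log digest against the thumbprint) and reports the CRL URI the certificate itself carries. Treating the final quoted field of the log line as the CRL URI the filter attempted is an assumption; `triage`, `normalize` and the verdict strings are illustrative names.

```python
import re
from collections import Counter

# The two log lines from the first post, verbatim.
LOG = (
    "[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA "
    "'22d5d8df8f0231d18df79db7cf8a2d64c93f6c3a' with digest "
    "'22d5d8df8f0231d18df79db7cf8a2d64c93f6c3a' ('').\n"
    "[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA "
    "'cac55f77bc17b247b0b9f591f58e6ae97bfb9e1b' with digest "
    "'cac55f77bc17b247b0b9f591f58e6ae97bfb9e1b' ('').\n"
)

# Thumbprint -> (subject CN, CRL URI), as listed in reply 1.
CERTS = {
    "22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A": (
        "VeriSign Class 3 Public Primary Certification Authority - G4",
        "http://crl.verisign.com/pca3-g4.crl"),
    "CAC55F77BC17B247B0B9F591F58E6AE97BFB9E1B": (
        "Symantec Class 3 ECC 256 bit Extended Validation CA",
        "http://crl.ws.symantec.com/pca3-g4.crl"),
}

LINE_RE = re.compile(
    r"\[CannotLoadCRL\] Cannot load CRL of CA '[0-9a-fA-F]+' "
    r"with digest '(?P<digest>[0-9a-fA-F]{40})' \('(?P<uri>[^']*)'\)")

def normalize(thumbprint):
    """Uppercase hex without separators, so 'ca:c5' equals 'CAC5'."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()

def triage(log_text, certs):
    """One row per failing CA: digest, hits, subject, cert CRL URI, verdict."""
    inventory = {normalize(k): v for k, v in certs.items()}
    hits, logged_uri = Counter(), {}
    for m in LINE_RE.finditer(log_text):
        digest = normalize(m["digest"])
        hits[digest] += 1
        logged_uri[digest] = m["uri"]  # assumed: the URI the filter tried
    rows = []
    for digest in sorted(hits):
        subject, cert_uri = inventory.get(digest, ("unknown CA", ""))
        if not logged_uri[digest]:
            verdict = "list entry has no CRL URI"
        elif logged_uri[digest] != cert_uri:
            verdict = "list URI differs from certificate"
        else:
            verdict = "URI matches; check reachability"
        rows.append((digest, hits[digest], subject, cert_uri, verdict))
    return rows
```

Calling `triage(LOG, CERTS)` returns one tuple per failing CA; feeding it a full day's log collapses the daily repeats into a hit count per CA.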