Regarding the last point on CDPs - Jim - have you ever got IE to correctly check the CRL from the CDP even with this enabled in the settings?

I have my CA's CDP pointing at a location on my web server and IE seems to totally ignore it!

Dean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ohaya
Sent: 23 August 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: Re: How to check server's SSL certificate on client?

Liam Escario wrote:
>
> Hi Peter,
>
> You mentioned:
>
> >So, when the PKI client in my (for example) web browser connects to
> >your IIS server, my web browser's PKI client will connect to the
> >Certifying Authority URL that you specified when you created your SSL
> >certificate
>
> what do you mean the client will connect to the CA URL specified when
> you created the SSL cert? I thought the client will connect to the URL
> specified in the "Common Name" when I created the SSL cert. I don't
> think I specified a URL when I created my CA... I just gave it a name
> in the "Common Name" field (like: "My CA" or whatever).
>

Hi,

Apologies for dropping in on this thread, but I don't have the impression that a client will 'normally' actually connect to the CA to verify the server cert.

Instead, I believe what happens is that the client should have the CA's root cert, which has the public key for the CA, and the client can then use that key to authenticate the server cert (e.g., by checking the digital signature of the server cert). That's why sometimes when you connect to a server, you get a popup with a warning that the server is "not trusted" ==> you don't have the CA's root cert.

Once the server cert has been authenticated thusly, then I think most clients (e.g., IE and Netscape) will check to see if the host name in the server cert matches the hostname in the URL that was used, and if not the same, will pop up a warning message.

The only time I'm aware of a client connecting to the server cert CA would be if (1) the server cert has a CDP, pointing to the location of the CA's CRL, AND (2) if the client is enabled to check CRLs.

For example, IE normally has CRL checking disabled, so it doesn't check whether server certs have been revoked. You can enable it in Advanced Settings, and then it is supposed to check for revoked server certs.

Jim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
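The three client-side checks Jim walks through (signature against the CA's root cert, hostname against the URL, and revocation via a CRL that is only consulted when the client is told to) can be reproduced end to end with the openssl CLI. The script below is an added example written for this thread; it is not code from either poster or from the OpenSSL project. It builds a throwaway CA named "My CA", issues a cert for the made-up host www.example.test carrying a CDP that points at the hypothetical URL http://pki.example.test/myca.crl, revokes it, and then runs `openssl verify` with and without each check. Nothing fetches the CDP URL: like IE with the setting off, `openssl verify` only honours a CRL when revocation checking (`-crl_check`) is switched on and the CRL is handed to it. It assumes an openssl binary of 1.1.0 or later (for `-verify_hostname`).

```shell
#!/bin/sh
# Added example, not from the thread. All names (My CA, www.example.test,
# the CDP URL) are constructed for the demo; the CDP URL is never fetched.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

quiet() { "$@" >/dev/null 2>&1; }

# --- The CA. The client is assumed to hold ca.crt as a trusted root. ---
quiet openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/CN=My CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
quiet openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca_ext.cnf -out ca.crt

# --- Server cert signed by that CA, with a CDP extension (hypothetical URL). ---
quiet openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=www.example.test"
cat > srv_ext.cnf <<'EOF'
subjectAltName = DNS:www.example.test
crlDistributionPoints = URI:http://pki.example.test/myca.crl
EOF
quiet openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile srv_ext.cnf -out server.crt

# --- The CA revokes the server cert and issues a CRL (what the CDP would serve). ---
touch index.txt
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
quiet openssl ca -config ca.cnf -revoke server.crt
quiet openssl ca -config ca.cnf -gencrl -out myca.crl

# The CDP is visible in the issued cert, as Dean's CA does it.
cert_has_cdp() { openssl x509 -in server.crt -noout -text | grep -q 'pki.example.test/myca.crl'; }

# Check 1: signature against the root. Without ca.crt the chain cannot be
# built (the "not trusted" popup); with it the signature verifies.
verify_without_root() { quiet openssl verify server.crt; }
verify_with_root()    { quiet openssl verify -CAfile ca.crt server.crt; }

# Check 2: hostname. $1 is the host part of the URL the user typed.
verify_hostname() { quiet openssl verify -CAfile ca.crt -verify_hostname "$1" server.crt; }

# Check 3: revocation. -crl_check plays the role of IE's Advanced Settings
# switch: with the CRL present but checking off, the revoked cert still passes.
verify_ignoring_crl() { quiet openssl verify -CAfile ca.crt -CRLfile myca.crl server.crt; }
verify_with_crl()     { quiet openssl verify -CAfile ca.crt -CRLfile myca.crl -crl_check server.crt; }

# Stand-alone demo: print the outcome of each check.
report() { name=$1; shift; if "$name" "$@"; then echo "$name $*: accepted"; else echo "$name $*: rejected"; fi; }
report cert_has_cdp
report verify_without_root
report verify_with_root
report verify_hostname www.example.test
report verify_hostname www.other.test
report verify_ignoring_crl
report verify_with_crl
```

The last two lines are the point of Dean's question: the cert carries a CDP, the CA has published a CRL listing it as revoked, and still the verifier accepts it unless revocation checking is explicitly enabled. A browser behaves the same way, and a client that is enabled but cannot reach the CDP will, depending on its settings, either fail the connection or quietly skip the check, which is worth testing when the CDP is hosted on your own web server.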