Environment
Novell eDirectory 8.8 SP7
Novell iManager 2.6
PKI/Certificate Server Plugin
Situation
Using the Certificate Server Plugin in Novell iManager 2.6 to verify an external certificate throws the following error:
ERROR: Invalid: CRL Decode Error
LAN traces show that the HTTP server hosting the CRL (Certificate Revocation List) indicated in the certificate returns an HTTP 302 (URL Moved Temporarily) response.
Attempts to access the URL for the Certificate Revocation List using Mozilla Firefox or Internet Explorer succeed, and the .crl file can be downloaded.
Resolution
The Certificate Server Plugin does not currently handle the HTTP 302 response. It therefore does not try to access the CRL at the new location provided by the HTTP server, and validation of this certificate fails. An enhancement request has been filed for PKI Engineering to investigate this issue.
The certificate itself can still be used by the Novell Web Server. Browsers will still check that it has been signed by a DigiCert Certificate Authority, so the user won't get a message that the certificate is from a site that's not trusted. In addition, all HTTP requests over SSL will still work correctly.
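An added diagnostic (not Novell's code and not part of the original TID): it requests a CRL distribution point URL one hop at a time without following redirects automatically, so an administrator can see whether a client that ignores HTTP 302, as described above, would ever reach the CRL. The `crl.example` URLs and sample bytes are constructed, and the byte check is only a sanity test, not a full CRL parse.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def http_fetch(url, timeout=10):
    """One GET with no redirect following; returns (status, Location, body)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()

def looks_like_crl(body):
    """Sanity check only: DER SEQUENCE tag or a PEM X509 CRL header."""
    return body[:1] == b"\x30" or body.lstrip().startswith(b"-----BEGIN X509 CRL-----")

def trace_crl_url(url, fetch=http_fetch, max_hops=5):
    """Walk the CRL URL hop by hop; returns ([(url, status), ...], verdict).

    verdict: 'direct', 'redirected', 'not-a-crl', 'http-error', 'too-many-redirects'.
    'redirected' means a client that does not follow redirects never gets the CRL.
    """
    hops = []
    for _ in range(max_hops + 1):
        status, location, body = fetch(url)
        hops.append((url, status))
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        if status != 200:
            return hops, "http-error"
        if not looks_like_crl(body):
            return hops, "not-a-crl"
        return hops, ("redirected" if len(hops) > 1 else "direct")
    return hops, "too-many-redirects"

if __name__ == "__main__":
    import sys
    # Constructed sample used when no URL is given: a 302 to a DER-looking body.
    fake = {"http://crl.example/ca.crl": (302, "/new/ca.crl", b""),
            "http://crl.example/new/ca.crl": (200, None, b"\x30\x82\x01\x00")}
    args = sys.argv[1:]
    hops, verdict = trace_crl_url(args[0]) if args else trace_crl_url(next(iter(fake)), fake.get)
    for hop_url, status in hops:
        print(status, hop_url)
    print("verdict:", verdict)
```

Run it with the URL from the certificate's CRL Distribution Points extension as the only argument; a `redirected` verdict matches the situation in this document.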
Status
Reported to Engineering
Additional Information
6/2/09 - Added information in the resolution section that the cert is still good.