Re: LDAP with outlook 2000



Hemlata Ahire wrote:
> 
> I want to use the microsoft cert server to issue a user certificate with a
> CRLDp extension.

You talk about PKIX crlDistributionPoint attribute for X.509v3 certs?

> By default the user certificate has a CRLDP with an HTTP URL and a file URL. I
> have made changes in the policy.dll and now I have an LDAP URL that points to
> my LDAP server.

Are you sure that the LDAP URL is correct and retrieves exactly the
attribute containing the CRL? Which LDAP server are you using?
Make sure you store all your cert data as DER-encoded BINARY data (not
ASCII, file suffix PEM).

On LDAPv2 servers you have to add suffix ;binary to the attribute name
e.g. certificateRevocationList;binary for storing a CRL.

> When I receive the email signed by this user certificate (REVOKED)
> containing the CRLDP extension, Outlook 2000 says that the certificate is
> valid!!! This is an unexpected behavior. Further, there is no sign of an
> attempt to contact my LDAP server (the logs show no sign of contact).

I'm not sure if Outlook 2000 is even capable of handling LDAP URLs for
retrieving anything. I don't know Outlook 2000 but IMHO M$ IE 4 does not
know anything about LDAP URLs. M$ IE 5 presents a dialogue to the user
for adding the entry to the user's address book and shows the user's
cert if present.
It seems to me that neither M$ IE nor Netscape Communicator knows how to
handle entries with objectClass certificationAuthority and the
attributes certificaterevocationlist;binary etc.

> This implies that Outlook is not evaluating the CRLDp extension in the user
> certificate.

Have you tried putting an HTTP URL in the X.509v3 extension
crlDistributionPoint and retrieving the data with the correct MIME types?
(M$ IE: application/pkix-crl, NS: application/x-pkcs7-crl).

Ciao, Michael.

P.S.: You might do better asking in the OpenSSL forums found under
http://www.openssl.org/.
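The crlDistributionPoint extension and the DER-versus-PEM point discussed above, as an added example that is not part of this thread: a minimal DER encoder and decoder for the CRLDistributionPoints value (OID 2.5.29.31) carrying HTTP and LDAP URIs, plus a check of how a stored CRL blob is encoded. The URIs are constructed for illustration, not taken from the thread.

```python
# Added example (not from the thread): encode/decode the DER value of the
# CRLDistributionPoints extension (OID 2.5.29.31) and check CRL encoding.

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; handles short and long-form lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_crldp(uris):
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint.
    Each DistributionPoint: distributionPoint [0] EXPLICIT DistributionPointName,
    fullName [0] IMPLICIT GeneralNames, uniformResourceIdentifier [6] IA5String."""
    dps = []
    for uri in uris:
        general_names = der_tlv(0xA0, der_tlv(0x86, uri.encode("ascii")))
        dp_name = der_tlv(0xA0, general_names)
        dps.append(der_tlv(0x30, dp_name))
    return der_tlv(0x30, b"".join(dps))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def extract_crldp_uris(ext_value: bytes):
    """Depth-first walk; every [6] primitive is a uniformResourceIdentifier."""
    uris = []
    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, content, pos = read_tlv(buf, pos)
            if tag == 0x86:
                uris.append(content.decode("ascii"))
            elif tag & 0x20:                # constructed tag: recurse into children
                walk(content)
    walk(ext_value)
    return uris

def crl_encoding(blob: bytes) -> str:
    """A DER CRL starts with a SEQUENCE tag (0x30); PEM starts with a header line."""
    if blob[:1] == b"\x30":
        return "DER"
    if blob.startswith(b"-----BEGIN"):
        return "PEM"
    return "unknown"
```

A URI coming back from extract_crldp_uris with the ldap scheme is the one a client would have to resolve against the certificateRevocationList;binary attribute; crl_encoding is the check to run on whatever was actually stored there.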