.NET 2.0, X509Certificates and CRL Check

Hi
Is it possible to check a certificate against the CRL with the new X509Certificates class in .NET 2.0?? So that I know if the certificate is revoked or not still valid...

Thanks
Dominik Zemp

Hi,
yes - use an X509Chain object and set the appropriate flags - then call Build()

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi Dominick
Thank you for your answer. But, which flags do I need to set? Will the CRL be cached locally, when I use the X509Chain to check the certificate against the CRL?

Thanks
Dominik

Hi,
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
// TimeSpan(long) counts 100 ns ticks, so 1000 is 100 microseconds
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(1000);
// AllFlags turns on every Ignore*/Allow* verification flag
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
chain.ChainPolicy.VerificationTime = DateTime.Now;

i think they are cached....

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi Dominick
Sooo... I've just tested it and here are my results:

- first, I've deleted all cached CRLs with the command 'certutil -urlcache * delete'
- then I started the .NET application....
- when I select a certificate, where the Issuing CA is installed (Trusted Root Authorities), then the CRL will be cached (I can see the CRL with the command 'certutil -urlcache CRL') and the application tells me that the Element certificate is valid (=true)
- when I select a certificate, where the Issuing CA isn't installed locally, then the CRL won't be cached (I can't see the CRL, but the 2 Windows Update CRLs are downloaded) and the certificate isn't valid (=false)

But why is that so?? Do I need to install the certificate from the Issuing CA??

Thanks and Regards
Dominik

hi,
> But why is that so?? Do I need to install the certificate from the
> Issuing CA??

why is what? the CRL is not cached OR that the cert is not valid?

you need the issuing CA cert installed locally for validation to be successful.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi
> why is what? the CRL is not cached OR that the cert is not valid?

both! :-)

hmm.....ok, I will test this tomorrow in my test lab (with the installed Issuing CA cert)

Thanks and Regards
Dominik

PS: It would actually be much easier in German! ;-)

> i think they are cached....

Yep, this is true. the CRL will be cached...

Dominik
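
An added example, not code from either poster: a chain check in the spirit of the settings discussed above that suppresses no errors and reports why Build() returned false, including the missing issuing CA case from the test results. The class and method names, the 15 second timeout and the certificate path taken from the command line are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class RevocationCheck
{
    // Hypothetical helper: true only if the chain builds with no error suppressed.
    public static bool IsValidAndNotRevoked(X509Certificate2 cert, out string reason)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        // TimeSpan(long) counts 100 ns ticks, so state the unit explicitly (assumed value).
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        // NoFlag suppresses nothing; AllFlags would turn on every Ignore*/Allow* flag.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.VerificationTime = DateTime.Now;

        bool ok = chain.Build(cert);
        reason = ok ? "chain valid, no revocation found" : Describe(chain.ChainStatus);
        return ok;
    }

    // Collapse the per-chain status entries into one explanation, most specific first.
    static string Describe(X509ChainStatus[] statuses)
    {
        X509ChainStatusFlags all = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in statuses) all |= s.Status;

        if ((all & X509ChainStatusFlags.Revoked) != 0)
            return "a certificate in the chain is revoked";
        if ((all & (X509ChainStatusFlags.PartialChain | X509ChainStatusFlags.UntrustedRoot)) != 0)
            return "issuer chain missing or not trusted locally";
        if ((all & (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation)) != 0)
            return "CRL could not be retrieved; revocation status unknown";
        if ((all & X509ChainStatusFlags.NotTimeValid) != 0)
            return "certificate expired or not yet valid";
        return "other chain error: " + all;
    }

    static void Main(string[] args)
    {
        // args[0]: path to a certificate file supplied by the caller.
        X509Certificate2 cert = new X509Certificate2(args[0]);
        string reason;
        bool ok = IsValidAndNotRevoked(cert, out reason);
        Console.WriteLine("{0}: {1}", ok ? "VALID" : "INVALID", reason);
    }
}
```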