Re: [Fed-Talk] CACs and DoD certs on Macs
- Subject: Re: [Fed-Talk] CACs and DoD certs on Macs
- From: "Miller, Timothy J." <email@hidden>
- Date: Wed, 28 Nov 2012 13:14:40 +0000
- Thread-topic: [Fed-Talk] CACs and DoD certs on Macs
On 11/21/12 1:18 PM, "David Mueller" <email@hidden> wrote:
>I then went and downloaded the CRL referenced in the certificate and parsed
>it with OpenSSL. The CRL indicates that the certificate is indeed revoked
>(serial number 2E). The difference is that OpenSSL prints the serial numbers
>in hex, while Safari prints them in decimal. 0x2E = 46.
>The cert has a revocation date of February 20, 2009, but at least one of the
>web servers that has this issue has a cert issued on January 25, 2010. Not
>sure what's going on there. Either DoD was issuing certs with a revoked CA,
>or something is chaining them incorrectly.
I don't know what CRL you're looking at, but neither DoD CA-21 nor DoD
EMAIL CA-21 has 0x2e listed:
wva-172-31-142-112:Desktop tmiller$ openssl crl -inform DER -text < DODCA_21.crl | grep -i serial | grep -i 2e$
Serial Number: 5D2E
Serial Number: 01A82E
Serial Number: 01782E
Serial Number: B32E
Serial Number: 016F2E
Serial Number: 013C2E
Serial Number: 016B2E
Serial Number: 01982E
Serial Number: 01672E
Serial Number: 01952E
Serial Number: 01652E
Serial Number: 018F2E
Serial Number: FE2E
Serial Number: 015B2E
Serial Number: 9B2E
Serial Number: 01802E
wva-172-31-142-112:Desktop tmiller$ openssl crl -inform DER -text < DODEMAILCA_21.crl | grep -i serial | grep -i 2e$
Serial Number: 7A2E
Serial Number: 8B2E
Serial Number: 612E
-- T
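
Added example, not part of the original message: an exact-match lookup of a serial number in `openssl crl -text` output, starting from the decimal form a browser shows. The function names and the sample CRL text (serials taken from the output above, revocation dates constructed) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: exact-match serial lookup in `openssl crl -text` output.

# Convert a decimal serial (as Safari displays it) to the even-length,
# uppercase hex form that `openssl crl -text` prints (46 -> 2E).
# Limitation: relies on printf, so the serial must fit in a 64-bit integer.
dec_to_crl_hex() {
    hex=$(printf '%X' "$1")
    # openssl prints whole bytes, so pad odd-length values with a leading 0
    if [ $(( ${#hex} % 2 )) -eq 1 ]; then
        hex="0$hex"
    fi
    printf '%s\n' "$hex"
}

# Read `openssl crl -text` output on stdin; return 0 only if a
# "Serial Number:" line equals $1 exactly (not merely ends with it).
crl_has_serial() {
    awk -v want="$1" '
        /Serial Number:/ {
            sub(/^.*Serial Number:[ \t]*/, "")   # drop the label
            sub(/[ \t\r]*$/, "")                 # drop trailing whitespace
            if (toupper($0) == toupper(want)) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in the layout of `openssl crl -text`; dates are made up.
sample_crl_text() {
    cat <<'EOF'
Revoked Certificates:
    Serial Number: 5D2E
        Revocation Date: Jan  1 00:00:00 2012 GMT
    Serial Number: 01A82E
        Revocation Date: Jan  1 00:00:00 2012 GMT
EOF
}

# Demo on the sample. Against a real CRL the input would instead come from:
#   openssl crl -inform DER -text -noout < DODCA_21.crl
for dec in 46 108590; do
    hex=$(dec_to_crl_hex "$dec")
    if sample_crl_text | crl_has_serial "$hex"; then
        echo "serial $dec (0x$hex): listed"
    else
        echo "serial $dec (0x$hex): not listed"
    fi
done
```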