Error: Invalid cannot read certificate revocation list
This document (7005790) is provided subject to the disclaimer at the end of this document.
Apache not listening on port 443.
Open or import the .cer file from the third-party certificate provider. In either Firefox or Internet Explorer (IE) you can view the Certification Path, which shows the root certificate that the third-party certificate chains to for trust. In the customer's case the root certificate was "Equifax Secure Certificate Authority", which is present today in the trusted root store of major browsers under the browser's security settings. That root certificate, however, carries a Certificate Revocation List Distribution Points extension whose CRL cannot be retrieved, so the customer had been issued the wrong type of certificate for this use. Equifax has two other roots that are valid for this purpose, named "Equifax Secure eBusiness CA-1" and "Equifax Secure Global eBusiness CA-1". These are GeoTrust certificates in this example.
The fix was to request a new certificate, chained to the proper root, from the third-party certificate provider. With this new certificate ConsoleOne and iManager validated the certificate and Apache started properly.
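As an added example (not from this TID and not Novell or GeoTrust code), the following POSIX shell script uses OpenSSL to reproduce both kinds of root discussed on this page, the failing one above and the working Entrust style shown further down: it builds one throw-away root CA whose CRL Distribution Point is a directoryName, which gives a CRL-checking validator nothing it can fetch, and one whose CRL Distribution Point is an HTTP URL, then reads each certificate's extension the way you would inspect a provider's .cer file. The CA names, the crl_dn distinguished name and the crl.example.invalid URL are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original TID: generate two test roots with
# different CRL Distribution Point (CRL DP) forms and classify each one.
# All names, DNs and URLs below are invented for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write an OpenSSL config for a self-signed CA.
# $1 = config path, $2 = value for crlDistributionPoints (OpenSSL x509v3 syntax)
write_ca_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
C = US
O = Example Test Root
CN = Example Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
crlDistributionPoints = $2
[ crl_dn ]
C = US
O = Example Test Root
CN = Example Test Root CRL
EOF
}

# Issue a self-signed CA certificate. $1 = output PEM path, $2 = CRL DP value
make_ca() {
  write_ca_config "$WORK/$(basename "$1").cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$(basename "$1").key" -out "$1" \
    -config "$WORK/$(basename "$1").cnf" >/dev/null 2>&1
}

# Print every URI found in the certificate's CRL Distribution Points extension,
# one per line. Extension headers sit at a 12-space indent in -text output and
# their values deeper, so a line indented 12 or fewer ends the extension.
crl_dp_uris() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 CRL Distribution Points/ { inext = 1; next }
    inext { match($0, /[^ ]/); if (RSTART && RSTART <= 13) inext = 0 }
    inext && /URI:/ { sub(/^.*URI:/, ""); print }'
}

# Classify the CRL DP of a certificate:
#   fetchable   - at least one HTTP/LDAP URL a validator can retrieve the CRL from
#   unfetchable - extension present, but only directoryName or other non-URL forms
#   none        - no CRL Distribution Points extension at all
crl_dp_status() {
  if ! openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'; then
    echo none
  elif crl_dp_uris "$1" | grep -Eq '^(https?|ldaps?)://'; then
    echo fetchable
  else
    echo unfetchable
  fi
}

# A root like the one in the TID: the CRL DP names a directory entry, not a URL.
make_ca "$WORK/dirname-root.pem" "dirName:crl_dn"
# A root like the Entrust comparison: the CRL DP is an Internet URL.
make_ca "$WORK/url-root.pem" "URI:http://crl.example.invalid/root.crl"

for cert in "$WORK/dirname-root.pem" "$WORK/url-root.pem"; do
  printf '%s: CRL DP %s\n' "$(basename "$cert")" "$(crl_dp_status "$cert")"
done
```

To check a certificate you received, run `crl_dp_status` on the PEM file (add `-inform DER` to the `openssl x509` calls if the provider shipped a binary .cer), and repeat on each certificate in the chain down from the root; a result of `unfetchable` on the root or an intermediate is exactly the situation this TID describes.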
Although validation fails in both ConsoleOne and iManager, this does not necessarily mean the certificate will not work, provided the customer is willing to accept lower security. The certificate can be used if clients, e.g. browsers, are configured either not to check the server certificate's CRL (less secure) or to ignore this type of CRL Distribution Point. Configuring the browser not to check the CRL is less secure and not compliant with RFC 2459/3280; see RFC 3280 Sections 6.3 and 6.3.3 (a). So it is up to you to decide if this is acceptable for your
Some certificate providers will issue a trial certificate so the customer can confirm that their system works with it. This can be a worthwhile option to verify that certificates work with your system before spending money and possibly having the solution fail because of an invalid certificate.
List of Equifax (and other) Trusted Root Certification Authorities. The one highlighted was eventually used to generate a proper certificate. This view is available inside Internet Explorer or Firefox under the certificates section:
Details of the invalid certificate showing the Certificate Revocation List Distribution Points. One way to resolve the error was to have a certificate without this property and whose root certificate (see above) did not have this property.
View of the certification path when opening the third-party certificate. The selected certificate is the third-party certificate and the one above it is the root certificate. In this case the root certificate was not valid for a web server because of its extensions, including the CRL Distribution Points property (see above).
A valid CRL DP looks like the following example from Entrust; notice that it carries an Internet URL from which a client or server can fetch revocation information for the certificate in question:
Formerly known as TID# 10100089
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7005790
- Creation Date:20-APR-10
- Modified Date:30-APR-12
- NovellPKIS (Certificate Server)