[strongSwan] OCSP and CRL problem

Tobias Brunner tobias at strongswan.org
Wed Jul 27 15:47:09 CEST 2016


> The serial number of the certificate and the serial number in the OCSP
> request is different. It looks like a bug to me.

Is there _any_ certificate in your PKI with the serial number that was
requested?  Perhaps one that has the same identity as this one?  Or is
this perhaps the verification of e.g. an intermediate CA certificate and
not the end-entity certificate?

> On the other side, the CDP attribute
> of the certificate also contains HTTP uri for the CRL.

It seems this particular certificate does not actually contain a CDP
with an HTTP URI, otherwise the revocation plugin would have tried it
after fetching from the LDAP URI failed.

