2 Replies Latest reply on Jul 30, 2013 6:40 AM by Mahesh_Krishnan

    Adobe LiveCycle Revocation Check with TrustAssured Cards and 3Skey.

    Mahesh_Krishnan Level 1

      Any pointers to do a revocation check for TrustAssured and 3SKey CAs would be highly appreciated.

       

      Already tried cases:

       

      TrustAssured type: OCSP Checks for Revocations.

      3SKey: CRL based Revocation Checks.

       

      Updated the Root and Intermediate CAs to the TrustStore.

      Tried Signing the OCSP requests. No luck. Getting a value Trouble for Revocation Checks.

        • 1. Re: Adobe LiveCycle Revocation Check with TrustAssured Cards and 3Skey.
          N Santosh Kumar Adobe Employee

          Mahesh,

           

          Have you checked that there is no network issue in connecting to the CRL or OCSP server from the system on which the revocation check is being done?

           

          You can check the server logs for more information.

           

           

          --Santosh

          • 2. Re: Adobe LiveCycle Revocation Check with TrustAssured Cards and 3Skey.
            Mahesh_Krishnan Level 1

            Santosh,

             

            Thanks for your response. I hope the issue with the OCSP responder is with the transport of the URL through the proxy and is now asked to be enabled. I get a 500: Transport error in the logs for TrustAssured keys.

             

            However, for 3Skey, the revocation happens in a different manner. I read through the APIs of SWIFT 3Skey stating that the revocation happens for 3Skey in two ways:

             

            1. Using Partitioned CRLs

            2. Using Combined CRLs.

             

            I have also configured the SSL certificate on my IHS for 3Skey SSL handshake.

             

            For an ALC-specific solution, we are going with Combined CRLs for 3Skey and don't know what configuration change I need to make to do a successful revocation check on these types of CAs. How do I call the Combined CRL from ALC? Is there any specific change that I need to make in the request parameters for hitting the SignatureService?

             

            <ser:CRLOptionSpec>
                <ser:LDAPServer />
                <ser:alwaysConsultLocalURL>false</ser:alwaysConsultLocalURL>
                <ser:goOnline>true</ser:goOnline>
                <ser:ignoreValidityDates>false</ser:ignoreValidityDates>
                <ser:localURI />
                <ser:requireAKI>true</ser:requireAKI>
                <ser:revocationCheckStyle>AlwaysCheck</ser:revocationCheckStyle>
            </ser:CRLOptionSpec>

             

            Cheers

             

            Mahesh Krishnan