2 Replies Latest reply on Nov 1, 2009 7:57 AM by Kris De Swert

    Use Trust Store CRL offline

    Kris De Swert

      Hello,

      I'm trying to use a CRL I imported into Trust Store offline. According to a response to another post on these forums (see http://forums.adobe.com/thread/448766), you should put the CRL distribution point URI into the "Local URI for CRL Lookup" in order to make LC pick up the CRL from the Trust Store. However, when I run the sample I created (and which I've put as an attachment to this discussion), LC keeps telling me it doesn't find a valid CRL.

      Any ideas?

      Kris

      PS: The 2 certificates must be put into Trust Store's certificates list, the CRL file into Trust Store's CRL list. The PDF in the attachment can be used to test the process.

        • 1. Re: Use Trust Store CRL offline
          SForrest96 Level 4

          Kris

          I did some testing, and I believe that I got "Local CRL" checking to work. When I tested with your files (specifically the CRL you posted), LiveCycle would generate an error (see below) and the Signer Status (found in the PDFSignatureVerificationResult object) would come back "UNKNOWN" (expected when revocation checking fails).

          2009-10-29 13:37:08,873 WARN  [com.adobe.livecycle.signatures.pki.client.PKIException] ALC-DSS-310-042 Issuers do not match (in the operation : verifyCRLIssuerAndScope)
          2009-10-29 13:37:08,873 WARN  [com.adobe.livecycle.signatures.pki.revocation.crl.CRLRevChecker] Got a CRL checking exception. Continuing with next CRL
          ALC-DSS-310-042 Issuers do not match (in the operation : verifyCRLIssuerAndScope)

          NOTE: If I tested with online CRL checking enabled, the SignerStatus would come back "TRUSTED".

          Solution

          I downloaded a more recent CRL (see screen shot CRLDownload.gif), imported it into the Trust Store, tested with my own simple process, and it worked.

          In my process, I configured the "CRL Option Spec" properties (found in the Advanced section) as follows (I also attached a screen shot - CRL_Properties.gif):

          Consult Local URI First - DISABLED  (I believe this setting references the file system, not the Trust Store)

          Local URI for CRL Lookup - BLANK  (I believe this setting references the file system, not the Trust Store)

          Revocation Check Style - Always Check

          LDAP Server - BLANK

          Go Online for CRL Retrieval - DISABLED

          Ignore Validity Dates - ENABLED

          Require AKI extension in CRL - DISABLED

          I imported the CRL I downloaded into the Trust Store. I set the Alias value to "HTTP://CRL.EID.BELGIUM.BE/BELGIUM.CRL" (this matches the CRLdp specified in the "Citizen CA.cer" certificate; see screen shot CRLConfig_TrustStore.gif). The other two certs, Belgium Root CA and the signer, use OCSP for revocation checking.

          Hope this helps.

          Steve

          • 2. Re: Use Trust Store CRL offline
            Kris De Swert Level 1

            Steve,

            Your solution did not work for my case, but it certainly did put me on the way to the solution.

            I saw I had forgotten to include the CRL of the "Citizen CA" certificate in the Trust Store (my Trust Store now looks like the one in the attached screenshot).

            I've tried your solution, but that kept hitting me with the "No valid CRL found" error (i.e. <statusMessage>ALC-DSS-112-015: No Valid CRL found</statusMessage>).

            LC gives you this error because it doesn't find a CRL that matches the CRL distribution point "HTTP://CRL.EID.BELGIUM.BE/EIDC200711.CRL".

            So, basically I've used your solution and added the eidc200711.crl with alias "HTTP://CRL.EID.BELGIUM.BE/EIDC200711.CRL" in the Trust Store.

            Kind regards,

            Kris

            PS: Did you take your machine offline and wait until the CRL cache on your machine expired when you tested your solution? (If you don't wait for that, your process will use the cached online CRL instead of the Trust Store.)
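Both posts come down to how LiveCycle picks a CRL from the Trust Store when it is offline: the alias must equal the CRLdp URI in the signer's certificate, the CRL must come from that certificate's issuer, and validity dates matter unless "Ignore Validity Dates" is set. The Go model below is an added example for this page, not Adobe LiveCycle code or either poster's; it builds a constructed CA, signer certificate and CRLs with a placeholder distribution point URI instead of eID material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Lookup models the offline Trust Store behaviour the thread arrives at: a CRL is found only under
// the alias equal to the cert's CRLdp URI, is skipped when stale unless "Ignore Validity Dates" is
// set, and must be issued and signed by the cert's issuer. Errors echo the LiveCycle codes quoted.
func Lookup(cert, issuer *x509.Certificate, store map[string]*x509.RevocationList, ignoreDates bool) (*x509.RevocationList, error) {
	now := time.Now()
	for _, dp := range cert.CRLDistributionPoints {
		crl, ok := store[dp] // alias must equal the CRLdp URI exactly, as typed in the thread
		if !ok || !ignoreDates && (now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate)) {
			continue // nothing usable under this alias: "Continuing with next CRL"
		}
		if crl.Issuer.String() != cert.Issuer.String() || crl.CheckSignatureFrom(issuer) != nil {
			return nil, errors.New("ALC-DSS-310-042 Issuers do not match")
		}
		return crl, nil
	}
	return nil, errors.New("ALC-DSS-112-015: No Valid CRL found")
}

// must panics on a fixture-construction error so the constructors below stay short.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// NewCert builds a constructed test cert (not eID material): a self-signed CA when parent is
// nil, otherwise a certificate signed by parent that carries crlDP as its distribution point.
func NewCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, crlDP ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: crlDP}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewCRL issues an empty CRL signed by ca that is valid from this until next.
func NewCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, this, next time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: this, NextUpdate: next}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}
```

Run it with a CRL stored under the wrong alias, a stale CRL, and a CRL from an unrelated CA to reproduce the three outcomes the thread reports; only the exact alias plus a current CRL from the signer's issuer succeeds.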