When SSL Certificate Revocation Lists fail

Submitted by
0x537461746943
0x537461746943 writes "About 1:30am a few customers that use our secure web servers started getting CRL (Certificate Revocation List) verification failed messages. It turns out the CA (certificate authority) we use had an issue with updating the CRL, which caused browsers to fail CRL verification. IE's default for 'Check for server certificate revocation' is off, but the CRL that failed was the publisher's certificate revocation list (Check for publisher's certificate revocation), which defaults to on for IE. The CA fixed the issue but now we have CRL caching issues. We have to wait for them to expire or tell customers to manually toggle the 'Check for publisher's certificate revocation' setting in IE, which seems to force the browser to get the new CRL.

We have tried to think of as many failure scenarios as possible over the 12 years that we have operated but this is one that completely slipped by us. We now plan to buy two certificates from different CAs for our critical https web sites. Just in case something happens we can just switch to another certificate that was signed by a different CA. It is not like we used some unknown CA either. We used one of the top CAs out there that have been established for a very long time."
