[Mono-bugs] [Bug 346536] X509Certificate2 does not consider google certificate valid

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Fri Dec 14 15:39:37 EST 2007


https://bugzilla.novell.com/show_bug.cgi?id=346536

User spouliot at novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346536#c11





--- Comment #11 from Sebastien Pouliot <spouliot at novell.com>  2007-12-14 13:39:36 MST ---
OK, while *online* isn't yet supported, it can work if it finds a local copy
of the CRL installed (same for offline). This means that I can get everything
working with the original source code if the configuration is right.

GOOGLE CERT VALID: True
CHAIN VALID: True
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, S=California, C=US
===
Subject: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
===
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
===
True


This requires:
(a) changes to machine.config for MD2 (see previous comments)
(b) downloading the intermediate CA CRL (URL is available in the google cert)
    wget http://crl.thawte.com/ThawteSGCCA.crl
(c) install the CRL into the CA store
    certmgr -add -crl CA c:\temp\ThawteSGCCA.crl
(d) downloading the root CA CRL (URL is available inside the Thawte cert)
    wget http://crl.verisign.com/pca3.crl
(e) install the CRL into the Trust store
    certmgr -add -crl Trust c:\temp\pca3.crl

Once you know the url it's possible to create a script to update them, since
they have an expiration date.

Don't you love PKIX simplicity? I can't imagine the joys of the full X.509
feature set ;-)


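The update script the comment mentions could look like the sketch below. It is an added example, not part of the original comment or of Mono; the URLs, store names and the `certmgr -add -crl` form come from steps (b) to (e), while `DRY_RUN`, the function names and the work directory are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: re-download the two CRLs named in the comment and install
# them with Mono's certmgr. Function names and DRY_RUN are hypothetical.

# store|url pairs taken from steps (b)-(e) of the comment.
CRL_LIST='CA|http://crl.thawte.com/ThawteSGCCA.crl
Trust|http://crl.verisign.com/pca3.crl'

# Print the certmgr command for one CRL file (same form as in the comment).
install_cmd() {   # $1 = store, $2 = local file
    printf 'certmgr -add -crl %s %s\n' "$1" "$2"
}

# Download one CRL and install it. A failed or empty download is discarded,
# so a network error never leads to installing a truncated file.
refresh_one() {   # $1 = store, $2 = url, $3 = work dir
    file="$3/$(basename "$2")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Only show what would be executed.
        printf 'wget -q -O %s %s\n' "$file" "$2"
        install_cmd "$1" "$file"
        return 0
    fi
    wget -q -O "$file.tmp" "$2" || { rm -f "$file.tmp"; return 1; }
    [ -s "$file.tmp" ] || { rm -f "$file.tmp"; return 1; }
    mv "$file.tmp" "$file"
    certmgr -add -crl "$1" "$file"
}

# Refresh every CRL in CRL_LIST; returns non-zero if any of them failed.
refresh_all() {   # $1 = work dir
    rc=0
    while IFS='|' read -r store url; do
        refresh_one "$store" "$url" "$1" || { echo "failed: $url" >&2; rc=1; }
    done <<EOF
$CRL_LIST
EOF
    return $rc
}

# Nothing runs unless asked to: sh refresh-crl.sh --run /some/workdir
if [ "${1:-}" = "--run" ]; then
    refresh_all "${2:-/tmp}"
fi
```

Run it from a scheduler at an interval shorter than the CRLs' validity period, and alert on a non-zero exit status so an expired CRL is noticed before chain validation starts failing.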