Showing posts from May, 2013

x.509 Certificates - Critical vs non-critical extensions

Extensions are used to associate additional information with the user or the key. Each certificate extension has three attributes: extnID, critical and extnValue.

extnID - Extension ID - an OID that specifies the format and definitions of the extension
critical - Critical flag - Boolean value
extnValue - Extension value

The criticality flag specifies whether the information in an extension is important. If an application doesn't recognize an extension marked as critical, the certificate cannot be accepted. If an extension is not marked as critical (critical value False), it can be ignored by an application. In Windows, critical extensions are marked with a yellow exclamation mark.

View certificate extensions using OpenSSL:

# openssl x509 -inform pem -in cert.pem -text -noout

(output abbreviated)

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier
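As an added illustration (not code from the original post), the following Python walks a DER-encoded Extensions SEQUENCE field by field, extnID, critical, extnValue, and applies the criticality rule described above: an extension the application does not recognise is fatal only when its critical flag is set. The sample bytes are hand-constructed to mirror the Key Usage and Subject Key Identifier shown in the OpenSSL output, plus a made-up OID 1.2.3.4 marked critical that stands in for an extension nobody understands.

```python
def _tlv(data, pos):
    # One DER tag-length-value; handles short- and long-form lengths.
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    # OBJECT IDENTIFIER contents -> dotted notation (base-128 arcs).
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(extnID, critical, extnValue)] from a DER Extensions SEQUENCE."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = _tlv(body, pos)            # Extension ::= SEQUENCE
        _, oid, p = _tlv(ext, 0)                 # extnID  OBJECT IDENTIFIER
        tag, val, p = _tlv(ext, p)               # critical BOOLEAN DEFAULT FALSE
        critical = False                         # (DER omits it when FALSE)
        if tag == 0x01:
            critical = val[0] != 0
            _, val, p = _tlv(ext, p)             # extnValue OCTET STRING
        result.append((_oid(oid), critical, bytes(val)))
    return result

KNOWN = {"2.5.29.15": "Key Usage", "2.5.29.14": "Subject Key Identifier"}
def check_extensions(exts, known=KNOWN):
    """Criticality rule: an extension we do not recognise but which is
    flagged critical makes the certificate unacceptable."""
    for oid, critical, _ in exts:
        if critical and oid not in known:
            return False, "unrecognised critical extension " + oid
    return True, "ok"

# Hand-constructed sample (not from a real certificate): Key Usage critical
# (digitalSignature, keyEncipherment), Subject Key Identifier non-critical,
# then a made-up OID 1.2.3.4 flagged critical that no application recognises.
KU, SKI = "300e0603551d0f0101ff0404030205a0", "300d0603551d0e04060404deadbeef"
UNKNOWN = "300b06032a03040101ff040100"
SAMPLE = bytes.fromhex("302c" + KU + SKI + UNKNOWN)
```

Dropping the last extension from the sample makes check_extensions return (True, "ok"); with it present the certificate is rejected, which is exactly the behaviour the critical flag is meant to force.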

Windows CRL caching

By default, both downloaded CRLs and OCSP responses are cached by a Windows client. If a time-valid version of the CRL or OCSP response exists in the cache, the client will use the cached version rather than downloading an updated CRL or submitting a new OCSP request.

Caching-related configuration is defined in the following registry hive:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

A binary value named ChainCacheResyncFiletime defines when the cache will be cleared.

Force the cache to be cleared:

c:\> certutil -setreg chain\ChainCacheResyncFiletime @now

Force the cache to clear in 1 hour:

c:\> certutil -setreg chain\ChainCacheResyncFiletime @now+0:1

View the current cache lifetime configuration:

c:\> certutil -getreg chain\ChainCacheResyncFiletime