Posted by Brian Komar [MVP] on November 7, 2005, 5:13 pm
Answers and comments inline...
taddub@yahoo.co.uk says...
> Hi All
>
> Please bear with me as I'm not a network person but this is the problem
> we have:
>
> We have a web server running IIS 6.0 behind a firewall. On this server
> we have a secure (https://whatever) web site that has a certificate
> from Verisign, which is valid.
>
> Last week we put Verisign's IP address into the firewall so the web
> server could check the revoked list on verisign.com -
> http://SVRIntl-crl.verisign.com/SVRIntl.crl. The web site worked and
> everything was good :)
>
> Now however, the website is not working and bringing up the following
> error :(
>=20
> HTTP Error 403.13 - Forbidden: Client certificate has been revoked on
> the Web server.
It actually appears that the certificate you published at your Web
server is revoked by Verisign. This message would only appear if the
serial number of your certificate appears in the certificate revocation
list. If there was a problem connecting to the Verisign web site, the
issue would be a "could not determine revocation status" error.
>
> I have talked to the network lads and they said nothing had changed but
> when they did some more digging they found that Verisign's IP address
> had changed at the DNS server. So when the certificate tries to get to
> the revoked list on verisign.com, it can't get through the firewall
> as the IP address is not listed in the list of IPs allowed to get
> through. And the network lads say we can't authorise domains on the
> firewall, it has to be IP addresses and Verisign are a high level
> domain (or something) and they can change their IP address whenever
> they want???
>
Not sure what they are saying here. Again, it looks like you did
successfully download a CRL.
> I hope I have explained the situation correctly, like I say I'm not a
> network person so I'm learning as much as I can as I go along.
>
> So my question is, how do I get my web server to see verisign.com
> without opening the whole server to the internet, for obvious security
> reasons, so it can see the revoked list on verisign.com using only IP
> Addresses?
>
You need to either place the box so that it is beyond your firewall, or
allow access to DNS and HTTP from the Web server to any part of the
internet (or keep updating as Verisign moves their IP address).
> Any and all help would be gratefully received.
>
> Tad
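The check behind the reply above, as an added example that is not code from the original thread: a 403.13 means the server fetched a CRL and found the site certificate's serial number in it, so the thing to inspect is the CRL itself. The script below uses only the Python standard library, with a small DER reader that walks CertificateList -> tbsCertList -> revokedCertificates (RFC 5280 section 5.1), and separates "could not determine revocation status" (no CRL could be fetched) from "revoked" (the CRL names the serial). The sample CRL, its issuer name, its serial numbers and the site serial are all constructed here and carry a zero placeholder signature; nothing in it comes from VeriSign.

```python
"""Is this certificate's serial number listed in a DER-encoded CRL?
Added example, standard library only. The sample CRL is constructed below
with a dummy signature; it is not a real CA's CRL."""
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import urllib.request

SEQUENCE, SET, INTEGER, BIT_STRING = 0x30, 0x31, 0x02, 0x03
NULL, OID, UTF8STRING, UTCTIME, GENERALIZEDTIME = 0x05, 0x06, 0x0C, 0x17, 0x18


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed type's content into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def revoked_serials(crl_der: bytes) -> List[int]:
    """Return every serial number listed in a DER CertificateList (RFC 5280 s5.1)."""
    tag, cert_list, _ = _read_tlv(crl_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER CertificateList")
    tbs = _children(_read_tlv(cert_list, 0)[1])   # tbsCertList is the first element
    # tbsCertList = [version] signature issuer thisUpdate [nextUpdate]
    #               [revokedCertificates] [crlExtensions, context tag 0xA0]
    i = 1 if tbs[0][0] == INTEGER else 0          # optional version
    i += 3                                        # signature, issuer, thisUpdate
    if i < len(tbs) and tbs[i][0] in (UTCTIME, GENERALIZEDTIME):
        i += 1                                    # optional nextUpdate
    if i >= len(tbs) or tbs[i][0] != SEQUENCE:
        return []                                 # field omitted: nothing revoked
    # entry = SEQUENCE { userCertificate INTEGER, revocationDate Time, [extensions] }
    return [int.from_bytes(_children(entry)[0][1], "big", signed=True)
            for _, entry in _children(tbs[i][1])]


def revocation_check(crl_der: Optional[bytes], serial: int) -> str:
    """The distinction drawn in the reply: no CRL at all vs. a CRL naming the serial."""
    if crl_der is None:
        return "could not determine revocation status"
    return "revoked" if serial in revoked_serials(crl_der) else "good"


def fetch_crl(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """Fetch a CRL over plain HTTP; None when DNS or the firewall blocks it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (OSError, ValueError):
        return None


# --- constructed sample CRL (test fixture, not real CA data) -------------------
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value: int) -> bytes:               # positive INTEGER, DER minimal encoding
    return _der(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _utctime(dt: datetime) -> bytes:
    return _der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(serials: List[int]) -> bytes:
    """Minimal v2 CRL listing `serials`; the signature is a zero placeholder."""
    sha256_rsa = _der(SEQUENCE, _der(OID, bytes.fromhex("2a864886f70d01010b")) + _der(NULL, b""))
    issuer = _der(SEQUENCE, _der(SET, _der(SEQUENCE,       # CN=Example Test CA (made up)
                  _der(OID, bytes.fromhex("550403")) + _der(UTF8STRING, b"Example Test CA"))))
    when = datetime(2005, 11, 1, tzinfo=timezone.utc)
    tbs = _der_int(1) + sha256_rsa + issuer + _utctime(when) + _utctime(when)
    if serials:                                   # RFC 5280: omit the field when empty
        tbs += _der(SEQUENCE, b"".join(_der(SEQUENCE, _der_int(s) + _utctime(when))
                                       for s in serials))
    return _der(SEQUENCE, _der(SEQUENCE, tbs) + sha256_rsa + _der(BIT_STRING, b"\x00" * 33))


if __name__ == "__main__":
    # On the web server: fetch_crl("http://SVRIntl-crl.verisign.com/SVRIntl.crl") and the
    # site certificate's serial. Here everything is constructed so it runs offline.
    SITE_SERIAL = 0x1234567890ABCDEF                # hypothetical serial number
    crl = build_sample_crl([SITE_SERIAL, 0x42])
    print("revoked serials:", [hex(s) for s in revoked_serials(crl)])
    print("site cert:", revocation_check(crl, SITE_SERIAL))   # revoked -> IIS 403.13
    print("other cert:", revocation_check(crl, 0x99))          # good
    print("no CRL:", revocation_check(None, SITE_SERIAL))      # cannot determine
```

To use it against the real CRL, run `fetch_crl` from the web server itself (not from an administrator's workstation), since the question is whether that host can resolve the CRL host name and reach it on port 80; a `None` result reproduces the "could not determine" case, while a parsed CRL that contains the serial from the site certificate's properties confirms the 403.13 is genuine.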