000025526 - How to get Certificate Revocation list (CRL) from VeriSign.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025526
Applies To: SMIME-C 2.0
SMIME-C
VeriSign OnSite
Issue: How to get a Certificate Revocation List (CRL) from VeriSign.
Resolution: Use the following Perl script to download the CRL from VeriSign:

use strict;
use warnings;

# This script reads CRLs from the VeriSign directory server and populates them
# to another local directory.  The CRL stored in the VeriSign directory server is
# an X.509 version.

# Configure this script to match your environment.
# Then run it from the command line to test it.
# When testing is complete, you may want to set it up as an "at" job.

# Point this to the directory containing the Netscape command line ldap tools.
# Your system may have them in a different location.  chdir is used because a
# "cd" run through system() only changes the directory of that child shell, not
# of this script.
chdir("c:\\netscape\\server4\\shared\\bin") or die "Cannot chdir to the ldap tools directory: $!";

print "Reading CRL from VeriSign directory server\n";

# Put the DN of the CRL you are downloading from VeriSign in this command, and
# place the CRL in a temp directory.  This example uses the Sales department of
# XYZ Corporation.  It also references the VeriSign Pilot backend.  All Pilot
# accounts will add an extra ou field containing "For Test Purposes Only".  The
# cn and o fields used are standard for both the Pilot and Production backends,
# and will be the VeriSign jurisdiction data for your OnSite account.  The
# production directory is located at directory.verisign.com.
system("ldapsearch -b \"cn=Sales, ou=For Test Purposes Only, o=XYZ Corporation\" -h pilotldap.verisign.com objectclass=pkiCA certificaterevocationlist;binary >c:\\verisign\\temp\\crl.txt") == 0
    or die "ldapsearch failed (exit status $?)";

print "Formatting CRL\n";

# The DN contained in the CRL file may not match the DN of the CRL in the
# customer's directory server (the customer can store the CRL wherever they like).
# If they are the same, do not execute this portion of the script.  These lines
# modify the CRL file to match the DN of the entry in the customer's directory
# server.
open(my $infile, "<", "c:\\verisign\\temp\\crl.txt") or die "Cannot read crl.txt: $!";
open(my $outfile, ">", "c:\\verisign\\temp\\crl.ldif") or die "Cannot write crl.ldif: $!";

while (my $line = <$infile>)
{
        # Replace the VeriSign dn line with the local entry's DN and turn the
        # record into an LDIF modify that replaces the stored CRL value.
        if ($line =~ /^dn:/)
        {
                print $outfile "dn: ou=Sales CA CRL,o=XYZ Directory\n";
                print $outfile "changetype: modify\nreplace: certificaterevocationlist;binary\n";
        }
        else
        {
                print $outfile $line;
        }
}
close($infile);
close($outfile) or die "Cannot close crl.ldif: $!";

# Put the correct bind dn and password here (must have write access).  The host
# needs to be customized also.  For this example, the host is directory.xyz.com,
# the bind dn is "cn=Directory Manager" and the password is "password".  A
# password passed with -w is visible in the process list and in this file, so
# restrict who can read the script and the scheduled job that runs it.
print "Updating CRL into directory server\n";

system("ldapmodify -h directory.xyz.com -D \"cn=Directory Manager\" -w password -f c:\\verisign\\temp\\crl.ldif") == 0
    or die "ldapmodify failed (exit status $?)";
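The dn-line rewrite in the script assumes ldapsearch returned exactly one entry and nothing else; if the search came back empty, ldapmodify is simply handed an empty file and the stale CRL stays in place. As an added example (not part of the original article, and written in Python rather than the article's Perl), here is the same transformation with the checks a practitioner would want before the file reaches ldapmodify: LDIF continuation lines are unfolded, base64 values decoded, the search must yield exactly one CRL value, and that value must at least be a well-formed DER SEQUENCE. The sample search output and the stand-in CRL bytes are constructed; the target DN is the one used by the script.

```python
import base64
import re

# Constructed stand-in for ldapsearch's LDIF output; a tiny DER SEQUENCE stands in for the CRL.
SAMPLE_CRL_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_SEARCH_OUTPUT = ("version: 1\ndn: cn=Sales, ou=For Test Purposes Only, o=XYZ Corporation\n"
                        "certificaterevocationlist;binary:: %s\n"
                        % base64.b64encode(SAMPLE_CRL_DER).decode())

def parse_ldif(text):  # -> [(dn, {attr: [bytes]})], folded lines joined, base64 decoded
    entries, dn, attrs = [], None, {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # RFC 2849 unfolding
        if not line.strip():  # a blank line ends the entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        m = re.match(r"^([^:]+)(::?) ?(.*)$", line)
        if not m or line.startswith("#"):
            continue  # comments and anything that is not "attr: value"
        attr, raw = m.group(1).lower(), m.group(3)
        value = base64.b64decode(raw) if m.group(2) == "::" else raw.encode()
        if attr == "dn":
            dn, attrs = value.decode(), {}
        else:
            attrs.setdefault(attr, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries

def looks_like_der_sequence(blob):  # outer tag is SEQUENCE and its length covers the blob
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    n = blob[1]
    if n < 0x80:  # short-form length
        return 2 + n == len(blob)
    n &= 0x7F  # long form: n length bytes follow
    return 0 < n <= len(blob) - 2 and 2 + n + int.from_bytes(blob[2:2 + n], "big") == len(blob)

def build_modify_ldif(search_output, target_dn, attr="certificaterevocationlist;binary"):
    # Refuse to emit anything unless the search returned exactly one plausible CRL.
    entries = parse_ldif(search_output)
    values = [v for _, a in entries for v in a.get(attr, [])]
    if len(entries) != 1 or len(values) != 1:
        raise ValueError("expected one entry with one %s value, got %d/%d" % (attr, len(entries), len(values)))
    if not looks_like_der_sequence(values[0]):
        raise ValueError("CRL value is not a well-formed DER SEQUENCE")
    b64 = base64.b64encode(values[0]).decode()
    folded = "\n ".join(b64[i:i + 72] for i in range(0, len(b64), 72))  # fold long lines
    return "dn: %s\nchangetype: modify\nreplace: %s\n%s:: %s\n-\n" % (target_dn, attr, attr, folded)
```

Write the returned string to crl.ldif and feed it to ldapmodify as in the script; the ValueError paths are what stop a silent no-op update.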
Alternatively, use the following command-line LDAP query to get the CRL from VeriSign.
(This example uses the Sales department of XYZ Corporation and is for a VeriSign Class 2 CA. The cn and o fields used are standard for both the Pilot and Production backends, and will be the VeriSign jurisdiction data for your OnSite account. The production directory is located at directory.verisign.com.)

ldapsearch -h directory.verisign.com -b "CN = Sales, OU = Class 2 CA - OnSite Individual Subscriber, OU = Terms of use at https://www.verisign.com/RPA (c)00, OU = VeriSign Trust Network, O = XYZ" -s sub "certificaterevocationlist" >latestcrl.txt

The CRL will be downloaded to a file called latestcrl.txt.
Workaround: Need to download the CRL from VeriSign for the application.
Legacy Article ID: a858
