How to get a Certificate Revocation List (CRL) from VeriSign.
Originally Published: 2001-02-20
Article Number
000061461
Applies To
SMIME-C 2.0
SMIME-C
VeriSign OnSite
Issue
How to get a Certificate Revocation List (CRL) from VeriSign.
Resolution
Use the following Perl script to download the CRL from VeriSign and load it into a local directory server:

# This script reads CRLs from the VeriSign directory server and populates them
# into another, local directory.  The CRL stored in the VeriSign directory server
# is an X.509 version.

# Configure this script to match your environment.
# Then run it from the command line to test it.
# When testing is complete, you may want to set it up as an "at" job.

use strict;
use warnings;

# Point this to the directory containing the Netscape command line LDAP tools.
# Your system may have them in a different location.  chdir changes the working
# directory of this Perl process; a "cd" run through system() would only affect
# the child shell and have no effect here.
chdir("c:\\netscape\\server4\\shared\\bin")
    or die "Cannot chdir to the LDAP tools directory: $!";

print "Reading CRL from VeriSign directory server\n";

# Put the DN of the CRL you are downloading from VeriSign in this command, and
# place the CRL in a temp directory.  This example uses the Sales department of
# XYZ Corporation.  It also references the VeriSign Pilot backend.  All Pilot
# accounts will add an extra ou field containing "For Test Purposes Only".  The
# cn and o fields used are standard for both the Pilot and Production backends,
# and will be the VeriSign jurisdiction data for your OnSite account.  The
# production directory is located at directory.verisign.com.
# Stop here if the download fails, so a stale or empty temp file is never loaded.
system("ldapsearch -b \"cn=Sales, ou=For Test Purposes Only, o=XYZ Corporation\" -h pilotldap.verisign.com objectclass=pkiCA certificaterevocationlist;binary >c:\\verisign\\temp\\crl.txt") == 0
    or die "ldapsearch failed: $?";

print "Formatting CRL\n";

# The DN contained in the CRL file may not match the DN of the CRL entry in the
# customer's directory server (the customer can store the CRL wherever they like).
# If they are the same, do not execute this portion of the script.  These lines
# modify the CRL file to match the DN of the entry in the customer's directory
# server.
open(INFILE, "<", "c:\\verisign\\temp\\crl.txt")
    or die "Cannot read downloaded CRL: $!";
open(OUTFILE, ">", "c:\\verisign\\temp\\crl.ldif")
    or die "Cannot write LDIF file: $!";

while (my $line = <INFILE>)
{
        if ($line =~ /^dn/)
        {
                print OUTFILE "dn: ou=Sales CA CRL,o=XYZ Directory\n";
                print OUTFILE "changetype: modify\nreplace: certificaterevocationlist;binary\n";
        }
        else
        {
                print OUTFILE $line;
        }
}

# Close both files so the LDIF is fully written to disk before ldapmodify reads it.
close(INFILE);
close(OUTFILE) or die "Cannot close LDIF file: $!";

# Put the correct bind DN and password here (must have write access).  The host
# needs to be customized also.  For this example, the host is directory.xyz.com,
# the bind DN is "cn=Directory Manager" and the password is "password".
print "Updating CRL into directory server\n";

system("ldapmodify -h directory.xyz.com -D \"cn=Directory Manager\" -w password -f c:\\verisign\\temp\\crl.ldif") == 0
    or die "ldapmodify failed: $?";

Use the following command line LDAP query to get the CRL from VeriSign.
(This example uses the Sales department of XYZ Corporation.  This is for a VeriSign Class 2 CA.  The cn and o fields used are standard for both the Pilot and Production backends, and will be the VeriSign jurisdiction data for your OnSite account.  The production directory is located at directory.verisign.com.)

ldapsearch -h directory.verisign.com -b "CN = Sales, OU = Class 2 CA - OnSite Individual Subscriber, OU = Terms of use at https://www.verisign.com/RPA (c)00, OU = VeriSign Trust Network, O = XYZ" -s sub "certificaterevocationlist" >latestcrl.txt

The CRL will be downloaded to a file called latestcrl.txt.

Workaround
Need to download the CRL from VeriSign for an application.