IBM Support

Why am I receiving message DBG0021I NSS_CERTINFO Certificate revocation list request failed?

Question & Answer


Question

Why am I receiving the following message when using IPsec on z/OS with NSSD and certificates that contain CRL information?

DBG0021I NSS_CERTINFO Certificate revocation list request failed for URL: HTTP://DNSNAME:port/path/filename.crl (Received data is invalid)

Answer

The CRL that NSSD is processing is PEM (Base64) encoded, that is, a text file, which is a direct violation of RFC 5280. NSSD cannot process this type of CRL, and neither can SSL, whether used directly or via AT-TLS. A PEM (Base64) encoded CRL contains a header of '-----BEGIN X509 CRL-----' and a trailer of '-----END X509 CRL-----'. CRLs should be encoded using BER, or more specifically DER, as required by RFC 5280.
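One way to check which encoding a CRL distribution point is serving, and to recover the DER body from a PEM file, is sketched below. This is an added example, not IBM code: the function names are hypothetical, the sample bytes are constructed placeholders rather than a real CRL, and the check covers only the PEM armor and the outer DER SEQUENCE framing, not the CRL contents or signature.

```python
import base64
import re

# PEM armor lines quoted in the answer above.
PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.DOTALL
)

def der_outer_length(data):
    """Return the total length of the outer DER SEQUENCE, or None if not DER."""
    if len(data) < 2 or data[0] != 0x30:      # a CRL starts with a SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite (BER only) or truncated
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_crl(data):
    """Classify raw bytes fetched from a CRL URL as 'pem', 'der' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    if der_outer_length(data) == len(data):
        return "der"
    return "unknown"

def pem_to_der(data):
    """Strip the PEM armor and return the DER bytes it wraps."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no X509 CRL PEM armor found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return der

# Constructed sample: a 5-byte DER SEQUENCE standing in for a CRL body.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\n-----END X509 CRL-----\n")

if __name__ == "__main__":
    print(classify_crl(SAMPLE_PEM))              # the encoding NSSD rejects
    print(classify_crl(pem_to_der(SAMPLE_PEM)))  # the encoding to publish
```

Run `classify_crl` on the bytes downloaded from the URL in the DBG0021I message; a result of `pem` means the file published at the distribution point needs to be replaced with its DER form.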


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
28 February 2019

UID

dwa1495154