Question & Answer
Question
Why am I receiving the following message when using IPsec on z/OS with NSSD and certificates that contain CRL information?
DBG0021I NSS_CERTINFO Certificate revocation list request failed for URL: HTTP://DNSNAME:port/path/filename.crl (Received data is invalid)
Answer
The CRL that NSSD is processing is PEM (Base64) encoded, that is, a text file, which is a direct violation of RFC 5280. This type of CRL cannot be processed by NSSD, or by SSL directly or via AT-TLS. A PEM (Base64) encoded CRL contains a header of '-----BEGIN X509 CRL-----' and a trailer of '-----END X509 CRL-----'. CRLs should be encoded using BER or, more specifically, DER encoding, as required by RFC 5280.
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date: 28 February 2019
UID: dwa1495154