Forcing OCSP instead of CRL

I need to check the signature status of a signed document. What I need to achieve is check the revocation information of the signing certificate through OCSP and show the result of that check. Optionally I am allowed to also do a CRL check and show the result of that check. The document is signed with a certificate that has an OCSP responder URL and a CRL location. The immediate parent certificate is imported into the LC Trust Store so there are no certificates between the signing certificate and the Trust Anchor.
No matter what I do, I seem to be unable to get the OCSP response / status in the result, I always get the CRL status / result.
The sequence of actions I am running is:
- purge the certificate cache through SOAP;
- purge the CRL cache through SOAP;
- invoke the verifyPDFDocument method through SOAP.
I have attached both the PDF I am verifying, a dump of the SOAP request I am sending and a dump of the SOAP response I am getting. (The SOAP response is stripped of some data in the CRL revocationInformation node since it was about 800KB for each occurrence.)
What I am seeing on the network is that the LC server is doing an OCSP check first (screenshots of the request and response below) and then doing a CRL check (screenshot of the request below, the response is a bit big but is valid). That is something I don't understand, because as you can see from the SOAP request I am explicitly setting the crlOptionSpec to have a checkStyle of NoCheck.
I believe all these documents together make a self-contained testcase showing the behaviour I am experiencing. I hope somebody can tell me what I need to configure in the SOAP request to get the OCSP response in the verifyPDFDocument output instead of the CRL response.
OCSP request
OCSP Response
CRL request

In the UBBCONFIG file change the ISL -n switch to have the IP address of the host rather
than the host name. Another choice would be to use the -H switch on the ISL, although
for what you want this would not be the preferred choice.
-Craig

Similar Messages

  • PKI Design - ocsp vs delta CRLs, separating CRL hosting from issuing CAs

    Hi,
    I'm giving my PKI environment a bit of an overhaul. I have a 2 tier PKI with an offline root CA which serves around 2000 clients - a lot of mobile device certificates are used. I'm not using delta CRLs and currently my issuing CA is also the publishing point for AIA and CDP information. I'm thinking of making the following changes:
    1. Use separate web servers to host the CRL and AIA files rather than placing them directly on the issuing CA, I'm then thinking of disabling IIS on the issuing CA for security reasons. The only downside to this I can see is that I'll lose web enrollment functionality - is there a way around this?
    2. I currently don't use delta CRLs (AIA and CRL files are around 9.5 KB), I'm wondering whether it'd be worthwhile to use them or go a step further with OCSP? Although I am keen to not over engineer the solution.
    3. If I add another issuing CA, presumably there's no way they can share the same DB? 
    Cheers

    > The only downside to this I can see is that I'll lose web enrollment functionality - is there a way around this?
    Starting with Windows Server 2008 you can install web enrollment on a separate computer. During service install you will be prompted to specify the CA server to associate. Also, web enrollment is outdated and very limited. Try to avoid it if possible.
    > I currently don't use delta CRLs (AIA and CRL files are around 9.5 KB), I'm wondering whether it'd be worthwhile to use them or go a step further with OCSP?
    Based on your current CRL size, you will not get any benefits from OCSP, so you can postpone its deployment until it is necessary (when your CRL becomes much larger). Keep things simple.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

  • A QUICK QUESTION ABOUT ANYCONNECT THIRD PARTY CA WITH OCSP RESPONDER.

    Hi guys,
    I have successfully implemented AnyConnect with a third-party CA server (EJBCA) and CRL for revocation checking.
    Now I want to implement OCSP instead of CRL.
    I followed this document:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00809a3fa5.shtml
    In this document it is mentioned that :
    Configure OCSP
    Configure OCSP Responder Certificate
    The OCSP configuration can vary depending upon the OCSP responder vendor. Read the manual of the vendor for more information.
    Obtain a self-generated certificate from the OCSP responder.
    Follow the procedures mentioned previously and install a certificate for the OCSP server.
    Note: Make sure that revocation-check is set to none. OCSP checks do not need to happen on the actual OCSP server.
    1- My question is how to generate a self-signed certificate from OCSP?
    2- If we are not able to get a self-signed certificate from the OCSP responder, is there any other workaround?
    3- Lastly, why do we use the certificate mapping rule for the OCSP certificate mentioned in the DoD's document?
    feel free to share your views.

    > does the client (e.g. clients using CAPI/CAPI2) also check the "Third-Party Root Certification Authorities" X509 store or do the Certs in this logical store also reside (get copied to) the "Third-Party Root Certification Authorities" X509 store
    yes. Trusted Root CAs container is an aggregated container for all trusted root CAs (for natively trusted CAs and for Root Certification Program members).
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

  • Difference between common-httpclient 3.0 and httpclient 4.0

    Hi,
    I am using SSL communication between client and server machine. The JDK version is 1.6.0_19. I am using HttpClient 4.0 now. I used common-HttpClient 3.0 earlier. The client and the server both have the certificate. Here we are doing mutual authentication, sending the certificate to each other.
    If I use the -Djavax.net.debug=all option I am able to see the detailed client and server communication. I wanted to know what destination servers it is reaching, and that's why I have used Wireshark. I have seen a difference here. If I use the common-httpclient 3.0 component then it is reaching the VeriSign site to import the CRL. But if I use httpclient 4.0 then it is not reaching the VeriSign site. It might be reaching the VeriSign site for the CRL check.
    I know internally it is using the JSSE component.
    Here are my questions :
    I'd like to know why this difference is happening.
    Does the httpclient initiate CRL checking?
    How can I initiate the OCSP check instead of the CRL check using the httpclient and the JSSE?
    How could I check the detailed log?
    I'd like to know based on what condition the application is reaching the VeriSign site (meaning CRL checking).
    Please help me out.

    Hi Subba reddy,
    Check this link for PI differences
    https://wiki.sdn.sap.com/wiki/display/XI/PI%207.1%20Components%20and%20its%20features%20over%20XI%202.0,XI%203.0,PI%207.0
    Regards
    Ramesh

  • Audio Video Content created in 10.6 Downloads instead of Plays Back

    I have a situation where all content created in 10.6 will download instead of playing back with a browsers plug-in. That includes, mp3s (mp3s created with Logic) and all types of common video formats - DivX avi's, mp4's, mov's.
    I have tested on Safari, Opera and Firefox in 10.6, Safari in 10.4, and on Windows Vista with Google Chrome.
    It appears there is something common with 10.6 that causes these problems - I would very much like to know what it is and how to resolve it.
    So that you can test it for yourself, the website is:
    www.rohanstevenson.com
    /TV and Film Demos
    In the mp3 demos, most of the content was created in 10.5 and plays back ok. But "Nightmares and the Sidh" was created in the latest Logic version on 10.6 and in Safari, it won't play unless you move the slider forward very slightly, or copy and paste the URL into QuickTime or VLC. In Firefox, it will download even if you ask it to playback using the plug-in. In Opera it will ask you for the plug-in and it will playback in the browser there. In Safari OS 10.4 and in Vista Google Chrome it will download no matter what.
    In the Movie Demos, most of them were updated and will automatically download instead of playing back in the browser. However:
    Dragon's Demand, and Fanny Hill - The Sonnet, were created in previous OS's and do playback properly (ie they don't download) in all the browsers.
    The movies that download may have been created in 10.6 or not, but even the ones that were not were edited (cut out) using Quicktime Pro 7.6  recently in 10.6 and they download and do not playback. That is to say, anything that has had any editing done and therefore saved with an application in 10.6, or were created directly in 10.6 force downloads instead of playing back in browsers in the manner described above.
    Help!
    N.B. the website was made with iWeb, but I don't think that is the problem, I think there is some header information in the files that stop them from being properly recognized.

    there's been a number of long & short threads with similar problems, I think some even had the same content-type yet still misbehaved on some servers (an OS update or two ago, so some things might be fixed)
    One poster at least thought that 10.6 created files were ok, but not if changed by iTunes (I think it was that, anyway); I never found a way to present the files on all servers that always worked, although using embed or something other than a direct link seemed to solve it in some cases w/o needing any end-user wiggling.
    I'm sure that people must create/publish ok, but a number fetch up here saying that 10.6 won't play the results.
    In case you've not seen it - Safari-Develop-Show Web Inspector-Resources-Headers shows what Safari gets as content-type, you can alter user agent & see if it changes. Sites like web-sniffer.net do it too.

  • Forced return, non-breaking hyphens & spaces, suppress hyphenation + XML

    Forced return (linefeed), non-breaking hyphens and spaces, suppress hyphenation.
    None of these are preserved when exporting from FrameMaker to XML, since they do not seem to be represented by a Unicode code point. My question to you is: How do you deal with those things in XML?
    The last issues (non-breaking and suppress hyphen) have recently been brought up in:
    http://forums.adobe.com/thread/450363
    http://forums.adobe.com/thread/459503
    Forced return is a common thing in many FrameMaker documents to improve readability of certain phrases.
    For export of FM to XML, there have been proposals to use a special element with a prefix just to capture the special FrameMaker symbol. It works, and may be a valid useful path in certain cases, but I think that it is a questionable way of dealing with it for several reasons:
    It is only relevant for roundtrip, since these special elements will hardly be interpreted by other XML tools, which of course limits the value of XML export.
    It is unwieldy, to say the least, to require the user to insert special elements for saying simple things that otherwise are just natural key strokes in the regular text flow, and which are not perceived as structural elements of information. Most users would think of these symbols/characters as control characters, and there is no validation warning that says you may not use these characters/symbols.
    An element is used for formatting purposes only, whereas all other elements are used for content or structure.
    There is no automatic way of transforming an existing text that has these "symbols" into some special element when a document is structured with a conversion table.
    There is no automatic way of transforming a structured FM document to XML such that these special "symbols" get translated to some suitable XML construct.
    If the last point could be solved, i.e. if all those control characters or markers could automatically be translated to a suitable XML representation, then I would consider the whole issue as solved, otherwise not.
    Even without FrameMaker, how do people deal with these things in "pure xml". For instance, when XML is used for publishing (which I know Arnis Gubins is doing), there will guaranteed be a need to control both hyphenation and line breaks. So how do you (they) do that?
    How do other vendors cope with these issues, e.g. XPP?

    Lynne,
    As anyone can see, entity declarations have not really been in the domain of my expertise (understatement), but I might just learn bits and pieces...
    Thanks! I have now done some more reading in various pdfs, such as scructapps etc, but also the w3c xml spec, all of which I have "read" before, but reading is not always the same as understanding...
    I now have used the "entity approach" to make both discretionary hyphen and suppress hyphen work, so that it is represented in the XML export and round-trips just fine.
    Forced return still puzzles me somewhat though: I have a working solution for that using the same entity approach, but it will not work for text ranges (although it is a bit odd to have forced returns in text range elements). Moreover, I am not certain that it really is the best way. In reading other posts on this issue, I have seen that some people want forced returns to really be linefeeds in the xml output, with no other linefeeds, and conversely, when importing xml that are "formatted" in lines, such as code, they want to preserve that.
    One way to achieve that is to use:
         reader line break is forced return;
         writer line break is 1000 characters;  (or more characters)
    Then it is completely symmetric (i.e. it works also if some other app has generated the XML with intentional line breaks). And this method is global for all elements, and it works for me.
    Another way to achieve this is to use the following, but it is only valid inside an element:
         preserve line breaks;
         writer line break is 1000 characters;
    Then it is also completely symmetric (in the above sense), and it works for me.
    The latter method has the drawback that it only works for text in the element; it is not inherited to its children.
    But if we look at only one element, what is the difference between the two methods?
    As far as I have been able to see, the results are identical! Why two methods? The first one seems more powerful and general(?)
    Scrutinizing the documentation though, it says that 'preserve line breaks' will add an attribute 'xml:space', but I can't see that in my output?
    Also, concerning the documentation for line break, it says that FM would ignore line breaks when exporting, but it does NOT do that (fortunately). Forced returns always result in linefeeds, no matter what.
    I would be thankful if these issues could be explained, or elaborated.
    Also, would you recommend against any of these methods?
    With my preferred method of using the global 'reader line break is forced return' instead of a local (or many local) 'preserve line breaks', there is of course the danger that when importing xml, it is absolutely necessary that the xml really only has line breaks where they are intended, and not generated every 80 characters or so!
    Is there anything that says it is "ugly" or "bad style" to honor line breaks, and generate long lines?
    Finally, why do we need to limit the number of characters written in one line these days? Why 80, why 1000, why not an unlimited number of characters!?
    Will software these days really crash if given a very long line (assuming that it doesn't exceed total ram memory of course)?
    Sorry about so many questions, but I can't find any answers to them in the docs I have read and searched.

  • Physical standby without ALTER DATABASE FORCE LOGGING

    Hi,
    Is it possible to use physical standby database without executing ALTER DATABASE FORCE LOGGING on primary side?
    Can I use alter tablespace force logging instead?
    I want to have one tablespace with nologging option turned on to reduce redo traffic for some operations.
    I cannot check this because I don't have enough servers to build a standby configuration.

    YuriAP wrote:
    Hi,
    Is it possible to use physical standby database without executing ALTER DATABASE FORCE LOGGING on primary side?
    YES
    Can I use alter tablespace force logging instead?
    YES
    ALTER TABLESPACE <tablespace name> FORCE LOGGING;
    I want to have one tablespace with nologging option turned on to reduce redo traffic for some operations.
    I can not check this because I don`t have enough servers to build standby configuration.
    http://download.oracle.com/docs/cd/B10500_01/server.920/a96521/create.htm#1022863

  • How can I validate a signature using OCSP?

    I need to manage signed PDF documents. It was very easy to create a java prog to create and sign a PDF document (using itext).
    I use the certificate from my Belgium Identity card for signature. Fine.
    My problem is when reading the sign document.
    On most PC, I see the signature with a yellow question mark (identity of the signer is unknown) which is not fine.
    On some PC, when the signed document is opened, I see a real time connection to "http://ocsp.eid.belgiulm.be" and the signature appears with a green check which is very fine. That what I want.
    What 'and how) are the required configuration to force this OCSP check?
    I am using Adobe Reader 9 (v 9.4.1)
    Thanks

    The validation is currently done on both PC. That not the problem.
    But on the first one, the validation fails because the "Identity of the signer is unknown"
    On my second PC, the validation is done using OCSP (I see a realtime connection to "ocsp.eid.belgium.be") resulting in a successfull validation.
    I would like TO FORCE OCSP VALIDATION on both PC. But I have no idea on how to force this OCSP validation. By chance, it happens on the first PC but I do not know why?

  • Oracle Hint on Table MKPF and MSEG : force index MSEG~M to be utilize

    Hi Experts, I'm quite new to ABAP performance tuning. I try to put as much detail as I can in my question below; for a quick overview of my problem, I want to force the SQL below to use index MSEG~M.
    added an Oracle Hint forcing index MSEG~M
      SELECT MATNR BWART MENGE
      FROM   MKPF
      INNER JOIN MSEG
         ON MKPF~MANDT EQ MSEG~MANDT
        AND MKPF~MBLNR EQ MSEG~MBLNR
        AND MKPF~MJAHR EQ MSEG~MJAHR
       INTO CORRESPONDING FIELDS OF TABLE T_MSEG2
      WHERE MKPF~BUDAT IN S_GSTRP    "(index BUD should be used)
       AND  MSEG~MJAHR IN R_DOCYEAR
       AND  BWART IN ('931', '932',
                      '901', '902',
                      '701', '702',
                      '703', '704',
                      '707', '708',
                      '711', '712',
                      '713', '714',
                      '715', '716',
                      '717', '718',
                      '551', '552',
                      '553', '554',
                      '555', '556') "ZZCHK: Constants Not Applicable
       AND  MATNR IN R_MATNR3
       AND  MATNR IN R_COMPNTS
       AND  WERKS EQ P_WERKS
      %_hints oracle 'INDEX("MKPF" "MSEG~M")'.
    Note: I'm assuming that you'll take not some comments on further enhancement:
    - " INTO CORRESPONDING FIELDS "
    - use of field symbols
    - I didn't modify it yet since my focus if for MSEG~M
    - cannot make material number as mandatory field
    Objective: Force to use index MSEG~M
    Problem:
    After adding the Oracle hint, I did the analysis in ST05 and it seems like index M is still not being forcefully utilized; instead MSEG~0 is being used.
    I replaced the Oracle Hint with:
      %_hints oracle 'INDEX("T_01" "MSEG~M")'.
    In ST05, I can see that index MSEG~M is now being utilized, BUT the worst thing happened after applying this: the program timed out.
    I already take a look on the following Notes: 129385, 130480, 772497, 162034, 818321 but nothing seems to be helpful in my problem.
    Questions:
    1.  In the syntax %_hints oracle 'INDEX("T_01" "MSEG~M")'. T_01 stands for MKPF, right, which is the first table? Do you know what's the reason for the program timeout after adding this Oracle hint? Is this the proper syntax?
    2.  How can I force in my code to use index MSEG~M without any program timeout?
    For the whole source code of my question above, please see the link:
    http://rapidshare.com/files/211740852/ZDXX0028.txt.html

    Hi Thomas, thanks with the prompt reply (even if it's Saturday )
    Yes, MKPF~BUD is being used.
    The budat selection is narrowed to 28 days though users can input any date range, a warning message will just be displayed if budat selection exceeded.
    Yes, the optimizer usually chooses the right index; I don't have the same experience as you do, but I find it interesting that after I added the Oracle hints (several combinations) the performance of the program was optimized by 40% to 50%.
    I uploaded a detailed SQL trace and the ABAP change done in my program, if you'll notice in the summary of the changes, after adding some hints, the duration of the program was improved..
    (SQL Trace Summary of my program) this worth taking a look
    http://rapidshare.com/files/211870091/ZD28_SQL_Trace.zip.html
    I made a custom index in MSEG, but unfortunately I doubt that it will be approved by our performance capacity team. But I somehow have a hunch that this will further optimize the program.
    MSEG~Z03
    MANDT     Client
    WERKS     Plant
    BWART     Movement Type (Inventory Management)
    LGORT     Storage Location
    What do you think Thomas and SAP experts?
    **Sorry for pasting the whole ST05 result
         SELECT STATEMENT          ( Estimated Costs = 131.250 , Estimated #Rows = 450 )
                        6          FILTER
                        Filter Predicates
                        5          NESTED LOOPS
                        ( Estim. Costs = 131.249 , Estim. #Rows = 450 )
              Estim. CPU-Costs = 1.885.249.948 Estim. IO-Costs = 129.700
                        2          TABLE ACCESS BY INDEX ROWID          MKPF
                        ( Estim. Costs = 14.442 , Estim. #Rows = 288.570 )
                   Estim. CPU-Costs = 206.401.140 Estim. IO-Costs = 14.272
                   1          INDEX RANGE SCAN          MKPF~BUD
                        ( Estim. Costs = 655 , Estim. #Rows = 519.426 )
              Search Columns: 2
              Estim. CPU-Costs = 30.640.783 Estim. IO-Costs = 630
              Access Predicates          Filter Predicates
                        4          TABLE ACCESS BY INDEX ROWID          MSEG
                        Estim. CPU-Costs = 5.818 Estim. IO-Costs = 0
              Filter Predicates
              3          INDEX RANGE SCAN          MSEG~0
                   Search Columns: 3     
         Estim. CPU-Costs = 1.564 Estim. IO-Costs = 0
         Access Predicates          Filter Predicates

  • One USB Port not Working Properly on MacBook Pro 3,1

    I have an older macbook 3,1 running Mavericks OS and recently one of my left USB ports has not been:
    1) able to eject external hard drives plugged into it (I have to force eject)-instead it gives me a message that one or more programs may be using it (even though I don't have any programs using it).  The hard drive is being powered by USB has a 3.0 connection although this wasn't a problem in the past... I tried the other USB port and it can eject just fine from that port.
    2)Intermittent communication with mouse.
    Not sure if this is a hardware issue but when I try to run diagnostics on this laptop by holding down the "D" key at startup it doesn't take me to diagnostics. I no longer have the discs for this laptop (containing said hardware test) so I can't boot the diagnostics from that discs. In lieu of a hardware test I opened CONSOLE and did a search for USB and there were a couple of these messages:
    8/29/14 12:13:43.000 AM kernel[0]: **** [IOBluetoothHostControllerUSBTransport][SuspendDevice] -- Suspend -- suspendDeviceCallResult = 0x0000 (kIOReturnSuccess) -- 0xdc00 ****
    Is this a logic board issue? Would rolling my OS back to pre-Mavericks work? The problem didn't emerge right when I updated to Mavericks however I have had luck changing OS stuff (updating or rolling back) with faulty USBs...
    Here are other troubleshooting methods I have attempted with no success:
    -Disk Utility (repair disk and permissions)
    -RESET PRAM NVRAM
    -Remove battery
    -RESET SMC
    -Shut Down
    -Run Disk Utility @ startup
    I'd love to get access to a Hardware Test compatible with my macbook. The links I have found online are to incomplete files. If someone @ Apple could send some Hardware diagnostics tool my way via a disk image that would be perfect.

    Did you boot into Recovery or try & run OS X Utilities, to attempt a test?
    Depending on the computer, that may be your best bet, short of taking
    the computer to an Apple Store with Genius bar; or to an AASP who is
    trained in Apple repair & testing services.
    A replacement of original install restore DVD with the correct AHT on
    a bootable DVD, could be obtained by contacting Apple support or
    the main online Apple sales, or applecare; there would be a fee.
    They'd need to know the Serial Number and product info, and you'd
    have to provide a form of payment in order to get replacement discs;
    and if the computer is way too old, those may be harder to get now.
    The main system tools could be installed in Recovery partition.
    And Ms Sammit may have answered this.
    Good luck & happy computing!

  • My Mail icon wont open when i click it

    At first it would let me receive my emails; now it receives them but just won't open. Help please.

    That's an easy one to fix. If Mail won't let you quit, use Force Quit instead. Then, perform the sync and download the software that's needed on your device.
    This is not an uncommon problem, and Force Quit is a safe option in this case.

  • EMC - Certificate status could not be determined because revocation check failed.

    I've exhausted my resources on this issue and am reaching out for some assistance. I have setup Server 2008 R2 Enterprise SP1, running Exchange 2010 SP1. In EMC I have successfully imported a GoDaddy SSL certificate. Although I am receiving the message -
    "The certificate status could not be determined because the revocation check failed."
    Here are the steps I've taken to troubleshoot this so far:
    [PS] C:\Users\Administrator\Desktop>netsh winhttp show proxy
    Current WinHTTP proxy settings:
    Direct access (no proxy server).
    As you can see, direct access. Which is true, no proxies on this network.
    For good measure, I'll dump the urlcache.
    certutil -urlcache ocsp delete
    certutil -urlcache crl delete
    Both return 0, reboot server.
    Comes back up, same message in EMC.
    From PS, I test exactly what it's getting from GoDaddy.
    [PS] C:\Users\Administrator\Desktop>certutil -f -urlfetch -verify mail.fluxlabs.net.crt
    Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
    Subject:
    CN=mail.fluxlabs.net
    OU=Domain Control Validated
    O=mail.fluxlabs.net
    Cert Serial Number: 27b60918638e0d
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotBefore: 8/20/2011 7:49 PM
    NotAfter: 8/20/2012 7:16 PM
    Subject: CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
    Serial: 27b60918638e0d
    SubjectAltName: DNS Name=mail.fluxlabs.net, DNS Name=www.mail.fluxlabs.net
    33 49 57 5d 6e d8 6b aa b9 61 73 95 44 07 c9 2e 55 6e 47 10
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 4
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
    ---------------- Certificate CDP ----------------
    Expired "Base CRL (05)" Time: 4
    [0.0] http://crl.godaddy.com/gds1-55.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 4
    [0.0] http://ocsp.godaddy.com/
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    e5 53 19 6c 54 87 8c 62 23 1b b9 11 e1 d8 3d 3f b2 04 77 3f
    Issuance[0] = 2.16.840.1.114413.1.7.23.1
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    NotBefore: 11/15/2006 8:54 PM
    NotAfter: 11/15/2026 8:54 PM
    Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    Serial: 0301
    7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    Verified "Base CRL" Time: 4
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 4
    [0.0] http://ocsp.godaddy.com
    CRL (null):
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    da 1e d5 63 5c 05 58 50 4e db d2 4e e8 9d 28 9d c4 36 b3 1e
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    NotBefore: 6/29/2004 12:06 PM
    NotAfter: 6/29/2034 12:06 PM
    Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    Serial: 00
    27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
    Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    Exclude leaf cert:
    b1 04 4b 90 a1 d3 48 de 46 bd d7 50 20 e3 44 b8 3f 68 39 f7
    Full chain:
    68 36 4d 37 2e 96 bd d2 aa 77 3f d0 e8 78 a9 e6 68 bd 7d 71
    Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
    Cert is an End Entity certificate
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.
    As you can see, the "revocation server is offline."
    So I run the same test from another server on the LAN.
    Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
    Cert is an End Entity certificate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    It passes. The server's firewall has been disabled. DNS cache has been cleared. I have verified everything I can, and it is still failing to verify.

    [PS] C:\Users\Administrator\Desktop>Get-ExchangeCertificate |fl
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.fluxlabs.net, www.mail.fluxlabs.net}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter : 8/20/2012 7:16:57 PM
    NotBefore : 8/20/2011 7:49:30 PM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber : 27B60918638E0D
    Services : IMAP, POP, IIS, SMTP
    Status : RevocationCheckFailure
    Subject : CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
    Thumbprint : 3349575D6ED86BAAB96173954407C92E556E4710
    [PS] C:\Users\Administrator\Desktop>Enable-ExchangeCertificate -Thumbprint 3349575D6ED86BAAB96173954407C92E556E4710 -Services POP,IMAP,SMTP,IIS
    The command has already been executed. Yes, I have seen those sites. Neither has worked. Like I said, it is directly connected, and no proxies are set.
    -- Jeremy MCSpadden Flux Labs
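    The certutil output above ends in CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION, which mean the chain engine could not reach a CDP or OCSP endpoint, not that the certificate is revoked. The following PowerShell is an added diagnostic, not code from the thread or from certutil: it rebuilds the chain with online revocation checking through the same .NET/CryptoAPI path Exchange uses, reports the status flags per chain element, pulls the CDP/AIA/OCSP URLs out of each certificate's extensions, and then checks whether each URL is reachable from the failing host. The function names are mine; the thumbprint in the usage call is the one from the Get-ExchangeCertificate output above.

```powershell
# Added diagnostic for the "revocation server was offline" case (not from the thread).
# Runs on the machine that fails so the check goes through that machine's network path.

function Get-RevocationUrls {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP + CA issuer)
    foreach ($ext in $Certificate.Extensions) {
        if (@('2.5.29.31', '1.3.6.1.5.5.7.1.1') -contains $ext.Oid.Value) {
            # Format($true) renders the extension as multi-line text containing "URL=http://..." entries
            $text = $ext.Format($true)
            foreach ($m in [regex]::Matches($text, 'https?://[^\s,)]+')) {
                [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Value }
            }
        }
    }
}

function Get-ChainRevocationReport {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'   # Exchange keeps its certificates here
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # really fetch CRL/OCSP, like certutil -verify -urlfetch
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every issuer, not only the leaf
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $null = $chain.Build($cert)

    foreach ($element in $chain.ChainElements) {
        $flags = $element.ChainElementStatus | ForEach-Object { $_.Status }
        [pscustomobject]@{
            Subject       = $element.Certificate.Subject
            NotAfter      = $element.Certificate.NotAfter
            Status        = if ($flags) { $flags -join ', ' } else { 'NoError' }
            # RevocationStatusUnknown / OfflineRevocation = "could not ask", which is a connectivity problem
            CouldNotCheck = [bool]($flags | Where-Object { $_ -match 'RevocationStatusUnknown|OfflineRevocation' })
            IsRevoked     = [bool]($flags | Where-Object { $_ -eq 'Revoked' })
            Urls          = @(Get-RevocationUrls -Certificate $element.Certificate | ForEach-Object { $_.Url })
        }
    }
}

function Test-RevocationUrl {
    param([Parameter(Mandatory)] [string] $Url, [int] $TimeoutMs = 10000)
    # A HEAD request is enough to show the CDP/OCSP host answers from this machine.
    # Any HTTP response (even 4xx) means the host is reachable; only transport failures count as offline.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.Timeout = $TimeoutMs
    try {
        $resp = $req.GetResponse()
        $result = "reachable (HTTP $([int]$resp.StatusCode))"
        $resp.Close()
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            $result = "reachable (HTTP $([int]$ex.Response.StatusCode))"
            $ex.Response.Close()
        } else {
            $result = "unreachable: $($ex.Message)"
        }
    }
    [pscustomobject]@{ Url = $Url; Result = $result }
}

# Usage: thumbprint taken from the Get-ExchangeCertificate output in the post above
$report = Get-ChainRevocationReport -Thumbprint '3349575D6ED86BAAB96173954407C92E556E4710'
$report | Select-Object Subject, NotAfter, Status, CouldNotCheck, IsRevoked | Format-Table -AutoSize
# Then probe every CDP/AIA/OCSP URL the chain depends on, from this host
$report | ForEach-Object { $_.Urls } | Sort-Object -Unique |
    ForEach-Object { Test-RevocationUrl -Url $_ } | Format-Table -AutoSize
```

    If an element shows CouldNotCheck while the URL probe reports "unreachable", the problem is on the network path, not in the certificate. One thing worth knowing here is that system services such as Exchange use the WinHTTP proxy setting (`netsh winhttp show proxy`), not the per-user Internet Options proxy, so an empty proxy in the browser settings does not prove the service has a route to the CDP and OCSP hosts.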

  • iBooks fail to wake from sleep.

    I've had an ongoing issue with two late '05 model iBook G4s that occasionally do not wake from sleep. I've documented that in an earlier post titled "Topic: Waking from sleep requires Forced Shut Down on two different g4 iBooks,"
    http://discussions.apple.com/thread.jspa?threadID=337599&tstart=15
    The problem continues, and appears to have increased in frequency since the last OS update, although I cannot say that with certainty, but I have noted a possible correlation between the problem occurring and the Dashboard being open when the computers go to sleep. Is anyone aware of any difficulties involving sleep issues, in particular problems waking up from sleep and the use or operation of the Dashboard? The only widgets I use are Radar in motion, weather and ministat2.
    And if anyone has any other assistance from the previous thread, I would appreciate it.
    ibook G4 1.33ghz 12, 1.42ghz 14   Mac OS X (10.4.2)  

    You may have missed it above, but resetting the PMU:
    http://docs.info.apple.com/article.html?artnum=14449
    may resolve your problems regarding the iBook not waking properly from sleep. The Power Management Unit has control over the sleep function, so resetting it often helps when someone is having this trouble.
    Every time you have to do a forced shutdown instead of a normal one, there is a chance of hard drive damage and you should repair the hard drive, either by booting into Safe Mode or starting up from the Mac OS X Install Disc by inserting the disc and restarting your computer, holding down the C key at the end of the startup chime. Then choose Installer > Open Disk Utility (in Panther) or Utilities > Disk Utility (in Tiger) and select the hard drive in the left column. Choose the First Aid tab. Click Repair Disk to test and repair the hard drive. Once you have repaired the hard drive with either Safe Mode or the Install disc's Disk Utility, then start up normally and repair permissions from Disk Utility in the Utilities folder on your hard drive.

  • Laptop will NOT shut down after a hard drive installation

    We have been rebuilding a Pismo from scratch, basically. The last part was the hard drive, which we did yesterday. It took a while to get the computer to boot up, but when it did it worked perfectly - or so we thought. After replacing all the contents of a broken iBook (cloned backup), we used it for a while and things worked fine. Unfortunately, it will not shut down. Using Shut Down ... it closes all the files and then just sits there with the desktop open. Tried several things and it just won't shut off. Any ideas?

    Hi, and welcome to Apple Discussions.
    Are you talking about the Pismo not shutting down? Or an iBook?
    Have you tried forcing a shutdown by holding down the power button for 5-10 seconds? This is how to force an iBook to shut down.
    Every time you have to do a forced shutdown instead of a normal one, there is a chance of hard drive damage and you should repair the hard drive, either by booting into Safe Mode OR by starting up from the Mac OS X Install disc by inserting the disc and restarting your computer, holding down the C key as the startup chime is ending. Then click 'Next' at the language screen and choose Utilities > Disk Utility and select the hard drive in the left column. Choose the First Aid tab. Click Repair Disk to test and repair the hard drive.
    Once you have repaired the hard drive with either Safe Mode or the Install disc's Disk Utility, then start up normally and repair permissions from Disk Utility in the Utilities folder on the hard drive.
    If it continues to have problems shutting down, you may want to try resetting the PMU.
    Good luck.

  • Digital Signatures and Encryption in Yosemite Mail

    After upgrading to Yosemite, I am having difficulty using the Mac Mail app to send digitally signed and encrypted email.
    Before the upgrade to Yosemite, I was able to send signed and encrypted emails using certificate/keys in my keychain using both the Mac Mail app and Microsoft Outlook 2011 for Mac.
    After upgrading, I am still able to send signed and encrypted message in Outlook, but the Mac Mail app gives the following error when I attempt to send a signed email:
    'You don’t have a trusted certificate in your keychain that matches the email address “XXXX@XXXX”. Without a certificate, you can’t sign messages sent from this address.'   (Actual name replaced)
    When I look at my certificates in my keychain, a certificate is available with "Usage: Digital Signature" that has the email address from the error message "XXXX@XXXX" with exact case in the RFC 822 Name.
    Another interesting piece of data that might help track this down is that when I first launch the Mac Mail application, the Mac Mail application is able to successfully decrypt emails that have been previously sent encrypted to me.  HOWEVER, after I attempt to send an email and get the "You don’t have a trusted certificate..." error message, these emails are no longer able to be decrypted.  I get the "Unable to decrypt message" header above the message and the content of the message is just a "smime.p7m".  If I close the mail application and restart it, these encrypted messages are once again decryptable until I attempt to send a message.
    It almost seems like things are working until mail tries to access the keychain.
    I have attempted to delete my certificate and keys from my keychain and then add those items again.
    I have attempted to close the mail application and reopen it.
    I have attempted to reboot my computer.

    1.  I want to confirm that this is still an issue for me in 10.10.1 and mail Version 8.1 (1993)
    2.  I have another data point.
    At my office I have wired networking and wireless networking available.  Primarily I utilize the wired networking for access to network drives, etc.
    When using the wired networking, I experience all the problems that have been catalogued in this thread.  Can't sign, can't encrypt, can't close the compose window after the mail program fails to find my certificate.
    However, when I switch to wireless networking before starting the mail application, digital signatures and encryption seem to work!  This is pretty weird behavior.  Make sure to restart mail if you were previously wired.
    Here are some theories:
    Something to do with OCSP?  When I am wired vs wireless I am on different IP subnets and subject to different firewall rule sets.  Perhaps OCSP is trying to determine the status of the certificate and failing?
    Here are some things I have tested:
    I switched to a different official Apple-brand Thunderbolt to Ethernet adapter with no change in behavior.
    I disabled wireless and disconnected my wired network.  So no network access at all.  Signatures and encryption work!  The message obviously does not send, but it appears in my outbox and I don't get the signature error.  When I reconnect my wired cable, the message sends successfully and appears as encrypted in my sent folder!
    I have attempted to disable OCSP by using "Keychain Access --> Preferences --> Certificates Tab --> OCSP (OFF) and CRL (OFF)" but this hasn't made a difference in the behavior of wired networking.
    Ran tcpdump on traffic to the OCSP service but didn't see any traffic when I attempted to send a message and received the signature error.
    I am pretty stumped on this.  This is very odd behavior.
    Does anyone else experience this behavior?
