At the end of March 2023, the EC introduced the Commissign-2 PKI to provide the EC service certificates (*.*.testa.eu) used on the Testa network. The CRLs for these certificates can now be verified on the Testa network.
The issue described below has since been solved.
As presented at the TWG on January 23, 2023:
- In September 2022 Latvia informed EUCARIS Operations about certificate-related issues with ProDriveNet on the acceptance environment.
- The revocation of the new certificate could not be checked.
- Latvia opened their connection from the acceptance server to the internet, which solved the issue.
- At this point we were aware of the EC providing the certificates from a new PKI (Commissign).
- The CRL (Certificate Revocation List) of this PKI is not available via the Testa network (only via the internet).
- In a similar situation with the previous Telesec PKI, EUCOP provided a workaround (a CRL reroute via the hosts file to EUCOP).
- Configuring the same workaround for the Commissign CRLs would introduce a problem with the OCSP (Online Certificate Status Protocol) service.
- For the services to work, we advise not enabling CRL checking for Commissign certificates in the broker configuration.
- One important security design element of Testa and EUCARIS is the separation from the internet.
- The Manager EUCARIS Operations has raised a complaint with the EC to enable CRL and OCSP checking via Testa (ongoing).