Certificate Validation Cluster Properties

The following cluster properties configure the settings used in the Manage Certificate Validations task and for expiration checking.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
Property
Description
pkix.crl.cacheExpiryAge
Expiration time for the LDAP and HTTP caches used when retrieving Certificate Revocation Lists (CRLs). Value is a time unit.
Default: 5m
pkix.crl.defaultExpiryAge
Expiration time applied to a CRL that does not carry its own expiry (next update) time. When the expiry age elapses, the CRL is refreshed. Value is a time unit.
Default: 1h
pkix.crl.maxExpiryAge
Maximum expiration time for a CRL. This value is used instead of the CRL's own expiry age when that age is greater than the value of this cluster property. Value is a time unit.
Default: 7d
pkix.crl.maxSize
Maximum size, in bytes, for a CRL. A value of zero indicates unlimited size.
Default: 1048576
pkix.crl.minExpiryAge
Minimum expiration time for a CRL. This value is used instead of the CRL's own expiry age when that age is less than the value of this cluster property. Value is a time unit.
Default: 1h
If the minimum expiration time is applied, the Layer7 API Gateway may be using a stale CRL, because the CRL is kept in the cache beyond the expiry time its issuer specified.
pkix.crl.invalidateCrlCacheOnNextUpdate
Invalidates the cached CRL at the next update time embedded in the CRL. Value is a Boolean.
Default: false
pkix.crl.skipSerialNumberCheckForRevocationCheck
Skips comparing the serial numbers of identical certificates in a trusted store, to avoid CRL check failures. Value is a Boolean.
Default: false
pkix.crl.validateCrlBeforeCacheUpdate
Set this property to true to validate the CRL's signature with the issuer's key before updating the cache. Value is a Boolean.
Default: false
pkix.csr.defaultExpiryAge
Default expiration time, in days, for certificates issued by the CSR server. Used for internal users without a configured expiry time, and for certificates issued to LDAP users.
Default: 730 (days)
pkix.keyUsage
Controls X.509 key usage enforcement. Values are:
  • IGNORE: Accepts and uses certificates for purposes other than those they were designated for.
  • ENFORCE: Uses certificates only for their stated purposes, as described in the "Key usage" and "Ext. key usage" sections of the [Details] tab of a certificate's properties. For details, see "Certificate Expiration Notification" in Manage Certificates. If a certificate does not contain key usage or extended key usage information marked as critical, the certificate is treated as if all possible usages are enabled (the same as the IGNORE setting).
Default: ENFORCE
Requires a Layer7 API Gateway restart for changes to take effect.
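The following is an added example, not code from the Layer7 API Gateway or its documentation, that models the IGNORE/ENFORCE rule above together with the critical-extension caveat, and adds the check a reviewer would run on a trusted certificate before relying on ENFORCE. The certificate contents, the Purpose mapping (which key-usage bits and EKU names a TLS server, TLS client or message signer needs), and the per-extension reading of "marked as critical" (each of Key Usage and Extended Key Usage only constrains the certificate when present and critical) are assumptions for illustration; the Gateway's real mapping is in its Key Usage Enforcement Policy.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

ANY_EKU = "anyExtendedKeyUsage"  # RFC 5280 anyExtendedKeyUsage: satisfies every EKU purpose


class KeyUsageMode(Enum):
    """The two values of pkix.keyUsage."""
    IGNORE = "IGNORE"
    ENFORCE = "ENFORCE"


@dataclass(frozen=True)
class CertUsageInfo:
    """What a certificate's Key Usage / Extended Key Usage extensions declare.

    None means the extension is absent. Constructed stand-in for what an X.509
    parser would return; no real certificate is parsed here.
    """
    key_usage: Optional[frozenset[str]]
    key_usage_critical: bool
    ext_key_usage: Optional[frozenset[str]]
    ext_key_usage_critical: bool


@dataclass(frozen=True)
class Purpose:
    """Key-usage bits and EKU names an operation needs (assumed mapping)."""
    key_usage: frozenset[str]
    ext_key_usage: frozenset[str]


TLS_SERVER = Purpose(frozenset({"digitalSignature"}), frozenset({"serverAuth"}))
TLS_CLIENT = Purpose(frozenset({"digitalSignature"}), frozenset({"clientAuth"}))
MESSAGE_SIGNING = Purpose(frozenset({"digitalSignature"}), frozenset())


def _constrains(values: Optional[frozenset[str]], critical: bool) -> bool:
    # Assumed reading of the page: an extension restricts the certificate only
    # when it is present AND critical; otherwise all usages count as enabled.
    return values is not None and critical


def usage_permitted(cert: CertUsageInfo, purpose: Purpose, mode: KeyUsageMode) -> bool:
    """Would the Gateway accept `cert` for `purpose` under the given pkix.keyUsage mode?"""
    if mode is KeyUsageMode.IGNORE:
        return True
    if _constrains(cert.key_usage, cert.key_usage_critical):
        if not purpose.key_usage <= cert.key_usage:
            return False
    if purpose.ext_key_usage and _constrains(cert.ext_key_usage, cert.ext_key_usage_critical):
        if ANY_EKU not in cert.ext_key_usage and not purpose.ext_key_usage <= cert.ext_key_usage:
            return False
    return True


def enforcement_gaps(cert: CertUsageInfo) -> list[str]:
    """Findings a reviewer would raise: extensions that ENFORCE will silently not apply."""
    gaps = []
    if cert.key_usage is None:
        gaps.append("no Key Usage extension: any key usage is accepted under ENFORCE")
    elif not cert.key_usage_critical:
        gaps.append("Key Usage present but not critical: not applied under ENFORCE")
    if cert.ext_key_usage is None:
        gaps.append("no Extended Key Usage extension: any purpose is accepted under ENFORCE")
    elif not cert.ext_key_usage_critical:
        gaps.append("Extended Key Usage present but not critical: not applied under ENFORCE")
    return gaps


# Constructed example certificates (extension contents only, not real certs).
STRICT_SERVER = CertUsageInfo(frozenset({"digitalSignature", "keyEncipherment"}), True,
                              frozenset({"serverAuth"}), True)
LAX_SERVER = CertUsageInfo(frozenset({"digitalSignature", "keyEncipherment"}), True,
                           frozenset({"serverAuth"}), False)  # EKU present but not critical
ENCRYPTION_ONLY = CertUsageInfo(frozenset({"keyEncipherment"}), True, None, False)


if __name__ == "__main__":
    for name, cert in [("strict server", STRICT_SERVER), ("lax server", LAX_SERVER),
                       ("encryption only", ENCRYPTION_ONLY)]:
        for mode in KeyUsageMode:
            ok = usage_permitted(cert, TLS_CLIENT, mode)
            print(f"{name:16s} as TLS client under {mode.value:8s}: {'accepted' if ok else 'rejected'}")
        for gap in enforcement_gaps(cert):
            print(f"{name:16s} gap: {gap}")
```

The "lax server" case is the one to watch: the certificate says serverAuth, but because the EKU is not critical, ENFORCE accepts it as a client certificate anyway. If you depend on ENFORCE, confirm that the extensions in your trusted certificates are marked critical, or restrict usage with pkix.keyUsagePolicy.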
pkix.keyUsagePolicy
Overrides the default key usage policy. A long XML string defining a key usage enforcement policy. For details, see "Recognized Action Names" in Key Usage Enforcement Policy.
Default: <empty> (system default policy is used)
pkix.ocsp.defaultExpiryAge
Cache time for Online Certificate Status Protocol (OCSP) responses. Specifies how long an OCSP response is retained for an individual certificate validation attempt before it is discarded and a new one retrieved. Used if the OCSP response does not include its own expiry age. Value is a time unit.
Default: 1m
pkix.ocsp.maxExpiryAge
Maximum expiration for a cached OCSP response. Used instead of the response's own expiration when that expiration is greater than the value of this cluster property. Value is a time unit.
Default: 15m
pkix.ocsp.minExpiryAge
Minimum expiration for a cached OCSP response. Used instead of the response's own expiration when that expiration is less than the value of this cluster property. Value is a time unit.
Default: 1s
pkix.ocsp.useNonce
Controls whether to include a nonce in OCSP requests to protect against replay attacks. Value is a Boolean.
Default: true
Set this property to false if the OCSP responder does not support nonces. To verify that nonces are supported, look for the "id-pkix-ocsp-nonce" extension in the extensions section of the OCSP request and response. Without a nonce, a previously captured OCSP response can be replayed to the Gateway until that response expires.
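The CRL properties (pkix.crl.defaultExpiryAge, pkix.crl.minExpiryAge, pkix.crl.maxExpiryAge) and the OCSP properties (pkix.ocsp.defaultExpiryAge, pkix.ocsp.minExpiryAge, pkix.ocsp.maxExpiryAge) apply the same rule: use the object's own expiry if it has one, otherwise the default, then clamp the result into [min, max]. The following added example, not Gateway code, works that rule through for both with the defaults listed on this page, so you can see when a CRL or OCSP response is held longer than its issuer intended. The time-unit parser (s, m, h, d), the clock, and the nextUpdate values are constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed reading of the page's time units: s, m, h, d. The Gateway's own
# parser is documented under "Time Units" and is not reproduced here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time_unit(value: str) -> timedelta:
    """Parse a cluster-property value such as '5m', '1h' or '7d'."""
    number, unit = value[:-1], value[-1:]
    if unit not in _UNIT_SECONDS or not number.isdigit():
        raise ValueError(f"unsupported time unit value: {value!r}")
    return timedelta(seconds=int(number) * _UNIT_SECONDS[unit])


@dataclass(frozen=True)
class ExpiryPolicy:
    """The default/min/max trio that both the CRL and the OCSP properties define."""
    default_age: timedelta
    min_age: timedelta
    max_age: timedelta


# Built from the defaults listed on this page.
CRL_POLICY = ExpiryPolicy(
    default_age=parse_time_unit("1h"),  # pkix.crl.defaultExpiryAge
    min_age=parse_time_unit("1h"),      # pkix.crl.minExpiryAge
    max_age=parse_time_unit("7d"),      # pkix.crl.maxExpiryAge
)
OCSP_POLICY = ExpiryPolicy(
    default_age=parse_time_unit("1m"),  # pkix.ocsp.defaultExpiryAge
    min_age=parse_time_unit("1s"),      # pkix.ocsp.minExpiryAge
    max_age=parse_time_unit("15m"),     # pkix.ocsp.maxExpiryAge
)


@dataclass(frozen=True)
class CacheDecision:
    lifetime: timedelta    # how long the object is kept before it is refetched
    clamped_to_min: bool   # object wanted an earlier refresh than min allows (stale risk)
    clamped_to_max: bool   # object's own expiry exceeded max and was capped


def cache_lifetime(policy: ExpiryPolicy, now: datetime,
                   next_update: Optional[datetime]) -> CacheDecision:
    """Own expiry if present, else the default; then clamp into [min_age, max_age]."""
    if next_update is None:
        age = policy.default_age
    else:
        age = next_update - now  # negative when the object is already past its nextUpdate
    if age < policy.min_age:
        return CacheDecision(policy.min_age, True, False)
    if age > policy.max_age:
        return CacheDecision(policy.max_age, False, True)
    return CacheDecision(age, False, False)


def run_scenarios() -> dict[str, CacheDecision]:
    """Constructed scenarios against a fixed clock (not captured Gateway data)."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return {
        "crl_next_update_30d": cache_lifetime(CRL_POLICY, now, now + timedelta(days=30)),
        "crl_next_update_10m": cache_lifetime(CRL_POLICY, now, now + timedelta(minutes=10)),
        "crl_already_expired": cache_lifetime(CRL_POLICY, now, now - timedelta(hours=2)),
        "crl_no_next_update": cache_lifetime(CRL_POLICY, now, None),
        "ocsp_next_update_1h": cache_lifetime(OCSP_POLICY, now, now + timedelta(hours=1)),
        "ocsp_next_update_5m": cache_lifetime(OCSP_POLICY, now, now + timedelta(minutes=5)),
        "ocsp_no_next_update": cache_lifetime(OCSP_POLICY, now, None),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        note = ""
        if d.clamped_to_min:
            note = "  <- raised to minExpiryAge: stale data may be served until then"
        elif d.clamped_to_max:
            note = "  <- capped at maxExpiryAge"
        print(f"{name:22s} cache for {d.lifetime}{note}")
```

Two of the CRL rows are the ones this page warns about: a CRL whose nextUpdate is ten minutes away, or already past, is still cached for the full hour of pkix.crl.minExpiryAge, so a revocation published in that window is not seen. Lowering pkix.crl.minExpiryAge narrows that window at the cost of more frequent fetches; the OCSP defaults (1s minimum, 15m maximum) are already tuned far tighter.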
pkix.permittedCriticalExtensions
Critical certificate extensions that the Gateway accepts during validation. The value is a list of extension object identifiers (OIDs), separated by spaces.
Default: <empty>
pkix.validation.identityProvider
Validation method for identity provider certificates. You can also set this property using Manage Certificate Validation.
  • validate = Validate that the certificate is valid and trusted.
  • validatepath = Validate that the certificate path chains to a trust anchor.
  • revocation = Validate the certificate path and perform a revocation check using the revocation checking policies.
Default: validate
pkix.validation.other
Validation method for all certificates except identity provider and routing certificates. You can also set this property using Manage Certificate Validation. See pkix.validation.identityProvider for a description of each setting.
Default: validate
pkix.validation.routing
Validation method for certificates used by the server for routing (for example, HTTPS or FTPS). You can also set this property using Manage Certificate Validation. See pkix.validation.identityProvider for a description of each setting.
Default: validate
trustedCert.expiryCheckPeriod
Time to wait between successive trusted certificate expiry checks. Value is a time unit. For details, see "Certificate Expiration Notification" under Manage Certificates.
Default: 12h
trustedCert.expiryFineAge
How long before a trusted certificate expires the Gateway starts logging a FINE audit event for it. Value is a time unit.
Default: 30d
trustedCert.expiryInfoAge
How long before a trusted certificate expires the Gateway starts logging an INFO audit event for it. Value is a time unit.
Default: 7d
trustedCert.expiryWarningAge
How long before a trusted certificate expires the Gateway starts logging a WARNING audit event for it. Value is a time unit.
Default: 2d