Certificate Revocation Update Options
This content describes how to configure PAM to regularly check that SSL certificates are still valid.
Certificate Authorities revoke SSL certificates when they detect an issue with the associated identity or that the certificate key has been compromised. The CA then publishes that information so that certificate users can stop using those revoked certificates.
This content describes how to configure PAM to regularly check that its security certificate is still valid using one of the following methods:
- Regularly downloading the latest Certificate Revocation List (CRL): Some CAs provide CRL Distribution Points from which you can periodically download the latest list of certificates that have been revoked.
- Querying an Online Certificate Status Protocol (OCSP) server (or responder): OCSP is a dynamic alternative to CRLs. OCSP enables an application or browser to query the Certificate Authority for the revocation status of a certificate each time a connection is established.
If your certificate is revoked, request a new certificate from the CA and apply it to all of your PAM servers.
Obtain CRL Distribution Point and OCSP Server Information From a Certificate
If necessary, use this procedure to obtain CRL Distribution Point or OCSP server information from the Certificate properties.
Obtain Information From a Certificate on Windows
Follow these steps:
- In Windows Explorer, navigate to the certificate file and open it. A Certificate dialog opens.
- Select the Details tab.
- To find details of available CRL Distribution Points, select the corresponding entry in the top list and take note of the URL or URLs in the lower panel.
- To find out if the CA provides an OCSP server, do the following steps:
  - Select the Authority Information Access entry in the top panel.
  - Note whether a URL is provided in the lower panel. You do not need to copy the URL.
Obtain Information From a Certificate on UNIX
To obtain information from a certificate on a UNIX system, enter the following command and look for the CRL Distribution Points and Authority Information Access extensions in the output:
openssl x509 -in certificate_file.cer -text
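The following script is an added example (not part of the PAM documentation) that wraps the openssl command above so the CRL Distribution Point URLs and the OCSP responder URL are printed on their own, ready to paste into the URLs text box or to confirm that OCSP is offered. It assumes OpenSSL 1.1.1 or later; the example.com URLs and the self-signed sample certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not PAM product code. Extracts the revocation-checking
# endpoints from an X.509 certificate, the same entries the Windows Details
# tab shows as "CRL Distribution Points" and "Authority Information Access".
# Requires OpenSSL 1.1.1+ for the -ext and -addext options.

# Print each CRL Distribution Point URI in the certificate, one per line.
crl_distribution_points() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^[[:space:]]*URI://p'
}

# Print each OCSP responder URI from the Authority Information Access
# extension, one per line (empty output means the CA offers no OCSP server).
ocsp_responders() {
    openssl x509 -in "$1" -noout -ext authorityInfoAccess 2>/dev/null |
        sed -n 's/^[[:space:]]*OCSP - URI://p'
}

# Build a throwaway self-signed certificate carrying both extensions so the
# functions above can be exercised offline. The example.com URLs are
# constructed placeholders. Prints the directory holding cert.pem.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=sample.example.com" \
        -addext "crlDistributionPoints=URI:http://crl.example.com/ca.crl" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.com" \
        >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: `sh extract_revocation_info.sh demo` shows the sample;
# `sh extract_revocation_info.sh path/to/cert.pem` inspects a real file.
if [ -n "${1:-}" ]; then
    if [ "$1" = "demo" ]; then d=$(make_sample_cert); cert="$d/cert.pem"
    else cert="$1"; fi
    echo "CRL Distribution Points:"; crl_distribution_points "$cert"
    echo "OCSP responders:";        ocsp_responders "$cert"
    [ "$1" = "demo" ] && rm -rf "$d"
fi
```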
Configure PAM to Automatically Download the Latest CRL
Use this procedure if your CA directs you to periodically download its latest CRL from a CRL Distribution Point.
Follow these steps:
- On the Configuration, Security, Certificates page, select the CRL Options tab.
- For Type, select "Use CRL."
- For CRL Type, select "Automatically Download CRLs."
- In the URLs text box, enter one or more URLs for CRL servers, one per line.
- For Time, select a frequency for checking the CRL server.
Configure PAM to Query An OCSP Server For Revoked Certificates
Use this procedure if your CA directs you to query an OCSP server for revoked certificates.
Follow these steps:
- On the Configuration, Security, Certificates page, select the CRL Options tab.
- For Type, select "Use OCSP."
- All other options are disabled. The appliance automatically contacts the OCSP server regarding the specific certificate when it is used.
The When Revocation Information is Unavailable option is available whether you download CRLs automatically, manually, or you use OCSP. To use When Revocation Information is Unavailable, select an option from the drop-down list to determine whether a user with the certificate has access to PAM. The default is Allow User Access. With this mode, a user with the certificate is allowed access to PAM even though the revocation information that is related to that certificate is unavailable or not accessible. The other mode is Deny User Access. This mode denies access to PAM when revocation information is unavailable or not accessible.
The following table describes different conditions and the behavior that is associated with them when the "Allow User Access" or "Deny User Access" option is selected:
Condition | Deny User Access (Security Safe Mode) | Allow User Access (Operationally Safe Mode) | Comments |
--- | --- | --- | --- |
Expired certificate | N/A | N/A | Authentication fails. |
Self-signed V3 X.509 certificate | N/A | N/A | Authentication fails, as self-signed certificates are no longer supported. |
Expired CA | N/A | N/A | Authentication fails. |
Revoked CA | N/A | N/A | Authentication fails. |
CRL present, but the list is empty. | N/A | N/A | Authentication succeeds, as there is nothing to revoke. |
No CRL present for the issuer of the certificate. | Certificate authentication fails. A CRL must be present; it may have an empty revocation list. | Certificate authentication succeeds. | |
CRL expired for the issuer of the certificate. | Certificate authentication fails immediately. No checks are made to determine whether the certificate is in the revocation list. | Certificate authentication proceeds and checks are made to determine whether the certificate is in the revocation list. If it is found in the list, certificate authentication fails; otherwise it succeeds. | |
Automatic CRL download fails. | Certificate authentication fails for the URLs that failed to download, as the CRLs associated with the failed URL are cleaned up. (Equivalent to the "No CRL present for the issuer of the certificate" condition.) | Certificate authentication succeeds or fails, depending on the already existing CRL information. If the automatic download fails, no CRLs are cleaned up. | |
No OCSP URI information available in the certificate. | Certificate authentication fails. OCSP URI information must be present in the certificate and in all the certificates in the certificate chain. | Certificate authentication succeeds. | |
Cannot connect to OCSP URI. | Certificate authentication fails. | Certificate authentication succeeds. | |
View CRL Information
To view CRL information, select the Certificate Revocation List tab on the Configuration, Security, Certificates page.
This option only appears if smartcard authentication is enabled for use with CRLs.
When populated with CRLs, the Certificate Revocation List tab displays the following fields for each certificate:
- Issuer
- Next Update (or a note that it has expired)
- Status: S = Stable, P = Processing, D = Downloading, I = Initial, F = Fail
- File Name (if applicable)
- Distribution Point (optional)
- Fail Reason: If a CRL failure produces an error message, it is shown here. For example: "There is an invalid CRL file: filename"