Certificate Revocation Update Options

This content describes how to configure PAM to regularly check that SSL certificates are still valid.
Certificate Authorities revoke SSL certificates when they detect an issue with the associated identity or that the certificate key has been compromised. The CA then publishes that information so that certificate users can stop using those revoked certificates.
This content describes how to configure PAM to regularly check that its security certificate is still valid using one of the following methods:
  • Regularly downloading the latest Certificate Revocation List (CRL): Some CAs provide CRL Distribution Points from which you can periodically download the latest list of certificates that have been revoked.
  • Querying an Online Certificate Status Protocol (OCSP) server (or responder): OCSP is a dynamic alternative to CRLs. OCSP enables an application or browser to query the Certificate Authority for the revocation status of a certificate each time a connection is established.
If your certificate is revoked, request a new certificate from the CA and apply it to all of your PAM servers.
Obtain CRL Distribution Point and OCSP Server Information From a Certificate
If necessary, use this procedure to obtain CRL Distribution Point or OCSP server information from the certificate properties.
Obtain Information From a Certificate on Windows
Follow these steps:
  1. In Windows Explorer, navigate to the certificate file and open it. A Certificate dialog opens.
  2. Select the Details tab.
  3. To find details of available CRL Distribution Points, select the corresponding entry in the top list and take note of the URL or URLs in the lower panel.
  4. To find out if the CA provides an OCSP server, do the following steps:
    1. Select the Authority Information Access entry in the top panel.
    2. Note whether a URL is provided in the lower panel. You do not need to copy the URL.
Obtain Information From a Certificate on UNIX
To obtain information from a certificate on a UNIX system, enter the following command, where certificate_file.cer is the certificate file:
    openssl x509 -in certificate_file.cer -text -noout
Look for the "X509v3 CRL Distribution Points" and "Authority Information Access" extensions in the output; the OCSP URL, if the CA provides one, is listed under Authority Information Access. If the file is DER-encoded rather than PEM (common for .cer files exported from Windows), add -inform DER to the command.
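As an added example (not part of this documentation or of the product), the following Python script pulls the same two pieces of information out of the text output of the openssl command above, so the check can be scripted across the certificates of many PAM servers. The certificate text is a constructed sample and the hostnames in it are placeholders.

```python
import re

# Constructed sample of "openssl x509 -text -noout" output (not a real certificate);
# only the fields this procedure cares about are included, hostnames are placeholders.
SAMPLE_TEXT = """\
Certificate:
        Issuer: CN = Example Issuing CA
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/issuing.crl
                Full Name:
                  URI:ldap://ldap.example.test/cn=issuing-crl

            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://www.example.test/issuing.cer

            X509v3 Key Usage: critical
"""

def _extension_body(text, title):
    """Return the indented body of the extension block starting with `title`, or '' if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(title):
            indent = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                # the block ends at the next non-blank line indented no deeper than the title
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt)
            return "\n".join(body)
    return ""

def crl_distribution_points(text):
    """Every URI listed under 'X509v3 CRL Distribution Points' (step 3 of the Windows procedure)."""
    return re.findall(r"URI:(\S+)", _extension_body(text, "X509v3 CRL Distribution Points"))

def ocsp_responders(text):
    """OCSP URIs from 'Authority Information Access'; 'CA Issuers' entries are deliberately skipped."""
    return re.findall(r"OCSP - URI:(\S+)", _extension_body(text, "Authority Information Access"))

if __name__ == "__main__":
    # Real use: openssl x509 -in certificate_file.cer -text -noout > cert.txt, then pass that text.
    print("CRL distribution points:", crl_distribution_points(SAMPLE_TEXT))
    print("OCSP responder(s):", ocsp_responders(SAMPLE_TEXT))
```

An empty result from ocsp_responders means the certificate carries no OCSP URI, which is exactly the condition the table under "Configure What to Do If Certificate Revocation Information Is Unavailable" treats as a failure in Deny User Access mode.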
Configure PAM to Automatically Download the Latest CRL
Use this procedure if your CA directs you to periodically download its latest CRL from a CRL Distribution Point.
Follow these steps:
  1. On the Configuration, Security, Certificates page, select the CRL Options tab.
  2. For Type, select "Use CRL."
  3. For CRL Type, select "Automatically Download CRLs."
  4. In the URLs text box, enter one or more URLs for CRL servers, one per line.
  5. For Time, select a frequency for checking the CRL server.
Configure PAM to Query An OCSP Server For Revoked Certificates
Use this procedure if your CA directs you to query an OCSP server for revoked certificates.
Follow these steps:
  1. On the Configuration, Security, Certificates page, select the CRL Options tab.
  2. For Type, select "Use OCSP."
  3. All other options are disabled. The appliance automatically contacts the OCSP server regarding the specific certificate when it is used.
Configure What to Do If Certificate Revocation Information Is Unavailable
The "When Revocation Information is Unavailable" option is available whether you download CRLs automatically or manually, or use OCSP.
To use "When Revocation Information is Unavailable", select an option from the drop-down list to determine whether a user with the certificate has access to PAM. The default is "Allow User Access". In this mode, a user with the certificate is allowed access to PAM even though the revocation information that is related to that certificate is unavailable or not accessible. The other mode is "Deny User Access". This mode denies access to PAM when revocation information is unavailable or not accessible.
The following list describes different conditions and the behavior that is associated with each when the "Allow User Access" or "Deny User Access" option is selected. "Deny" is the Deny User Access (Security Safe Mode) column and "Allow" is the Allow User Access (Operationally Safe Mode) column of the original table.
  • Expired Certificate
    Deny: N/A
    Allow: N/A
    Comments: Authentication fails.
  • Self-Signed V3 X509 Certificate
    Deny: N/A
    Allow: N/A
    Comments: Authentication fails as Self-Signed Certificates are no longer supported.
  • Expired CA
    Deny: N/A
    Allow: N/A
    Comments: Authentication fails.
  • Revoked CA
    Deny: N/A
    Allow: N/A
    Comments: Authentication fails.
  • CRL present, but the list is empty.
    Deny: N/A
    Allow: N/A
    Comments: Authentication succeeds as there is nothing to revoke.
  • No CRL present for the issuer of the certificate.
    Deny: Certificate authentication fails. A CRL must be present; it can have an empty revocation list.
    Allow: Certificate authentication succeeds.
  • CRL expired for the issuer of the certificate.
    Deny: Certificate authentication fails immediately. No checks are made to determine if the certificate is in the revocation list.
    Allow: Certificate authentication proceeds and checks are made to determine if the certificate is in the revocation list. If it is found in the list, certificate authentication fails; otherwise it succeeds.
  • Automatic CRL download fails.
    Deny: Certificate authentication fails for the URLs that failed to download, because CRLs associated with the URL that failed are cleaned up. (Equivalent to the "No CRL present for the issuer of the certificate" condition.)
    Allow: Certificate authentication succeeds or fails, depending on the already existing CRL information. If the automatic download fails, no CRLs are cleaned up.
  • No OCSP URI information available in the certificate.
    Deny: Certificate authentication fails. OCSP URI information must be present in the certificate and in all the certificates in the certificate chain.
    Allow: Certificate authentication succeeds.
  • Cannot connect to OCSP URI.
    Deny: Certificate authentication fails.
    Allow: Certificate authentication succeeds.
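As an added illustration (not PAM's own code), the following Python model encodes the CRL and OCSP rows of the table above so the fail-closed versus fail-open difference between the two modes can be exercised against constructed inputs. CrlState, the serial numbers and the responder status values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

DENY = "Deny User Access"    # Security Safe Mode: fail closed
ALLOW = "Allow User Access"  # Operationally Safe Mode: fail open

@dataclass(frozen=True)
class CrlState:
    """Constructed model of what the appliance holds for one issuer (not PAM's own data)."""
    present: bool                    # False = "No CRL present for the issuer"
    next_update: Optional[datetime]  # in the past = "CRL expired for the issuer"
    revoked: FrozenSet[int]          # serial numbers listed in the CRL (may be empty)

def crl_decision(mode: str, serial: int, crl: CrlState, now: datetime):
    """Return (access_allowed, reason) for one certificate under the CRL rows of the table."""
    if not crl.present:
        return (mode == ALLOW, "no CRL for issuer")
    if crl.next_update is not None and crl.next_update < now:
        if mode == DENY:
            return (False, "CRL expired; list not consulted")
        # ALLOW mode still consults the stale list before letting the user in
        if serial in crl.revoked:
            return (False, "revoked (stale CRL)")
        return (True, "not revoked (stale CRL)")
    if serial in crl.revoked:
        return (False, "revoked")
    return (True, "not revoked")  # an empty list lands here: nothing to revoke

def ocsp_decision(mode: str, ocsp_uri: Optional[str], responder_status: Optional[str]):
    """OCSP rows: responder_status is 'good', 'revoked', or None when the URI is unreachable."""
    if ocsp_uri is None:
        return (mode == ALLOW, "no OCSP URI in certificate")
    if responder_status is None:
        return (mode == ALLOW, "cannot connect to OCSP URI")
    return (responder_status == "good", "responder reports " + responder_status)

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    stale = CrlState(True, datetime(2024, 5, 1, tzinfo=timezone.utc), frozenset({0x1234}))
    for mode in (DENY, ALLOW):
        print(mode, crl_decision(mode, 0x1234, stale, now), crl_decision(mode, 0x99, stale, now))
        print(mode, ocsp_decision(mode, "http://ocsp.example.test", None))
```

The stale-CRL case is the one worth noticing: in Allow mode a certificate that was revoked after the CRL's nextUpdate passed is still admitted, which is the operational trade-off the default setting makes.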
View CRL Information
To view configured Certificate Revocation List (CRL) files and their associated status, select the Certificate Revocation List tab on the Configuration, Security, Certificates page.
This option only appears if smartcard authentication is enabled for use with CRLs.
When populated with CRLs, the Certificate Revocation List tab displays the following fields for each certificate:
  • Issuer
  • Next Update (or a note of when it expired)
  • Status: S = Stable, P = Processing, D = Downloading, I = Initial, F = Fail
  • File Name (if applicable)
  • Distribution Point (optional)
  • Fail Reason: If a CRL failure produces an error message, it is shown here. For example: "There is an invalid CRL file: filename"