Certificate Revocation Update Options
This content describes how to configure PAM to regularly check that SSL certificates are still valid.
Certificate Authorities revoke SSL certificates when they detect an issue with the associated identity or that the certificate key has been compromised. The CA then publishes that information so that certificate users can stop using those revoked certificates.
This content describes how to configure PAM to regularly check that its security certificate is still valid using one of the following methods:
- Regularly downloading the latest Certificate Revocation List (CRL): Some CAs provide CRL Distribution Points from which you can periodically download the latest list of certificates that have been revoked.
- Querying an Online Certificate Status Protocol (OCSP) server (or responder): OCSP is a dynamic alternative to CRLs. OCSP enables an application or browser to query the Certificate Authority for the revocation status of a certificate each time a connection is established.
If your certificate is revoked, request a new certificate from the CA and apply it to all of your PAM servers.
Obtain CRL Distribution Point and OCSP Server Information From a Certificate
If necessary, use this procedure to obtain CRL Distribution Point or OCSP server information from the Certificate properties.
Obtain Information From a Certificate on Windows
Follow these steps:
- In Windows Explorer, navigate to the certificate file and open it. A Certificate dialog opens.
- Select the Details tab.
- To find details of available CRL Distribution Points, select the corresponding entry in the top list and take note of the URL or URLs in the lower panel.
- To find out if the CA provides an OCSP server, do the following steps:
  - Select the Authority Information Access entry in the top panel.
  - Note whether a URL is provided in the lower panel. You do not need to copy the URL.
Obtain Information From a Certificate on UNIX
To obtain the same information from a certificate on a UNIX system, enter the following command and look for the X509v3 CRL Distribution Points and Authority Information Access (OCSP) extensions in the output:
openssl x509 -in certificate_file.cer -text -noout
If the certificate file is DER-encoded rather than PEM, add -inform DER to the command.
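As an added, self-contained illustration of that procedure (not part of the PAM documentation), the following POSIX shell script builds a throwaway self-signed test certificate that carries a CRL Distribution Point and an OCSP URL (constructed example values under example.test) and then pulls both URLs out of the openssl x509 -text output, which is what you would read by eye on a real CA-issued certificate. The function names make_test_cert, crl_urls and ocsp_urls are chosen for this example, and the script assumes OpenSSL 1.1.1 or later (needed for the -addext option used to build the test certificate).

```shell
#!/bin/sh
# Added example, not from the PAM documentation: create a test certificate
# with revocation-checking extensions, then extract the CRL Distribution
# Point and OCSP responder URLs from `openssl x509 -text` output.
set -eu

# Constructed sample URLs; on a real certificate these come from the CA.
CRL_URL="http://crl.example.test/ca.crl"
OCSP_URL="http://ocsp.example.test"

# make_test_cert DIR: writes DIR/cert.pem (and DIR/key.pem) for a
# self-signed certificate carrying both extensions. Requires OpenSSL >= 1.1.1.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pam-revocation-test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -addext "crlDistributionPoints=URI:$CRL_URL" \
        -addext "authorityInfoAccess=OCSP;URI:$OCSP_URL" >/dev/null 2>&1
}

# crl_urls CERT: prints one CRL Distribution Point URI per line.
# The awk state machine stays inside the "X509v3 CRL Distribution Points"
# section until the next extension header (or the signature block) begins.
crl_urls() {
    openssl x509 -in "$1" -noout -text |
    awk '/CRL Distribution Points/ { sec = 1; next }
         /^ *X509v3 |^ *Authority Information Access|^ *Signature/ { sec = 0 }
         sec && match($0, /URI:[^ ,]+/) { print substr($0, RSTART + 4, RLENGTH - 4) }'
}

# ocsp_urls CERT: prints one OCSP responder URI per line, taken from the
# "OCSP - URI:" entries of the Authority Information Access extension.
ocsp_urls() {
    openssl x509 -in "$1" -noout -text |
    awk 'match($0, /OCSP - URI:[^ ,]+/) { print substr($0, RSTART + 11, RLENGTH - 11) }'
}

# Demo entry point: `sh this_script.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir"
    echo "CRL Distribution Points:"; crl_urls "$dir/cert.pem"
    echo "OCSP responders:";         ocsp_urls "$dir/cert.pem"
    rm -rf "$dir"
fi
```

Point crl_urls and ocsp_urls at your own PAM server certificate (converted to PEM if necessary) to get the exact URLs to enter on the CRL Options tab, or to confirm that the CA offers an OCSP responder at all.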
Configure PAM to Automatically Download the Latest CRL
Use this procedure if your CA directs you to periodically download its latest CRL from a CRL Distribution Point.
Follow these steps:
- On the Configuration, Security, Certificates page, select the CRL Options tab.
- For Type, select "Use CRL."
- For CRL Type, select "Automatically Download CRLs."
- In the URLs text box, enter one or more URLs for CRL servers, one per line.
- For Time, select a frequency for checking the CRL server.
Configure PAM to Query An OCSP Server For Revoked Certificates
Use this procedure if your CA directs you to query an OCSP server for revoked certificates.
Follow these steps:
- On the Configuration, Security, Certificates page, select the CRL Options tab.
- For Type, select "Use OCSP."
- All other options are disabled. The appliance automatically contacts the OCSP server regarding the specific certificate when it is used.
View CRL Information
To view configured Certificate Revocation List (CRL) files and their associated status, select the Certificate Revocation List tab on the Configuration, Security, Certificates page.
This option only appears if smartcard authentication is enabled for use with CRLs.
When populated with CRLs, the Certificate Revocation List tab displays the following fields for each certificate:
- Issuer
- Next Update (or a note that it expired)
- Status: S = Stable, P = Processing, D = Downloading, I = Initial, F = Fail
- File Name (if applicable)
- Distribution Point (optional)
- Fail Reason: If a CRL failure produces an error message, it is shown here. For example: There is an invalid CRL file: filename