Certificate Validation for X.509 Client Certificate Authentication

Certificate validation is an optional feature for X.509 client certificate authentication.
The Policy Server can confirm whether a user certificate is valid using the following methods:
  • Certificate Revocation List (CRL) checking
    The Policy Server can use CRLs to determine whether a certificate is revoked. In the Administrative UI, you can specify a path to a CRL directory or you can select CRL Distribution Points (CDPs) to locate CRLs. The X.509 authentication schemes use an independent LDAP directory to store CRLs. 
  • Online Certificate Status Protocol (OCSP) checking
    The Policy Server sends a request to an OCSP responder regarding a single user. The OCSP responder determines the revocation status of the user certificate and sends back the response.
The X.509 authentication schemes do not use the certificate data store (CDS) for certificate validation. In the Administrative UI, ignore the X509 Certificate Management option in the Infrastructure section. The UI option configures only the CDS. Managing certificate revocation using the UI is described in Key and Certificate Management.
The Policy Server determines which certificate validation method it uses as follows:
  • If you configure only CRL checking, the Policy Server uses CRLs.
  • If you configure only OCSP, the Policy Server uses OCSP.
  • If you configure CRL checking and OCSP with failover enabled, the Policy Server uses the designated primary validation method first (CRL or OCSP). If the primary validation method fails, the secondary method is used. For the next request, the Policy Server reverts to the primary method.
The Policy Server regards the first revoked response that it obtains as definitive. The Policy Server does not request subsequent CRLs or OCSP responses after the first valid response. In addition, the Policy Server does not aggregate the results of CRL and OCSP validation to determine the comprehensive status of the user certificate.
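The selection and failover rules above, modelled as an added Python example (this is illustrative code, not Policy Server code; the method names, the Status enum and the placeholder certificate bytes are this example's own assumptions):

```python
from enum import Enum
from typing import Callable, Optional, Tuple

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"

# A validation method takes the certificate and returns a Status, or raises
# when it cannot produce an answer (CRL directory unreachable, OCSP responder
# timeout, and so on). These names are this example's own, not a Policy Server API.
Method = Callable[[bytes], Status]

def validate_certificate(cert: bytes, primary: Method,
                         secondary: Optional[Method] = None,
                         failover: bool = False) -> Tuple[Status, str]:
    """Apply the selection rules from the text and return (status, method used).

    The function keeps no state between calls, so every request starts again
    with the primary method, matching the 'reverts to the primary' rule.
    The first answer, good or revoked, is definitive: the other method is only
    consulted when the primary raises and failover is enabled, never to
    second-guess or combine results.
    """
    try:
        return primary(cert), "primary"
    except Exception:
        if not (failover and secondary is not None):
            raise  # only one method configured, or failover disabled
        return secondary(cert), "secondary"

# Constructed stand-ins for the two methods; a real deployment would look
# up the serial number in a CRL or query an OCSP responder here.
def crl_good(cert: bytes) -> Status:
    return Status.GOOD

def ocsp_revoked(cert: bytes) -> Status:
    return Status.REVOKED

def crl_unreachable(cert: bytes) -> Status:
    raise ConnectionError("CRL distribution point unreachable")

# Constructed placeholder, not a real DER-encoded certificate.
SAMPLE_CERT = b"--constructed placeholder certificate--"

if __name__ == "__main__":
    # CRL answers 'good' first, so OCSP's 'revoked' is never requested.
    print(validate_certificate(SAMPLE_CERT, crl_good, ocsp_revoked, failover=True))
    # CRL lookup fails, failover is on, so OCSP's answer is used instead.
    print(validate_certificate(SAMPLE_CERT, crl_unreachable, ocsp_revoked, failover=True))
```

The first call shows the no-aggregation rule: a 'good' CRL result ends the check even though the OCSP responder would have reported the certificate as revoked, which is why the primary source must be kept current.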
Prerequisites for Implementing Validity Checking
To validate a user certificate, configure an X.509 client certificate authentication scheme to authenticate a user when they request a protected resource.
Review the instructions for setting up an X.509 client certificate authentication scheme.
The instructions for configuring CRLs and OCSP are described in the sections that follow.