CA API Gateway 9.1

9.4 9.1

Certificate Validation Cluster Properties

The following cluster properties configure the settings used in the Manage Certificate Validations task and for expiration checking.
gateway92
The following cluster properties configure the settings used in the Manage Certificate Validations task and for expiration checking.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
Property
Description
pkix.crl.cacheExpiryAge
Expiration time for LDAP and HTTP caches used by Certificate Revocation Lists (CRL) . Value is a time unit.
Default:
5m
 
pkix.crl.defaultExpiryAge
Expiration time for Certificate Revocation Lists (CRL) if the CRL does not have one. The expiry age refreshes the list. Value is a time unit.
Default:
1h
pkix.crl.maxExpiryAge
Maximum expiration time for a Certificate Revocation List (CRL). This value is used if the CRL's expiry age is greater than what is defined by this cluster property. Value is a time unit.
Default:
7d
  
pkix.crl.maxSize
Maximum size for a Certificate Revocation List (CRL). A value of zero indicates unlimited size.
Default:
1048576
pkix.crl.minExpiryAge
Minimum expiration time for a CRL. This value is used if the CRL's expiration is less than what is defined by this cluster property. Value is a time unit.
Default:
1h 
 
If the minimum expiration time is used, the
API Gateway
 may be using a stale CRL.
pkix.crl.invalidateCrlCacheOnNextUpdate
Invalidates the Certificate Revocation List on next update time that is embedded in the CRL. Value is a Boolean.
Default:
false
pkix.csr.defaultExpiryAge
Certificate expiration time on the CSR server. Used for internal users without a configured expiry time, or for certificates issued for LDAP users.
Default:
730
(days)
pkix.keyUsage
Controls X.509 key usage. Values are:
  • IGNORE
    : Accepts and uses certificates for purposes other than for what they were designated to be used.
  • ENFORCE
    : Uses certificates only for their stated purposes, as described in the "Key usage" and "Ext. key usage" sections in the [
    Details
    ] tab of a certificate's properties. For details, see "Certificate Expiration Notification" in Manage Certificates. If a certificate does not contain key usage or extended key usage information marked as critical, the certificate is treated as if all possible usages are enabled (the same as the 'IGNORE' setting).
Default:
ENFORCE
Requires a
API Gateway
 restart for changes to take effect.
pkix.keyUsagePolicy
Overrides the default key usage policy. A long XML string defining a key usage enforcement policy. For details, see "Recognized Action Names" in Key Usage Enforcement Policy.
Default: <empty> (system default policy is used)
pkix.ocsp.defaultExpiryAge
Cache time for Online Certificate Status Protocol (OCSP) responses. Specifies how long an OCSP response is retained for an individual certificate validation attempt before discarding it and retrieving a new one. Value is a time unit.
Default:
1m 
(used if the OCSP response does not include its own expiry age)
pkix.ocsp.maxExpiryAge
Maximum expiration for a cached OCSP response. Used if the OCSP response's expiration is greater than what is defined by this cluster property. Value is a time unit.
Default:
15m 
pkix.ocsp.minExpiryAge
Minimum expiration for a cached OCSP response. Used if the OCSP response's expiration is less than what is defined by this cluster property. Value is a time unit.
Default:
1s 
pkix.ocsp.useNonce
Controls whether to include a nonce in the OCSP requests to protect against replay attacks. Value is a Boolean.
Default:
true
Set this property to "false" if the OCSP checking server does not support Nonce. To verify that Nonce is supported, look for the "id-pkix-ocsp-nonce" field in the extensions section of the OCSP request and response.
pkix.permittedCriticalExtensions
Extensions for validating certificates. The value is a list of entity IDs, separated by spaces.
Default: <empty>
pkix.validation.identityProvider
Validation method for identity provider certificates. You can also set this property using Manage Certificate Validation.
  • validate
     = Validate that the certificate is valid and trusted.
  • validatepath
     = Validate that the certificate path is valid to a trust anchor.
  • revocation
     = Validate the certificate path and perform a revocation check using the revocation checking policies.
Default:
validate
pkix.validation.other
Validation method for all certificates except for identity provider and routing. You can also set this property using Manage Certificate Validation. See
pkix.validation.identityProvider
 for a description of each setting.
Default:
validate
pkix.validation.routing
Validation method for certificates used by the server for routing (i.e., HTTPS, FTPS). You can also set this property using Manage Certificate Validation. See
pkix.validation.identityProvider
 for a description of each setting.
Default:
validate
services.
certificateDiscoveryEnabled
Discovers the
API Gateway
 SSL certification without user intervention.
API Gateway
 - XML VPN Clients send requests to this Gateway. Value is a Boolean.
  • true
     = Automatic certificate discovery is enabled, without user intervention required.
  • false
     = Automatic certificate discovery is disabled. The following must be done:
    • XML VPN Client running as an application
      : When the
      API Gateway
       - XML VPN Client attempts to trust a server certificate for the first time, a confirmation dialog is displayed, and you must explicitly accept or reject the certificate.
    • XML VPN Client running as a service
      : Manually configure the server certificate for the XML VPN Client using one of the following methods:
      • If the server certificate is established, manually trust it using the "discover" Gateway command.
      • If the server certificate is not established, manually import it using the "import" Gateway command.
Default:
true
See also the related 
admin.certificateDiscoveryEnabled
cluster property.
Enable the "Policy download service" so the port for server certificate discovery works.
trustedCert.expiryCheckPeriod
Time to wait between successive trusted certificate expiry checks. Value is a time unit. For details, see "Certificate Expiration Notification" under Manage Certificates.
Default:
12h
trustedCert.expiryFineAge
Time before the Gateway logs a FINE audit event for a trusted certificate. Value is a time unit.
Default:
30d 
trustedCert.expiryInfoAge
Time before the Gateway logs an INFO audit event for a trusted certificate. Value is a time unit.
Default:
7d
 
trustedCert.expiryWarningAge
Time before the Gateway logs a WARNING audit event for a trusted certificate. Value is a time unit.
Default:
2d
 

Content feedback and comments