Certificate Revocation Checking Properties

The Certificate Revocation Checking Properties dialog is used to define the individual steps in the revocation checking policy. A revocation checking policy describes how the API Gateway determines whether a certificate is revoked. These policies are maintained using the Manage Certificate Validation.
Define the following for each step:
  • Select the revocation checking method to be used (either CRL or OCSP)
  • Specify the URL or URI to use during checking (either a fixed URL, or a URL extracted from the certificate and restricted by a regular expression)
  • Indicate which certificates are permitted to sign the CRL or OCSP response
To edit the certificate revocation checking properties:
  1. Open the Edit Revocation Checking Policy dialog.
  2. Do one of the following:
    • Click [Add] to add a new step to the policy, or
    • Select an existing step and click [Properties] to modify it. The Edit Certificate Revocation Checking Properties dialog appears.
  3. Configure the properties as follows:
Type
  From the drop-down list, select how the certificate revocation status should be determined:
    • CRL from certificate URL: Use the Certificate Revocation List (CRL) located at a URL that is extracted from the certificate. Use the URL Regex field to restrict the URL to a particular type or host.
    • CRL from URL: Use the CRL located at the URL entered in the URL field.
    • OCSP from certificate URL: Use the Online Certificate Status Protocol (OCSP) responder located at a URL that is extracted from the certificate. Use the URL Regex field to restrict the URL (for example, to a particular host).
    • OCSP from URL: Use the OCSP responder located at the URL entered in the URL field.
URL
  If the CRL from URL or OCSP from URL option was selected, enter the URL. If HTTP options are defined for this URL, they apply here. For more information, see Manage HTTP Options.
URL Regex
  If the CRL from certificate URL or OCSP from certificate URL option was selected, enter a regular expression that restricts the URL. The default URL Regex “.*” accepts all URLs.
Signer
  In this section, define the certificates that are permitted to sign the CRL or OCSP response:
    • Allow issuer signature: Select this check box to permit the entity that issued the certificate to sign the CRL or OCSP response. If you do not wish to give blanket permission this way, leave this check box unselected and manually add the permitted certificates to the table below.
  In the table, optionally define a list of permitted certificates. You can use this table regardless of the Allow issuer signature check box. For example:
    • You elect not to automatically allow all issuers' signatures. Define the permitted certificates in the table.
    • You wish to permit certificates where the signing entity differs from the issuing entity. In this case, select both the Allow issuer signature check box and define a list of permitted certificates.
  Define the list of permitted certificates by using the following controls:
    • To add a certificate, click [Add] and then use the Search Trusted Certificates dialog to locate the certificate. If you cannot find the certificate you want, use the [Create] option to add it.
    • To remove a certificate from the list, select it and then click [Remove].
    • To view details about a certificate, select it and then click [Properties]. The certificate properties are displayed. For more information, see Edit a Certificate.
    • To add a new certificate to the trust store, click [Create] and then complete the wizard. For more information, see Add Certificate Wizard.