Edit a Revocation Checking Policy
A revocation checking policy defines the strategies used by the CA API Gateway to determine whether a certificate has been revoked. A policy can check the certificate's revocation status by using any combination of the following strategies:
- Consulting a Certificate Revocation List (CRL) at a URL extracted from the certificate.
- Consulting a CRL at a fixed URL.
- Using Online Certificate Status Protocol (OCSP), using a URL extracted from the certificate.
- Using OCSP against an OCSP responder at a fixed URL.
You can create any number of revocation checking policies. You can link a specific revocation checking policy to a certificate.
To add or edit a revocation checking policy:
- Run the Manage Certificates task.
- Click Certificate Validation.
- In the Manage Certificate Validation dialog, do one of the following:
- Click [Add] to create a new revocation checking policy, or
- Select an existing revocation checking policy and click [Properties] to modify it. The Certificate Revocation Checking Properties appear.
- Configure the dialog as follows:

Name
Enter a name that describes the revocation checking policy.
It is not necessary to include the word "default" in the name if you are creating a default policy. Setting the Use as default revocation checking policy option does this for you.

Policy
Construct the policy using the following controls. You must add at least one step.
- To add a new step to the policy, click [Add] and then complete the Edit a Revocation Checking Policy dialog.
- To remove a step from the list, select it and then click [Remove].
- To edit a step, select it and then click [Properties].
- To change the order of the steps, select a step and click either [Move Up] or [Move Down].
The Gateway traverses each step in the order listed until it receives an authoritative response.

Continue processing if server is unavailable
This option lets you control how the Gateway responds if the CRL or OCSP responder is not available.
- Select this check box to check the cache for the CRL or OCSP response.
  - If a cached value is found, that value is used.
  - If a cached value is not found, then the certificate is permitted only if the Succeed if revocation status unknown option is selected; otherwise it is treated as revoked.
- Clear the check box to always revoke a certificate if the server is unavailable.

Succeed if revocation status unknown
This option determines what happens if all the steps in the policy are exhausted and the status is still undetermined:
- Select this check box to permit use of the certificate even if its revocation status could not be determined.
- Clear this check box to prevent use of the certificate if its revocation status could not be determined.
A certificate's revocation status is undetermined if the CRL does not cover the certificate in question, or if the OCSP responder is not authoritative for the certificate. It is also undetermined if the policy is configured to use the URL in a certificate but the certificate has no URL, or if the URL does not match the configured pattern.

Use as default revocation checking policy
This option designates a policy as the default revocation checking policy. The default policy is used for all certificates except trusted certificates that specify their own policy or that disable revocation checking.
- Select this check box to make the current policy the default. The Policy Manager adds "[Default]" to the name of the policy.
- Clear the check box to remove the default status from the current policy.
IMPORTANT: If you do not designate another policy as the default, then all certificates that rely on the 'Default' policy always fail the revocation check.

Security Zone
Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone." For more information about security zones, see Understanding Security Zones.
This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).

- Click [OK] when done.
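To make the decision rules from the dialog concrete (ordered steps until an authoritative answer, the cache fallback when a server is unavailable, and the final "succeed if unknown" decision), here is an added Python model of that logic. It is not the Gateway's own code; the step functions, the cache and the (issuer, serial) certificate tuples are constructed stand-ins for real CRL downloads and OCSP queries.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Status(Enum):
    GOOD = "good"                # authoritative: not revoked
    REVOKED = "revoked"          # authoritative: revoked
    UNKNOWN = "unknown"          # step not authoritative for this certificate
    UNAVAILABLE = "unavailable"  # CRL or OCSP server could not be reached

Cert = Tuple[str, str]                 # (issuer, serial), constructed stand-in
Step = Callable[[Cert], Status]
Cache = Dict[Tuple[int, Cert], Status]  # keyed by (step index, certificate)

def evaluate_policy(cert: Cert, steps: List[Step], cache: Cache,
                    continue_if_unavailable: bool, succeed_if_unknown: bool) -> bool:
    """Return True if the certificate may be used, False if it is treated as revoked."""
    for i, step in enumerate(steps):
        status = step(cert)
        if status is Status.UNAVAILABLE:
            if not continue_if_unavailable:
                return False  # check box cleared: always revoke when the server is down
            cached = cache.get((i, cert))
            if cached is None:
                return succeed_if_unknown  # no cached response: second option decides
            status = cached  # cached value is used in place of the live response
        elif status in (Status.GOOD, Status.REVOKED):
            cache[(i, cert)] = status  # keep authoritative answers for a later outage
        if status is Status.GOOD:
            return True
        if status is Status.REVOKED:
            return False
        # UNKNOWN: this step is not authoritative, traverse to the next one
    return succeed_if_unknown  # all steps exhausted, status still undetermined

# Constructed sample data: which serials each issuer's CRL lists as revoked.
CRL_ENTRIES = {"cn=issuer-a": {"serial-0002"}}

def make_crl_step(issuer: str) -> Step:
    def step(cert: Cert) -> Status:
        if cert[0] != issuer:
            return Status.UNKNOWN  # CRL does not cover this certificate
        return Status.REVOKED if cert[1] in CRL_ENTRIES[issuer] else Status.GOOD
    return step

def make_ocsp_step(responder_up: bool, good_serials: set) -> Step:
    def step(cert: Cert) -> Status:
        if not responder_up:
            return Status.UNAVAILABLE
        return Status.GOOD if cert[1] in good_serials else Status.REVOKED
    return step
```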