Edit a Revocation Checking Policy
A revocation checking policy defines the strategies used by the API Gateway to determine whether a certificate has been revoked. A policy can contain any combination of the following strategies:
- Check the certificate's revocation status by consulting a Certificate Revocation List (CRL) at a URL extracted from the certificate.
- Check the certificate's revocation status by consulting a CRL at a fixed URL.
- Check the certificate's revocation status by using Online Certificate Status Protocol (OCSP), using a URL extracted from the certificate.
- Check the certificate's revocation status by using OCSP against an OCSP responder at a fixed URL.
You can create any number of revocation checking policies using the Manage Certificate Validation dialog. The appropriate policy is then associated with a certificate via the certificate's properties.
To add or edit a revocation checking policy:
- Open the Manage Certificate Validation dialog.
- Do one of the following:
- Click [Add] to create a new policy, or
- Select an existing revocation checking policy and click [Properties] to modify it. The Edit Revocation Checking Policy dialog appears.
- Configure the dialog as follows (each setting is described below):

Setting: Name
Enter a name that describes the revocation checking policy. It is not necessary to include the word "default" in the name if you are creating a default policy. Setting the Use as default revocation checking policy check box will do this for you.

Setting: Policy
Construct the policy using the following controls. At least one step must be created.
- To add a new step to the policy, click [Add] and then enter the details in the Edit Certificate Revocation Checking Properties dialog.
- To remove a step from the list, select it and then click [Remove].
- To edit a step, select it and then click [Properties]. Edit the details in the Edit Certificate Revocation Checking Properties dialog.
- To change the order of the steps, select a step and click either [Move Up] or [Move Down]. The API Gateway will go through each step in the order shown until an authoritative response is obtained.

Setting: Continue processing if server is unavailable
This check box lets you control how the API Gateway should respond if the CRL or OCSP responder is not available.
- Select this check box to check the cache for the CRL or OCSP response.
- If a cached value is found, that value is used.
- If a cached value is not found, then the certificate is permitted only if the Succeed if revocation status unknown check box is selected; otherwise it is revoked.
- Clear the check box to always revoke a certificate if the server is unavailable.

Setting: Succeed if revocation status unknown
This check box determines what will happen if all the steps in the policy are exhausted and the status is still undetermined:
- Select this check box to permit use of the certificate even if its revocation status could not be determined.
- Clear this check box to prevent use of the certificate if its revocation status could not be determined.
A certificate's revocation status is undetermined if the CRL does not cover the certificate in question, or if the OCSP responder is not authoritative for the certificate. A certificate's revocation status is also undetermined if the policy is configured to use the URL in a certificate but the certificate has no URL, or if the URL does not match the configured pattern.

Setting: Use as default revocation checking policy
This check box is used to designate a policy as the default revocation checking policy. This default policy is used for all certificates except for trusted certificates that specify their own policy or that disable policy checking. Policies designated as the default will have "[Default]" appended to the policy name.
- Select this check box to make the current policy the default.
- Clear the check box to remove the default status from the current policy. If you do not designate another policy as the default, then all certificates that rely on the 'Default' policy will always fail the revocation check.

Setting: Security Zone
Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone." For more information about security zones, see Understand Security Zones. This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).

- Click [OK] when done.
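The evaluation order the settings above describe (steps tried in sequence until an authoritative answer, the URL taken from the certificate and checked against a configured pattern, the cache consulted when a server is unavailable, and the final decision for a status that is still undetermined) is easier to reason about as code. The following Python model is an added example, not part of this documentation and not the API Gateway's own implementation; the `Step`, `RevocationPolicy` and `Certificate` types, the responder table and every URL and serial number in it are constructed for illustration, and it assumes that a step which cannot decide (no URL, pattern mismatch, uncovered certificate, or outage with an empty cache) simply falls through to the next step.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # CRL does not cover the cert, or the responder is not authoritative


class ServerUnavailable(Exception):
    """The CRL server or OCSP responder could not be reached."""


@dataclass
class Certificate:                       # hypothetical minimal view of a certificate
    serial: str
    crl_url: Optional[str] = None        # CRL distribution point carried in the certificate
    ocsp_url: Optional[str] = None       # OCSP responder URL carried in the certificate


@dataclass
class Step:                              # one row of the Policy list
    kind: str                            # "crl" or "ocsp"
    fixed_url: Optional[str] = None      # set for the fixed-URL strategies
    url_pattern: Optional[str] = None    # regex an extracted URL must match


@dataclass
class RevocationPolicy:
    steps: List[Step]
    continue_if_unavailable: bool        # "Continue processing if server is unavailable"
    succeed_if_unknown: bool             # "Succeed if revocation status unknown"


Responder = Callable[[str, str], Status]   # (url, serial) -> Status, or raises ServerUnavailable
Cache = Dict[Tuple[str, str], Status]      # (url, serial) -> last authoritative answer


def step_url(step: Step, cert: Certificate) -> Optional[str]:
    """Resolve the URL a step queries; None means this step cannot determine the status."""
    if step.fixed_url:
        return step.fixed_url
    url = cert.crl_url if step.kind == "crl" else cert.ocsp_url
    if url is None or (step.url_pattern and not re.fullmatch(step.url_pattern, url)):
        return None                      # no URL in the cert, or it fails the configured pattern
    return url


def evaluate(policy: RevocationPolicy, cert: Certificate, responder: Responder, cache: Cache) -> Status:
    """Walk the steps in order until one returns an authoritative GOOD or REVOKED."""
    for step in policy.steps:
        url = step_url(step, cert)
        if url is None:
            continue                     # undetermined by this step
        try:
            status = responder(url, cert.serial)
        except ServerUnavailable:
            if not policy.continue_if_unavailable:
                return Status.REVOKED    # box cleared: an unreachable server means revoked
            status = cache.get((url, cert.serial), Status.UNKNOWN)   # box set: use the cache
        if status is not Status.UNKNOWN:
            cache[(url, cert.serial)] = status   # keep authoritative answers for later outages
            return status
    return Status.GOOD if policy.succeed_if_unknown else Status.REVOKED   # steps exhausted


# Constructed responder data: a URL missing from the table behaves as an unreachable server.
CONSTRUCTED_RESPONSES = {
    "http://crl.example.test/ca.crl": {"1001": Status.REVOKED},   # CRL covers only serial 1001
    "http://ocsp.example.test/": {"1001": Status.REVOKED, "1002": Status.GOOD},
}


def fake_responder(url: str, serial: str) -> Status:
    if url not in CONSTRUCTED_RESPONSES:
        raise ServerUnavailable(url)
    return CONSTRUCTED_RESPONSES[url].get(serial, Status.UNKNOWN)


def demo() -> Dict[str, Status]:
    """Exercise each outcome described in the settings table with constructed inputs."""
    steps = [Step("crl", url_pattern=r"http://crl\.example\.test/.*"),   # CRL URL from the cert
             Step("ocsp", fixed_url="http://ocsp.example.test/")]        # OCSP at a fixed URL
    strict = RevocationPolicy(steps, continue_if_unavailable=True, succeed_if_unknown=False)
    lenient = RevocationPolicy(steps, continue_if_unavailable=True, succeed_if_unknown=True)
    no_fallback = RevocationPolicy(steps, continue_if_unavailable=False, succeed_if_unknown=False)
    crl = "http://crl.example.test/ca.crl"
    down = "http://crl.example.test/down.crl"    # matches the pattern but is unreachable
    return {
        "revoked_by_crl": evaluate(strict, Certificate("1001", crl_url=crl), fake_responder, {}),
        "uncovered_then_ocsp_good": evaluate(strict, Certificate("1002", crl_url=crl), fake_responder, {}),
        "no_url_strict": evaluate(strict, Certificate("1003"), fake_responder, {}),
        "no_url_lenient": evaluate(lenient, Certificate("1003"), fake_responder, {}),
        "down_no_fallback": evaluate(no_fallback, Certificate("1002", crl_url=down), fake_responder, {}),
        "down_empty_cache": evaluate(strict, Certificate("1002", crl_url=down), fake_responder, {}),
        "down_cached": evaluate(strict, Certificate("1002", crl_url=down), fake_responder,
                                {(down, "1002"): Status.REVOKED}),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status.value}")
```

The two cases worth comparing are `down_empty_cache` and `down_cached`: with the fallback box set, an outage on the CRL step is not fatal, but a stale cached REVOKED wins over a later OCSP step that would have said GOOD, because the cached answer counts as authoritative. Clearing "Succeed if revocation status unknown" is what turns a certificate with no usable URL (`no_url_strict`) into a hard failure rather than a silent pass.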