Certificate Validation/Revocation Checking
The CA API Gateway can validate certificates and can perform revocation checking (which is off by default). This is done using the Manage Certificate Validation dialog. You can specify how the Gateway validates certificates that are used in these areas:
- Identity Providers
- Routing
- General purpose
You can also enable revocation checking, where the Gateway checks a certificate's revocation status against a configured source (a CRL distribution point or an OCSP responder). To do this, you must create a revocation checking policy.
Revocation Checking Policies
If you choose "Revocation Checking" as the validation method for any of the certificate types, you must create a revocation checking policy. You can create separate policies that select the revocation source on different criteria, for example:
- the signing authority (issuing CA) certificate
- a CRL/OCSP URL taken from the certificate itself, selected by regular-expression matching on the URL
- a static CRL/OCSP URL entered manually
Ensure that you import and trust the certificates of the destination LDAPS and HTTPS servers and of the OCSP signing authority; revocation checking cannot succeed against a source whose certificate is not trusted. Also ensure that the firewall permits connections on the ports used by the CRL or OCSP protocol.
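The following is an added example, not part of the page or of the CA API Gateway product, that shows how the three policy criteria above (signing authority, URL regex, static URL) can be applied in order to pick a revocation source for a certificate, and how the trust caveat can be enforced by refusing an HTTPS/LDAPS source whose host is not in a trust list. The certificate fields, policy kinds, policy names and hosts are all constructed for the example; the Gateway's own internal names and evaluation order are not documented on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for the fields a validator reads from a certificate:
# issuer DN, CRL Distribution Points URLs and AIA OCSP URLs.
@dataclass
class CertInfo:
    subject: str
    issuer: str
    crl_urls: tuple = ()    # URLs from the CRL Distribution Points extension
    ocsp_urls: tuple = ()   # OCSP URLs from the Authority Information Access extension

# One revocation checking policy. The 'kind' values mirror the three criteria
# listed above; the field names are assumptions made for this example.
@dataclass
class RevocationPolicy:
    name: str
    kind: str       # "issuer", "url_regex" or "static_url"
    protocol: str   # "crl" or "ocsp"
    pattern: str    # issuer DN, regular expression, or the static URL itself

# Constructed trust list: hosts whose HTTPS/LDAPS certificates have been imported
# and trusted. A revocation source on any other such host is rejected (fail closed).
TRUSTED_HOSTS = {"ocsp.example-ca.test", "crl.example-ca.test"}

def _urls_for(cert, protocol):
    return cert.ocsp_urls if protocol == "ocsp" else cert.crl_urls

def select_revocation_source(cert, policies):
    """Return (policy name, protocol, url) for the first policy that applies.

    Policies are evaluated in order, so list a narrow issuer-specific policy
    before a broad static-URL fallback. Raises LookupError when nothing matches;
    treat that as a failed revocation check rather than skipping the check.
    """
    for p in policies:
        if p.kind == "issuer":
            if cert.issuer == p.pattern:
                for url in _urls_for(cert, p.protocol):
                    return (p.name, p.protocol, url)
        elif p.kind == "url_regex":
            for url in _urls_for(cert, p.protocol):
                if re.search(p.pattern, url):
                    return (p.name, p.protocol, url)
        elif p.kind == "static_url":
            return (p.name, p.protocol, p.pattern)
        else:
            raise ValueError(f"unknown policy kind: {p.kind!r}")
    raise LookupError(f"no revocation policy matches certificate {cert.subject!r}")

def destination_is_trusted(url, trusted_hosts=TRUSTED_HOSTS):
    """Only contact a TLS-protected CRL/OCSP endpoint whose certificate is trusted.

    Plain http:// and ldap:// fetches present no server certificate, so they pass
    this check; the CRL or OCSP response itself must still be signature-checked.
    """
    parts = urlparse(url)
    if parts.scheme in ("https", "ldaps"):
        return parts.hostname in trusted_hosts
    return parts.scheme in ("http", "ldap")

def resolve(cert, policies):
    """Pick the revocation source for cert and enforce the destination trust check."""
    name, protocol, url = select_revocation_source(cert, policies)
    if not destination_is_trusted(url):
        raise PermissionError(f"revocation source {url} is not a trusted destination")
    return name, protocol, url

# Constructed sample policies and certificates.
POLICIES = [
    RevocationPolicy("corp-ca-ocsp", "issuer", "ocsp", "CN=Corp Issuing CA,O=Example"),
    RevocationPolicy("partner-crl", "url_regex", "crl", r"^https://crl\.example-ca\.test/"),
    RevocationPolicy("fallback-crl", "static_url", "crl", "https://crl.example-ca.test/all.crl"),
]
CORP_CERT = CertInfo("CN=api.example", "CN=Corp Issuing CA,O=Example",
                     ocsp_urls=("https://ocsp.example-ca.test/",))
PARTNER_CERT = CertInfo("CN=partner", "CN=Partner CA",
                        crl_urls=("https://crl.example-ca.test/partner.crl",))
UNKNOWN_CERT = CertInfo("CN=other", "CN=Other CA",
                        crl_urls=("https://crl.untrusted.test/x.crl",))

if __name__ == "__main__":
    for cert in (CORP_CERT, PARTNER_CERT, UNKNOWN_CERT):
        print(cert.subject, "->", resolve(cert, POLICIES))
```

Note that UNKNOWN_CERT's own CRL URL points at a host that is not trusted; because the static-URL fallback policy is listed last, that certificate is still checked, but against the trusted fallback CRL rather than the URL it advertises.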
Overriding the Certificate Validation Option
For Identity Providers, you can override the certificate validation options in these two places:
- LDAP Identity Providers: In step 6, "Certificate Settings", of the LDAP Identity Provider Wizard, you can override the validation option for a specific provider in the Certificate Validation Options setting.
- Federated Identity Providers: In step 3, "Certificate Validation", of the Federated Identity Provider Wizard, you can override the validation option for a specific provider in the Certificate Validation Options setting.
Override the validation option only when necessary. Once an override is applied, later changes to the default validation option no longer affect the overridden providers; those providers keep the overridden setting until it is changed on the provider itself.