Federation Manager Guide › Key and Certificate Management to Secure Federation Messages › How to Verify that Certificates are Valid Using CRLs › Manage Certificate Cache Refresh and Grace Period

Manage Certificate Cache Refresh and Grace Period

You can complete two other tasks to manage certificate validity checking (CRL or OCSP):

• Modify the certificate cache refresh to improve performance

  The certificate cache refresh period indicates how often the certificate data store updates the certificate data in the policy store. Certificate data is cached in memory to improve SiteMinder performance. Refresh the information in memory so that the data is current.

• Modify the default revocation grace period

  The default revocation grace period is the delay from when a certificate is revoked and the time the certificate becomes invalid. During the grace period, the system can use a revoked certificate before it becomes invalid. After the certificate becomes invalid, it is no longer active and Federation Manager cannot use it.

  If you do not specify a value for the CRL or OCSP responder grace period when adding these components, Federation Manager uses the default grace period. The individual grace period settings for a CRL or OCSP take precedence over this default grace period value.

Follow these steps:

1. Log in to the Federation Manager UI.
2. Select the Certs and Keys tab.
3. Select CDS Settings.

   The Certificate Settings dialog displays.

4. You can modify the following settings:
   • Certificate Cache Refresh Period
   • Revocation Grace Period
   • LDAP Access Timeout

   Note: Click Help for a description of fields, controls, and their respective requirements.

5. Click Save.