Configure Certificate Revocation List Checking

Configure CRL checking to verify whether a user certificate has been revoked. This verification helps ensure that a user with an invalid client certificate cannot access a protected resource.

You can obtain a CRL from an LDAP directory or from a location specified by a CRL distribution point (CDP). If the Policy Server is going to obtain CRLs from a specific LDAP directory, be sure to configure a connection to that directory in the User Directory section of the Administrative UI. This LDAP directory can act as both a user store and a CRL store. Configure the directory before configuring CRL checking or during the CRL configuration process.

To configure CRL checking

  1. Log on to the Administrative UI.
  2. Select Infrastructure, Directory.
  3. Expand the Certificate Mapping option.
  4. Select Create or Modify a Certificate Mapping.

    The Certificate Mapping dialog opens.

  5. Select Perform CRL Checks in the Certificate Revocation List Checking group box.

    CRL-specific fields and controls display.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  6. In the CRL Directory field, select the name of the LDAP directory from which the Policy Server obtains the CRL. The directory name is the name you assigned when configuring the directory in the User Directory section of the Administrative UI. If there is no user directory in the list, click Create to add a directory connection.

    If you do not specify an LDAP directory in the CRL Directory field, select Use Distribution Points as the method by which the Policy Server retrieves a CRL.

    Note: An optional text string value for the CRL Directory field exists and it reads "Take from Certificate Extension." Only select this option if you plan to use distribution points for CRL retrieval.

  7. If you specified a user directory in the CRL Directory field, enter a value in the Entry Point DN in CRL Directory field.

    The entry in this field is the DN where the Policy Server looks in the CRL directory to locate the CRL. This field is valid only when the CRL Directory field is set to an LDAP directory. If you enable distribution points to locate CRLs, leave this field blank.

  8. (Optional) Select Verify signature to verify the signature of the CRL.

    The Policy Server requires an accessible LDAP host to retrieve the certificate necessary to verify the signature of the CRL. Be sure that you have configured an LDAP host as a user directory connection in the Administrative UI.

    Note the following:

  9. (Optional) Select Use Distribution Points to use the CDP extension to locate CRLs. You can use this option as an alternative to specifying a CRL directory.

    If you select Use Distribution Points and enter a directory in the CRL Directory field, the Policy Server uses only the distribution points to locate the CRL. Distribution points take precedence over the CRL directory and the CRL Directory entry becomes irrelevant.

  10. Complete the remaining settings, as necessary, and click Submit.

Certificate revocation list checking is enabled.
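What a CRL check decides once it is configured, as an added example that is not part of this documentation or of the product: it uses the pyca/cryptography library with a constructed CA key, two user certificates carrying a CDP extension, and a CRL, to show the distribution-point lookup behind "Take from Certificate Extension", the "Verify signature" step against the issuer's key, rejection of a CRL past its next-update time, and the serial-number revocation lookup. The CA name and CDP URI are hypothetical.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
CDP_URI = "ldap://crl.example.test/cn=Constructed%20Test%20CA?certificateRevocationList"  # hypothetical
def make_user_cert(cn, ca_key, serial, now):
    # User certificate carrying a CRL Distribution Points extension that names CDP_URI.
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CDP_URI)], None, None, None)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(CA_NAME).serial_number(serial)
            .public_key(rsa.generate_private_key(65537, 2048).public_key())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))
def make_crl(signer_key, revoked_serials, now, days=7):
    # CRL valid for `days` that lists the given serial numbers as revoked.
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(now).next_update(now + datetime.timedelta(days=days)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(signer_key, hashes.SHA256())
def cdp_uris(cert):
    # What "Take from Certificate Extension" reads: the URIs named in the CDP extension.
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]
def crl_status(cert, crl, ca_public_key, now):
    # The decision a CRL check makes: 'bad-signature', 'stale', 'revoked' or 'good'.
    if not crl.is_signature_valid(ca_public_key):          # the "Verify signature" step
        return "bad-signature"
    if crl.next_update is None or crl.next_update < now:   # an expired CRL is not trusted
        return "stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
def demo():
    # Constructed scenario: alice (serial 2) has been revoked, bob (serial 3) has not.
    now = datetime.datetime(2024, 1, 1)
    ca_key, rogue_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    alice, bob = make_user_cert("alice", ca_key, 2, now), make_user_cert("bob", ca_key, 3, now)
    crl, ca_pub = make_crl(ca_key, [2], now), ca_key.public_key()
    return {"cdp": cdp_uris(alice),
            "alice": crl_status(alice, crl, ca_pub, now),
            "bob": crl_status(bob, crl, ca_pub, now),
            "forged": crl_status(bob, make_crl(rogue_key, [], now), ca_pub, now),
            "stale": crl_status(bob, crl, ca_pub, now + datetime.timedelta(days=8))}
```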