Certificate validity checking is an optional feature for X.509 client certificate authentication.
The Policy Server can confirm whether a user certificate is valid using the following methods:
Certificate Revocation Lists (CRLs): The Policy Server can use CRLs to determine whether a certificate is revoked. In the Administrative UI, you can specify a path to a CRL directory or you can select CRL Distribution Points (CDPs) to locate CRLs.
Online Certificate Status Protocol (OCSP): The Policy Server sends a request to an OCSP responder regarding a single user. The OCSP responder determines the revocation status of the user certificate and sends back the response.
The Policy Server determines which certificate validation method it uses as follows:
The Policy Server treats the first good or revoked response that it obtains as definitive. After that first valid response, it does not request further CRLs or OCSP responses, and it does not aggregate the results of CRL and OCSP validation to determine a comprehensive status for the user certificate.
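The decision rule described above, modelled as an added example (not the Policy Server's code and not part of the original page): sources are consulted in order and the first good or revoked answer ends the check. The source order, the fall-through when a source is unreachable, the `UNDETERMINED` label and the sample serial numbers are assumptions made for illustration.

```python
from enum import Enum
from typing import Callable, List, Optional, Tuple

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"  # assumed label: the page does not name this outcome

# A source is (name, lookup); lookup(serial) returns a Status or raises OSError.
Source = Tuple[str, Callable[[int], Status]]

def first_definitive(serial: int, sources: List[Source]
                     ) -> Tuple[Status, Optional[str], List[str]]:
    """Return (status, deciding_source, consulted) under first-definitive-wins."""
    consulted = []
    for name, lookup in sources:
        consulted.append(name)
        try:
            status = lookup(serial)
        except OSError:
            continue  # assumption: an unreachable source falls through to the next
        if status in (Status.GOOD, Status.REVOKED):
            return status, name, consulted  # later sources are never asked
    return Status.UNDETERMINED, None, consulted

# Constructed sample data: serial 0x2A was revoked after the cached CRL was issued.
STALE_CRL_REVOKED = {0x10}
OCSP_REVOKED = {0x10, 0x2A}

def crl_lookup(serial: int) -> Status:
    return Status.REVOKED if serial in STALE_CRL_REVOKED else Status.GOOD

def ocsp_lookup(serial: int) -> Status:
    return Status.REVOKED if serial in OCSP_REVOKED else Status.GOOD

def crl_unreachable(serial: int) -> Status:
    raise OSError("CDP not reachable")

if __name__ == "__main__":
    for order in ([("CRL", crl_lookup), ("OCSP", ocsp_lookup)],
                  [("OCSP", ocsp_lookup), ("CRL", crl_lookup)],
                  [("CRL", crl_unreachable), ("OCSP", ocsp_lookup)]):
        print([name for name, _ in order], first_definitive(0x2A, order))
```

With the stale CRL consulted first, serial 0x2A is reported good even though the OCSP data lists it as revoked, because results are not aggregated; CRL freshness therefore decides the outcome whenever a CRL answers first.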
Copyright © 2015 CA Technologies.
All rights reserved.