Certificate Revocation List Updates

CA SiteMinder® provides features that require certificate validation for certificates in the certificate data store. In 12.51, federation features use the certificate data store. These features include protecting the HTTP-Artifact back channel, verifying SAML messages, and encrypting SAML messages. The certificate data store can implement validity checking using certificate revocation lists (CRLs).

The certificate data store references the location of CRLs. By default, CA SiteMinder® does not check for CRL updates. Enable the CRL updater (CRLUpdater) to check for updates.

Consider the following information:

Follow these steps:

  1. Log in to a Policy Server host system.
  2. Start the XPSConfig utility.
  3. Type CDS and press Enter.
  4. Type the number for EnableCRLUpdater and press Enter.
  5. Type C and press Enter.
  6. Type yes and press Enter.
  7. Type Q.
  8. Complete one of the following steps
  9. Restart the Policy Server.

    CRL list updates are scheduled.

Change the Default CRL Update Period

The update period is how often the certificate data store reloads a CRL. If a stored CRL file does not contain a NextUpdate value, configure the update period. The data store looks for the updated CRL in the location you specified when you added the CRL file to the CA SiteMinder® configuration.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, Certificate Management.
  3. Enter a new value for the update period. The default is one day.
  4. Click Save.

The new value is the amount of time that passes between updates.
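
To see which stored CRL files lack a NextUpdate value and therefore depend on the update period, read the field from the CRL itself. The following Python code is an added example, not CA SiteMinder code: it reads thisUpdate and nextUpdate from a DER-encoded CRL and also flags a CRL whose NextUpdate has already passed. All function names are illustrative, and the sample CRL is constructed inline and unsigned.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    dt = datetime.strptime(value.decode("ascii"), fmt)
    if tag == 0x17 and dt.year >= 2050:  # RFC 5280: YY >= 50 means 19YY
        dt = dt.replace(year=dt.year - 100)
    return dt.replace(tzinfo=timezone.utc)

def crl_update_fields(der):  # returns (thisUpdate, nextUpdate or None)
    _, cert_list, _ = read_tlv(der, 0)      # CertificateList SEQUENCE
    _, tbs, _ = read_tlv(cert_list, 0)      # TBSCertList SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0x02:  # optional version INTEGER precedes the signature algorithm
        _, _, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)          # issuer Name
    tag, value, pos = read_tlv(tbs, pos)    # thisUpdate
    this_update, next_update = parse_time(tag, value), None
    if pos < len(tbs):
        tag, value, _ = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):  # nextUpdate is OPTIONAL in TBSCertList
            next_update = parse_time(tag, value)
    return this_update, next_update

def audit_crl(der, now):  # 'no-nextupdate', 'stale' (NextUpdate passed) or 'current'
    _, next_update = crl_update_fields(der)
    if next_update is None:
        return "no-nextupdate"
    return "stale" if now >= next_update else "current"

def _tlv(tag, body):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(body)]) + body

def sample_crl(with_next_update):  # constructed, unsigned CRL; structure only
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    name = _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Constructed Test CA")
    times = _tlv(0x17, b"240101000000Z") + (_tlv(0x17, b"240108000000Z") if with_next_update else b"")
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + _tlv(0x30, _tlv(0x31, _tlv(0x30, name))) + times)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
```

A result of "no-nextupdate" identifies a CRL for which the configured update period matters; "stale" suggests that the CRL updater is not enabled or cannot reach the CRL location.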