Certificate validity checking is an optional feature for X.509 client certificate authentication.
The Policy Server can confirm whether a user certificate is valid using the following methods:
The Policy Server can use CRLs to determine whether a certificate is revoked. In the Administrative UI, you can specify a path to a CRL directory or you can select CRL Distribution Points (CDPs) to locate CRLs.
The Policy Server sends a request to an OCSP responder regarding a single user. The OCSP responder determines the revocation status of the user certificate and sends back the response.
The Policy Server determines which certificate validation method it uses as follows:
The Policy Server regards the first good or revoked response that it obtains to be definitive. The Policy Server does not request subsequent CRLs or OCSP responses after the first valid response. In addition, the Policy Server does not aggregate the results of CRL and OCSP validation to determine the comprehensive status of the user certificate.
Copyright © 2014 CA.
All rights reserved.
|
|