Previous Topic: Certificate Data Store ManagementNext Topic: OCSP Updates


Certificate Revocation List Updates

CA SiteMinder® provides features that require certificate validation for certificates in the certificate data store. In 12.52 SP1, federation features use the certificate data store. These features include protecting the HTTP-Artifact back channel, verifying SAML messages, and encrypting SAML messages. The certificate data store can implement validity checking using certificate revocation lists (CRLs).

The certificate data store references the location of CRLs. By default CA SiteMinder® does not check for CRL updates. Enable the CRL updater (CRLUpdater) to check for updates.

Consider the following information:

Follow these steps:

  1. Log in to a Policy Server host system.
  2. Start the XPSConfig utility.
  3. Type CDS and press Enter.
  4. Type the number for EnableCRLUpdater and press Enter.
  5. Type C and press Enter.
  6. Type yes and press Enter.
  7. Type Q.
  8. Complete one of the following steps
  9. Restart the Policy Server.

    CRL list updates are scheduled.

Change the Default CRL Update Period

The update period is the frequency that the certificate data store reloads a CRL. If a stored CRL file does not contain a NextUpdate value, configure the update period. The data store looks for the updated CRL in the location you specified when you added the CRL file to the CA SiteMinder® configuration.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, CDS Settings.
  3. Enter a new value for the update period. The default is one day.
  4. Click Save.

The new value is the amount of time that passes between updates.