Select this check box to enable Certificate Revocation List (CRL) Checking.
CRL checking is an additional level of security that involves retrieving a CRL from an LDAP directory, verifying the CRL, and finally validating that the user’s certificate has not been revoked. If the Perform CRL Checks check box is marked, the Policy Server performs CRL checking.
Names of the available user directories.
For CRL checking, an LDAP user directory connection must be defined using the User Directory Dialog. If the user directory connection has not been defined, click the Create button.
Distinguished Name (DN) of the CA if the DN is different from the DN you entered in the Issuer DN field.
It is possible to have a CA whose DN in the LDAP directory for CRL checking is different from the Issuer DN in the client certificate. In such a case, you must specify the DN of the CA for the LDAP CRL directory in this field.
Select this check box to enable signature verification.
When you enable signature verification, the Policy Server checks the CA’s public certificate against a signature stored in the policy database.
Select this check box if your CRL uses distribution points.
Large CRLs may contain multiple distribution points that can be used to locate a revoked user. Distribution points indicate a starting point in the CRL LDAP directory. The distribution point provides a starting point for a CRL check and saves the processing time that it would take to search the entire CRL for a particular user.
When this check box is marked, SiteMinder looks at a user’s certificate, retrieves the distribution point from the certificate, and then uses it to find the appropriate LDAP directory entry point for the CRL.
Select this check box to have SiteMinder cache CRL entries.
When you mark this check box, SiteMinder checks the NextUpdate field in the CRL for the date when the cached CRL information should be deleted and replaced with updated CRL information. SiteMinder uses the cached CRL information until the date specified in the NextUpdate field of the CRL.
The NextUpdate field in the CRL is optional. If there is no value for NextUpdate, SiteMinder will not cache CRL information.
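The following is an added model of the CRL-check behaviour described on this page (the CA DN override for the CRL directory, reuse of a cached CRL until its NextUpdate value, and no caching when NextUpdate is absent); it is not SiteMinder code. The `fetch` callback, the DNs and the serial numbers are constructed stand-ins for the LDAP retrieval and the directory contents.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass
class Crl:
    issuer_dn: str
    revoked_serials: frozenset
    next_update: Optional[datetime]  # NextUpdate is optional in X.509 CRLs

@dataclass
class CrlChecker:
    fetch: Callable[[str], Crl]      # stands in for the LDAP CRL retrieval (constructed)
    cache_crls: bool = True          # the "cache CRL entries" check box
    ca_dn_overrides: dict = field(default_factory=dict)  # issuer DN -> CA DN in the CRL directory
    _cache: dict = field(default_factory=dict)
    fetch_count: int = 0

    def _crl_for(self, issuer_dn: str, now: datetime) -> Crl:
        ca_dn = self.ca_dn_overrides.get(issuer_dn, issuer_dn)
        cached = self._cache.get(ca_dn)
        if cached is not None and now < cached.next_update:
            return cached                    # reuse until NextUpdate
        crl = self.fetch(ca_dn)
        self.fetch_count += 1
        if self.cache_crls and crl.next_update is not None:
            self._cache[ca_dn] = crl         # a CRL without NextUpdate is never cached
        else:
            self._cache.pop(ca_dn, None)
        return crl

    def is_revoked(self, issuer_dn: str, serial: int, now: datetime) -> bool:
        return serial in self._crl_for(issuer_dn, now).revoked_serials

def simulate() -> dict:
    """Constructed scenario: caching, expiry after NextUpdate, and the CA DN override."""
    t0 = datetime(2011, 1, 1, tzinfo=timezone.utc)
    def fetch(ca_dn: str) -> Crl:
        if ca_dn == "cn=Example CA,ou=CRLs,o=example":
            return Crl(ca_dn, frozenset({42}), t0 + timedelta(hours=1))
        return Crl(ca_dn, frozenset({99}), None)   # CA that omits NextUpdate
    c = CrlChecker(fetch, ca_dn_overrides={"cn=Example CA,o=example": "cn=Example CA,ou=CRLs,o=example"})
    r = {"revoked": c.is_revoked("cn=Example CA,o=example", 42, t0),
         "valid": c.is_revoked("cn=Example CA,o=example", 7, t0 + timedelta(minutes=30))}
    r["fetches_while_cached"] = c.fetch_count   # 1: second check served from cache
    c.is_revoked("cn=Example CA,o=example", 7, t0 + timedelta(hours=2))
    r["fetches_after_expiry"] = c.fetch_count   # 2: refetched once NextUpdate passed
    c.is_revoked("cn=Other CA,o=example", 99, t0)
    c.is_revoked("cn=Other CA,o=example", 99, t0)
    r["fetches_no_next_update"] = c.fetch_count  # 4: uncacheable CRL fetched every time
    return r
```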
Open the User Directory Dialog.
Copyright © 2011 CA. All rights reserved.