On the Certificate Validation page, you can configure certification authorities (CA) that are trusted in user authentication.
Generic settings apply to all CA certificates and CRL fetching.
Define an HTTP proxy URL if one is required for making LDAP or OCSP queries for certificate validity.
The format of the URL is the following:
http://username@proxy_server:port/network/netmask,network/netmask ...
The HTTP proxy address is given first, followed by the networks that are reached directly (bypassing the proxy).
Define a SOCKS server URL if one is required for making LDAP or OCSP queries for certificate validity.
The format of the URL is the following:
socks://username@socks_server:port/network/netmask,network/netmask ...
The SOCKS server address is given first, followed by the networks that are reached directly (bypassing the SOCKS server).
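The two URL formats above share one structure: the proxy or SOCKS server in the authority part, and a comma-separated list of bypass networks in the path. The following parser is an added example written for this page; it is not SSH Tectia Server code and makes no claim about how the server itself parses the value. The host names, port numbers and networks it uses are constructed sample values. It splits the URL into its parts and then decides, for a given LDAP or OCSP server address, whether the query would go through the proxy or directly.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values in the documented format; not real hosts or networks.
SAMPLE_PROXY_URL = "http://alice@proxy.example.test:3128/10.0.0.0/8,192.168.1.0/255.255.255.0"
SAMPLE_SOCKS_URL = "socks://alice@socks.example.test:1080/172.16.0.0/12"


def parse_proxy_url(url):
    """Split a URL of the form
        scheme://username@server:port/network/netmask,network/netmask
    into its parts.  The path component carries the comma-separated list of
    networks that are reached directly, bypassing the proxy or SOCKS server."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "socks"):
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("proxy URL has no server name")
    direct = []
    for entry in parts.path.lstrip("/").split(","):
        entry = entry.strip()
        if entry:
            # ip_network accepts both prefix lengths (/8) and dotted masks (/255.255.255.0);
            # strict=False tolerates host bits set in the network part.
            direct.append(ipaddress.ip_network(entry, strict=False))
    return {
        "scheme": parts.scheme,
        "username": parts.username,   # the format carries a user name but no password
        "server": parts.hostname,
        "port": parts.port,
        "direct": direct,
    }


def route_for(cfg, target_ip):
    """Return 'direct' if target_ip lies in one of the bypass networks, else 'proxy'."""
    addr = ipaddress.ip_address(target_ip)
    for net in cfg["direct"]:
        if addr in net:
            return "direct"
    return "proxy"


if __name__ == "__main__":
    cfg = parse_proxy_url(SAMPLE_PROXY_URL)
    for ip in ("10.20.30.40", "192.168.1.77", "203.0.113.5"):
        print(ip, "->", route_for(cfg, ip))
```

Note that an empty path means every LDAP or OCSP query is sent through the proxy, and that the user name in the URL is not accompanied by a password in this format.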
Select the check box to enable certificate caching.
Click the ellipsis (...) button to select the cache file where the certificates and CRLs are stored when the SSH Tectia Server service is stopped, and read back in when the service is restarted. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly into the text field.
Select the check box to enable automatic updating of certificate revocation lists.
When auto update is on, SSH Tectia Server periodically tries to download the new CRL before the old one has expired. The Update before field specifies how many seconds before the expiration the update takes place. The Minimum interval field sets a limit for the maximum update frequency. The default minimum interval is 30 seconds.
Select this check box if the certificates are required to be compliant with the DoD PKI (US Department of Defense Public-Key Infrastructure).
On the LDAP Servers tab, you can define LDAP servers that are used for fetching certificate revocation lists (CRLs) and/or subordinate CA certificates based on the issuer name of the certificate being validated.
If a CRL distribution point is defined in the certificate, the CRL is automatically retrieved from that address.
To add an LDAP server, click Add. The LDAP Server dialog box opens. Enter the Address and Port of the server and click OK. The default port is 389.
To edit an LDAP server, select the server from the list and click Edit.
To delete an LDAP server, select the server from the list and click Delete.
On the OCSP Responders tab, you can define OCSP responder servers that are used for Online Certificate Status Protocol queries.
For the OCSP validation to succeed, both the end-entity certificate and the OCSP responder certificate must be issued by the same CA. If the certificate has an Authority Info Access extension with an OCSP Responder URL, that URL is used only when no OCSP responders have been configured; once any OCSP responder is configured, the URL in the certificate is ignored.
To add an OCSP responder, click Add. The OCSP Responder dialog box opens. Enter the URL of the server. Optionally, you can also enter a Validity period in seconds for the OCSP data. During this time, new OCSP queries for the same certificate are not made but the old result is used. Click OK when finished.
If an OCSP responder is defined in the configuration file or in the certificate, it is tried first; only if it fails, traditional CRL checking is tried, and if that fails, the certificate validation returns a failure.
To edit an OCSP responder, select the responder from the list and click Edit.
To delete an OCSP responder, select the responder from the list and click Delete.
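The OCSP section describes several rules that interact: configured responders take precedence over the Authority Info Access URL, the responder certificate must come from the same CA as the end-entity certificate, a result is reused for the Validity period, and CRL checking is attempted only after OCSP fails. The checker below is an added example that models those rules in code; it is not SSH Tectia Server code, and the responder URL, issuer names and serial numbers are constructed. It assumes that "fails" in the text means the query could not produce a usable answer (responder unreachable or responder certificate from another CA), that a definitive "revoked" answer is final, and that configured responders are tried in order until one answers. Network calls are replaced by injected functions so the logic runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Cert:
    serial: str
    issuer: str
    aia_ocsp_url: Optional[str] = None  # OCSP responder URL from the Authority Info Access extension


@dataclass
class OcspResponder:
    url: str
    validity: int = 0  # seconds a result is reused before a fresh query; 0 = always query


@dataclass
class OcspResponse:
    status: str         # "good" or "revoked"
    signer_issuer: str  # issuer of the certificate that signed the response


class RevocationChecker:
    """Applies the documented order: OCSP first, CRL only if OCSP fails."""

    def __init__(self, configured, ocsp_query, crl_lookup, clock):
        self.configured = list(configured)
        self.ocsp_query = ocsp_query   # (url, serial) -> OcspResponse, or None if the query failed
        self.crl_lookup = crl_lookup   # (issuer, serial) -> True/False, or None if no usable CRL
        self.clock = clock             # () -> seconds; injected so the cache can be tested
        self._cache: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def responders_for(self, cert: Cert) -> List[OcspResponder]:
        # Configured responders win; the AIA URL is consulted only when none are configured.
        if self.configured:
            return self.configured
        return [OcspResponder(cert.aia_ocsp_url)] if cert.aia_ocsp_url else []

    def _ocsp_status(self, cert: Cert) -> Optional[str]:
        for resp_cfg in self.responders_for(cert):
            key = (resp_cfg.url, cert.serial)
            now = self.clock()
            cached = self._cache.get(key)
            if cached and cached[1] > now:
                return cached[0]          # within the Validity period: reuse the old result
            resp = self.ocsp_query(resp_cfg.url, cert.serial)
            if resp is None or resp.signer_issuer != cert.issuer:
                continue                  # query failed, or responder certificate from another CA
            if resp_cfg.validity > 0:
                self._cache[key] = (resp.status, now + resp_cfg.validity)
            return resp.status
        return None                       # no responder produced a usable answer

    def check(self, cert: Cert) -> str:
        status = self._ocsp_status(cert)
        if status is not None:
            return "valid" if status == "good" else "revoked"
        listed = self.crl_lookup(cert.issuer, cert.serial)   # fall back to traditional CRL checking
        if listed is None:
            return "failed"                                   # OCSP and CRL both failed
        return "revoked" if listed else "valid"


def build_demo_checker(configured=None):
    """Constructed demo environment: fake responder, fake CRL, controllable clock."""
    calls = {"ocsp": 0, "clock": [0.0]}
    ca = "CN=Example CA"                                   # constructed issuer name

    def ocsp_query(url, serial):
        calls["ocsp"] += 1
        return {
            "01": OcspResponse("good", ca),
            "03": OcspResponse("good", "CN=Other CA"),     # response signed under a different CA
        }.get(serial)                                      # any other serial: responder unreachable

    crls = {ca: {"02"}}                                    # one CRL, listing serial 02

    def crl_lookup(issuer, serial):
        return (serial in crls[issuer]) if issuer in crls else None

    if configured is None:
        configured = [OcspResponder("http://ocsp.example.test/", validity=600)]
    checker = RevocationChecker(configured, ocsp_query, crl_lookup, lambda: calls["clock"][0])
    return checker, calls
```

In the demo, serial 01 is answered by OCSP and cached, serial 02 is found only on the CRL after the responder fails, serial 03 falls through to the CRL because the responder certificate is from another CA, and a certificate from a CA with no CRL ends in a validation failure.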
On the CRL Prefetch tab, you can define addresses from which CRLs are periodically downloaded.
To add a CRL prefetch address, click Add. The CRL Prefetch dialog box opens. Enter the URL of the CRL distribution point and the Interval (in seconds) at which the CRL is downloaded, and click OK. The URL can be either an LDAP or HTTP URL. The default interval is 3600 seconds.
To edit a CRL prefetch address, select the address from the list and click Edit.
To delete a CRL prefetch address, select the address from the list and click Delete.
On the CA Certificates tab, you can define the CA certificates that are trusted for user authentication.
To add a CA certificate as trusted:
Click Add. The CA Certificate dialog box opens.
Enter the Name of the CA. The CA Name can be referred to in the selectors on the Authentication page. See Authentication.
Click the ellipsis (...) button on the right-hand side of the text field to locate a CA certificate file. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and filename directly in the text field.
Click the View button to display the currently selected CA certificate.
You can optionally select the Disable CRLs check box to stop using the certificate revocation list. This option should be used for testing purposes only!
Under Use expired CRLs, you can specify in seconds how long expired CRLs are used.
Click OK when finished.
To edit a CA, select the CA from the list and click Edit.
To remove a CA from the trusted CAs, select the CA from the list and click Delete.
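The CRL settings spread across this page (the generic auto update fields Update before and Minimum interval, and the per-CA Disable CRLs and Use expired CRLs options) together decide whether a CRL may still be consulted and when the next download is due. The code below is an added example that expresses those two decisions as functions; it is not SSH Tectia Server code, and the timestamps and serial numbers are constructed. It assumes that Use expired CRLs is a grace period counted from the CRL's nextUpdate time and that the next download time is the later of "Update before seconds before expiry" and "Minimum interval seconds after the previous fetch".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass
class CrlPolicy:
    disable_crls: bool = False   # "Disable CRLs": skip CRL checks entirely (testing only)
    use_expired: int = 0         # "Use expired CRLs": seconds past nextUpdate a CRL is still accepted
    auto_update: bool = True     # automatic updating of certificate revocation lists
    update_before: int = 600     # "Update before": refresh this many seconds before expiry (assumed value)
    min_interval: int = 30       # "Minimum interval": default 30 seconds


@dataclass
class Crl:
    next_update: datetime        # the CRL's nextUpdate field, i.e. its expiry
    revoked: FrozenSet[str]      # serial numbers listed as revoked


def crl_decision(crl: Optional[Crl], serial: str, policy: CrlPolicy, now: datetime) -> str:
    """Return 'not_checked', 'unavailable', 'stale', 'revoked' or 'not_revoked'."""
    if policy.disable_crls:
        return "not_checked"           # the testing-only switch: CRL is never consulted
    if crl is None:
        return "unavailable"
    grace = timedelta(seconds=policy.use_expired)
    if now > crl.next_update + grace:
        return "stale"                 # expired and past the Use expired CRLs window
    return "revoked" if serial in crl.revoked else "not_revoked"


def next_fetch_time(crl: Optional[Crl], last_fetch: datetime, policy: CrlPolicy) -> Optional[datetime]:
    """When the auto updater should next download the CRL, or None if auto update is off."""
    if not policy.auto_update:
        return None
    earliest = last_fetch + timedelta(seconds=policy.min_interval)   # caps the update frequency
    if crl is None:
        return earliest                                               # nothing cached: fetch as soon as allowed
    target = crl.next_update - timedelta(seconds=policy.update_before)
    return max(target, earliest)


# Constructed sample data: a CRL issued at noon that expires one hour later.
SAMPLE_T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = Crl(next_update=SAMPLE_T0 + timedelta(hours=1), revoked=frozenset({"02"}))
SAMPLE_POLICY = CrlPolicy(use_expired=300)


def at(seconds: int) -> datetime:
    """Helper for the demo: a point in time `seconds` after SAMPLE_T0."""
    return SAMPLE_T0 + timedelta(seconds=seconds)


if __name__ == "__main__":
    for t in (0, 3600 + 240, 3600 + 360):
        print(at(t).isoformat(), crl_decision(SAMPLE_CRL, "01", SAMPLE_POLICY, at(t)))
    print("next fetch:", next_fetch_time(SAMPLE_CRL, SAMPLE_T0, SAMPLE_POLICY).isoformat())
```

With the sample data the updater schedules the download ten minutes before expiry, but if the previous fetch happened a minute before expiry the Minimum interval pushes the next attempt 30 seconds out instead of allowing an immediate retry.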