Certificate Validation

On the Certificate Validation page, you can configure certification authorities (CA) that are trusted in user authentication.

Figure 4.13. SSH Tectia Server Configuration - Certificate Validation page

Generic Settings

Generic settings apply to all CA certificates and CRL fetching.

HTTP proxy URL

Define a HTTP proxy URL if one is required for making LDAP or OCSP queries for certificate validity.

The format of the URL is as follows:

http://username@proxy_server:port/network/netmask,network/netmask ...

The HTTP proxy address is given first and after it the networks that are connected directly (without the proxy).

SOCKS server URL

Define a SOCKS server URL if one is required for making LDAP or OCSP queries for certificate validity.

The format of the URL is as follows:

socks://username@socks_server:port/network/netmask,network/netmask ...

The SOCKS server address is given first and after it the networks that are connected directly (without the SOCKS server).

Certificate cache file

Select the check box to enable certificate caching.

Click the Browse button to select the cache file where the certificates and CRLs are stored when the SSH Tectia Server service is stopped, and read back in when the service is restarted. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly into the text field.

CRL auto update

Select the check box to enable automatic updating of certificate revocation lists.

When auto update is on, SSH Tectia Server periodically tries to download the new CRL before the old one has expired. The Update before field specifies how many seconds before the expiration the update takes place. The Minimum interval field sets a limit for the maximum update frequency. The default minimum interval is 30 seconds.

Enable DoD PKI

Select this check box if the certificates are required to be compliant with the DoD PKI (US Department of Defense Public-Key Infrastructure).

LDAP Servers

On the LDAP Servers tab, you can define LDAP servers that are used for fetching certificate revocation lists (CRLs) and/or subordinate CA certificates based on the issuer name of the certificate being validated.

If a CRL distribution point is defined in the certificate, the CRL is automatically retrieved from that address.

To add an LDAP server, click Add. The LDAP Server dialog box opens. Enter the Address and Port of the server and click OK. The default port is 389.

To edit an LDAP server, select the server from the list and click Edit.

To delete an LDAP server, select the server from the list and click Delete.

OCSP Responders

On the OCSP Responders tab, you can define OCSP responder servers that are used for Online Certificate Status Protocol queries.

For the OCSP validation to succeed, both the end-entity certificate and the OCSP responder certificate must be issued by the same CA. If the certificate has an Authority Info Access extension with an OCSP Responder URL, it is only used if there are no configured OCSP responders. It is not used if any OCSP responders have been configured.

To add an OCSP responder, click Add. The OCSP Responder dialog box opens. Enter the URL of the server. Optionally, you can also enter a Validity period in seconds for the OCSP data. During this time, new OCSP queries for the same certificate are not made but the old result is used. Click OK when finished.

If an OCSP responder is defined in the configuration file or in the certificate, it is tried first; only if it fails, traditional CRL checking is tried, and if that fails, the certificate validation returns a failure.

To edit an OCSP responder, select the responder from the list and click Edit.

To delete an OCSP responder, select the responder from the list and click Delete.

CRL Prefetch

On the CRL Prefetch tab, you can define addresses from which CRLs are periodically downloaded.

To add a CRL prefetch address, click Add. The CRL Prefetch dialog box opens. Enter the Interval how often the CRL is downloaded and the URL of the CRL distribution point and click OK. The default download interval is 3600 (seconds).

The URL can be either a standard format LDAP or HTTP URL, or it can refer to a file. The file format must be either binary DER or base64, PEM is not supported. Enter the file URL in this format:

file:///absolute/path/name

To edit a CRL prefetch address, select the address from the list and click Edit.

To delete a CRL prefetch address, select the address from the list and click Delete.

CA Certificates

On the CA Certificates tab, you can define the CA certificates that are trusted for user authentication.

To add a CA certificate as trusted:

Click Add. The CA Certificate dialog box opens.
Figure 4.14. Editing CA certificate settings
Enter the Name of the CA. The CA Name can be referred to in the selectors on the Authentication page. See Authentication.
Click the Browse button on the right-hand side of the text field to locate a CA certificate file. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and filename directly in the text field.
Click the View button to display the currently selected CA certificate.
You can optionally select the Disable CRLs check box to stop using the certificate revocation list. This option should be used for testing purposes only!
Under Use expired CRLs, you can specify in seconds how long expired CRLs are used.
Click OK when finished.

To edit a CA, select the CA from the list and click Edit.

To remove a CA from the trusted CAs, select the CA from the list and click Delete.