On the Certificate Validation page, you can configure certification authorities (CA) that are trusted in user authentication.
Generic settings apply to all CA certificates and CRL fetching.
Define a HTTP proxy URL if one is required for making LDAP or OCSP queries for certificate validity.
The format of the URL is as follows:
http://username@proxy_server:port/network/netmask,network/netmask ...
The HTTP proxy address is given first, followed by the networks that are reached directly (bypassing the proxy).
Define a SOCKS server URL if one is required for making LDAP or OCSP queries for certificate validity.
The format of the URL is as follows:
socks://username@socks_server:port/network/netmask,network/netmask ...
The SOCKS server address is given first, followed by the networks that are reached directly (bypassing the SOCKS server).
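As an added illustration of the proxy and SOCKS URL formats described above (this is example code written for this page, not part of Tectia Server), the following parser splits such a URL into the proxy endpoint and the list of directly reachable networks, and then decides for a given LDAP or OCSP server address whether the query would go through the proxy. The proxy host, user and networks in the sample are constructed values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the page's format: proxy first, then the comma-separated
# networks that bypass it. Host, user and networks are made-up values.
SAMPLE_PROXY_URL = "http://pkiuser@proxy.example.net:3128/10.0.0.0/8,192.168.1.0/24"


def parse_proxy_url(url):
    """Parse an http:// (HTTP proxy) or socks:// (SOCKS server) URL.

    Returns a dict with scheme, user, host, port and the list of
    direct-connect networks given in the path as network/netmask entries.
    Both prefix-length (10.0.0.0/8) and dotted-mask (10.0.0.0/255.0.0.0)
    forms are accepted, as ipaddress.ip_network understands both.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "socks"):
        raise ValueError("scheme must be http (HTTP proxy) or socks (SOCKS server)")
    if parts.hostname is None or parts.port is None:
        raise ValueError("proxy host and port are required")
    direct = []
    for entry in parts.path.lstrip("/").split(","):
        entry = entry.strip()
        if entry:  # an empty path means every destination goes via the proxy
            direct.append(ipaddress.ip_network(entry, strict=False))
    return {
        "scheme": parts.scheme,
        "user": parts.username,
        "host": parts.hostname,
        "port": parts.port,
        "direct": direct,
    }


def uses_proxy(parsed, destination_ip):
    """True if a query to destination_ip would be sent through the proxy,
    False if the address lies in one of the direct-connect networks."""
    addr = ipaddress.ip_address(destination_ip)
    return not any(addr in net for net in parsed["direct"])


if __name__ == "__main__":
    cfg = parse_proxy_url(SAMPLE_PROXY_URL)
    for dest in ("10.1.2.3", "192.168.1.77", "203.0.113.5"):
        print(dest, "via proxy" if uses_proxy(cfg, dest) else "direct")
```

The same function handles the SOCKS form, since only the scheme and the meaning of the first address differ.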
Select the check box to enable certificate caching.
Click the Browse button to select the cache file where the certificates and CRLs are stored when the Tectia Server service is stopped, and read back in when the service is restarted. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly into the text field.
Select the check box to enable automatic updating of certificate revocation lists.
When auto update is on, Tectia Server periodically tries to download the new CRL before the old one has expired. The Update before field specifies how many seconds before the expiration the update takes place. The Minimum interval field sets a limit for the maximum update frequency. The default minimum interval is 30 seconds.
One of the compliance requirements of the US Department of Defense Public-Key Infrastructure (DoD PKI) is to have the Digital Signature bit set in the Key Usage of the certificate. To fulfill the compliance requirement by enforcing digital signature in key usage, select this check box.
On the LDAP Servers tab, you can define LDAP servers that are used for fetching certificate revocation lists (CRLs) and/or subordinate CA certificates based on the issuer name of the certificate being validated.
If a CRL distribution point is defined in the certificate, the CRL is automatically retrieved from that address.
To add an LDAP server, click Add. The LDAP Server dialog box opens. Enter the Address and Port of the server and click OK. The default port is 389.
To edit an LDAP server, select the server from the list and click Edit.
To delete an LDAP server, select the server from the list and click Delete.
On the OCSP Responders tab, you can define OCSP responder servers that are used for Online Certificate Status Protocol queries.
For the OCSP validation to succeed, both the end-entity certificate and the OCSP responder certificate must be issued by the same CA unless the optional Responder certificate is configured to enable trusted mode OCSP. For more information, see ocsp-responder.
If the certificate has an Authority Info Access extension with an OCSP Responder URL, that URL is used only when no OCSP responders have been configured; as soon as any OCSP responder is configured, the extension is ignored.
To add an OCSP responder, click Add. The OCSP Responder dialog box opens. Enter the HTTP URL of the server. Optionally, you can also configure a Responder certificate to enable trusted mode OCSP, or a Validity period in seconds for the OCSP data. During this time, new OCSP queries for the same certificate are not made and the old result is used instead. Click OK when finished.
If an OCSP responder is defined in the configuration file or in the certificate, it is tried first; only if it fails, traditional CRL checking is tried, and if that fails, the certificate validation returns a failure.
To edit an OCSP responder, select the responder from the list and click Edit.
To delete an OCSP responder, select the responder from the list and click Delete.
On the CRL Prefetch tab, you can define addresses from which CRLs are periodically downloaded.
To add a CRL prefetch address, click Add. The CRL Prefetch dialog box opens. Enter the Interval (how often the CRL is downloaded) and the URL of the CRL distribution point, and click OK. The default download interval is 3600 seconds.
The URL can be either a standard format LDAP or HTTP URL, or it can refer to a file. The file format must be either binary DER or base64; PEM is not supported. Enter the file URL in this format:
file:///absolute/path/name
To edit a CRL prefetch address, select the address from the list and click Edit.
To delete a CRL prefetch address, select the address from the list and click Delete.
On the CA Certificates tab, you can define the CA certificates that are trusted for user authentication, as well as intermediate CA certificates.
To add a CA certificate:
Click Add. The CA Certificate dialog box opens.
Enter the Name of the CA. The CA Name can be referred to in the selectors on the Authentication page. See Authentication.
Click the Browse button on the right-hand side of the text field to locate a CA certificate file. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly in the text field.
Click the View button to display the currently selected CA certificate.
If the Trusted CA check box is selected (it is by default), the CA certificate is set as a trust anchor and it is trusted explicitly. No revocation checks are performed on the CA certificate (only the validity period will be checked), and it will be the end point of the validation path, meaning that no CA above it in the PKI hierarchy will affect the validation.
If the Trusted CA check box is cleared, the CA will be considered an intermediate CA. At least one trusted CA certificate is required for a working PKI setting.
You can optionally select the Disable CRLs check box to stop using the certificate revocation list. This option should be used for testing purposes only!
Under Use expired CRLs, you can specify in seconds how long expired CRLs are used.
Click OK when finished.
To edit a CA, select the CA from the CA Certificates list and click Edit.
To remove a CA from the CA Certificates list, select the CA and click Delete.
On the OpenSSH CA Keys tab, you can define the OpenSSH CA keys that are trusted for user authentication.
To add an OpenSSH CA key, click the Add button, then provide a name for the list entry and the key file.
To edit an OpenSSH CA key entry, select an entry from the list, and click the Edit button.
To delete an OpenSSH CA key entry, select an entry from the list, and click the Delete button.