Cisco Systems OL-16647-01 Identity Certificates Authentication, 33-6, OCSP Options, Other Options


Chapter 33 Configuring Certificates

To avoid having to retrieve the same CRL from a CA repeatedly, the security appliance can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the security appliance removes the least recently used CRL until more space becomes available.

Enforce next CRL update—Require valid CRLs to have a Next Update value that has not expired. Clearing the box allows valid CRLs with no Next Update value or a Next Update value that has expired.
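The following is an added illustration, not Cisco code and not a description of the appliance's internal implementation. It models the two behaviors described above in plain Python: a CRL cache bounded by total size that evicts the least recently used entry, and the "Enforce next CRL update" checkbox as a predicate applied before a cached CRL is used. The CRL records, their byte sizes and the capacity figure are constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Crl:
    issuer: str                       # CA the CRL belongs to (constructed label)
    size: int                         # encoded size in bytes (constructed value)
    next_update: Optional[datetime]   # None when the CRL carries no Next Update field


def crl_is_acceptable(crl: Crl, now: datetime, enforce_next_update: bool) -> bool:
    """Mirror of the 'Enforce next CRL update' checkbox.

    Checked:   the CRL must carry a Next Update value that has not expired.
    Unchecked: CRLs with no Next Update, or an expired one, are still accepted.
    """
    if not enforce_next_update:
        return True
    return crl.next_update is not None and crl.next_update > now


class CrlCache:
    """Size-bounded LRU cache: eviction removes the least recently used CRL
    until the new one fits, as the text describes."""

    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes
        self.used = 0
        self._entries: "OrderedDict[str, Crl]" = OrderedDict()

    def get(self, issuer: str) -> Optional[Crl]:
        crl = self._entries.get(issuer)
        if crl is not None:
            self._entries.move_to_end(issuer)   # touch: now the most recently used
        return crl

    def put(self, crl: Crl) -> List[str]:
        """Store a freshly retrieved CRL; returns the issuers evicted to make room."""
        if crl.size > self.capacity:
            raise ValueError("CRL is larger than the whole cache")
        old = self._entries.pop(crl.issuer, None)
        if old is not None:
            self.used -= old.size
        evicted: List[str] = []
        while self.used + crl.size > self.capacity:
            victim, victim_crl = self._entries.popitem(last=False)  # least recently used
            self.used -= victim_crl.size
            evicted.append(victim)
        self._entries[crl.issuer] = crl
        self.used += crl.size
        return evicted

    def lookup(self, issuer: str, now: datetime, enforce_next_update: bool) -> Optional[Crl]:
        """Serve a cached CRL only if it still satisfies the Next Update policy;
        a stale entry is dropped so the caller retrieves a fresh CRL from the CA."""
        crl = self.get(issuer)
        if crl is None:
            return None
        if crl_is_acceptable(crl, now, enforce_next_update):
            return crl
        self._entries.pop(issuer)
        self.used -= crl.size
        return None


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cache = CrlCache(capacity_bytes=100)
    cache.put(Crl("ca1", 40, now + timedelta(days=1)))
    cache.put(Crl("ca2", 40, None))
    cache.get("ca1")                                  # ca1 becomes most recently used
    print("evicted:", cache.put(Crl("ca3", 40, now - timedelta(days=1))))
    print("ca2 served (enforce on):", cache.lookup("ca2", now, True))
```

With enforcement on, `lookup` refuses a CRL that has no Next Update or whose Next Update has passed, which is the reason to keep the box checked unless a CA is known to issue CRLs without that field.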

OCSP Options

Server URL—Enter the URL for the OCSP server. The security appliance uses OCSP servers in the following order:

1. OCSP URL in a match certificate override rule

2. OCSP URL configured in this OCSP Options attribute

3. AIA field of remote user certificate

Disable nonce extension—By default, the OCSP request includes the nonce extension, which cryptographically binds requests with responses to avoid replay attacks. It works by matching the extension in the request to that in the response, ensuring that they are the same. Disable the nonce extension if the OCSP server you are using sends pre-generated responses that do not contain this matching nonce extension.
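The following is an added example and is not Cisco code; it does not reproduce the appliance's OCSP client. It shows the two points above in working Python: the three-level server selection order, and the nonce binding check, implemented over the actual DER layout of the id-pkix-ocsp-nonce extension (OID 1.3.6.1.5.5.7.48.1.2, whose extnValue is an OCTET STRING wrapping the nonce). The URLs, the nonce bytes and the response extension list are constructed for the example; the minimal DER helpers only handle the length forms this example needs.

```python
import hmac
from typing import Iterable, Optional, Tuple

# id-pkix-ocsp-nonce = 1.3.6.1.5.5.7.48.1.2, already in DER content-octet form
OCSP_NONCE_OID = bytes.fromhex("2b0601050507300102")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag/length/value (lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; returns (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 2:
            raise ValueError("unsupported DER length form")
        n = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    body = buf[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated DER element")
    return tag, body, pos + n


def encode_nonce_extension(nonce: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    where extnValue carries the DER OCTET STRING holding the nonce."""
    inner = der_tlv(0x04, nonce)
    return der_tlv(0x30, der_tlv(0x06, OCSP_NONCE_OID) + der_tlv(0x04, inner))


def find_nonce(extensions: bytes) -> Optional[bytes]:
    """Walk a DER SEQUENCE OF Extension and return the nonce, or None if absent."""
    _, seq, _ = der_read_tlv(extensions)
    pos = 0
    while pos < len(seq):
        tag, ext, pos = der_read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid, p = der_read_tlv(ext)
        if tag != 0x06:
            raise ValueError("extnID must be an OID")
        if oid != OCSP_NONCE_OID:
            continue
        tag, val, p = der_read_tlv(ext, p)
        if tag == 0x01:                      # optional 'critical' BOOLEAN, skip it
            tag, val, p = der_read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        tag, nonce, _ = der_read_tlv(val)
        if tag != 0x04:
            raise ValueError("nonce must be an OCTET STRING")
        return nonce
    return None


def choose_ocsp_url(override_rule_url: Optional[str], configured_url: Optional[str],
                    aia_urls: Iterable[str]) -> Optional[str]:
    """Precedence from the text: match-rule override, then the configured
    Server URL, then the AIA field of the remote user certificate."""
    for candidate in (override_rule_url, configured_url, *aia_urls):
        if candidate:
            return candidate
    return None


def response_binds_to_request(request_nonce: Optional[bytes], response_extensions: bytes,
                              nonce_disabled: bool) -> bool:
    """Nonce enabled: accept only a response that echoes the request nonce.
    Nonce disabled (pre-generated responses): no nonce is sent or expected, so
    replay protection rests on the response's own validity interval instead."""
    if nonce_disabled:
        return True
    if request_nonce is None:
        return False
    resp_nonce = find_nonce(response_extensions)
    return resp_nonce is not None and hmac.compare_digest(resp_nonce, request_nonce)
```

A pre-generated response carries no nonce, so with the extension enabled `response_binds_to_request` rejects it; that rejection, rather than a transport error, is the symptom that points at the "Disable nonce extension" checkbox.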

Validation Policy

Specify the type of client connections that can be validated by this CA—Click SSL or IPSec to restrict the type of remote session this CA can be used to validate, or click SSL and IPSec to let the CA validate both types of sessions.

Other Options

Accept certificates issued by this CA—Specify whether or not the security appliance should accept certificates from CA Name.

Accept certificates issued by the subordinate CAs of this CA

Identity Certificates Authentication

An Identity Certificate can be used to authenticate VPN access through the security appliance. Click the SSL Settings or the IPsec Connections links on the Identity Certificates panel for additional configuration information.

The Identity Certificates Authentication panel allows you to:

Add an Identity Certificate. See Add/Install an Identity Certificate.

Display details of an Identity Certificate. See Show Identity Certificate Details.

Delete an existing Identity Certificate. See Delete an Identity Certificate.

Export an existing Identity Certificate. See Export an Identity Certificate.

Install an Identity Certificate. See Installing Identity Certificates.

Enroll for a certificate with Entrust. See Generate


Cisco Security Appliance Command Line Configuration Guide

33-6

OL-16647-01
