CRL LDAP Validation

Overview

A CRL (Certificate Revocation List) is a list, signed by the certificate issuer, of the serial numbers of certificates that the issuer no longer considers valid (revoked certificates). The Enterprise Gateway can look up a CRL to find out whether a given certificate has been revoked. If the certificate's serial number is present in the CRL, the certificate must not be trusted.

To validate a certificate using a CRL lookup, the certificate's issuing CA certificate must be trusted by the Enterprise Gateway. This is because the CA public key is needed to verify the signature on the CRL; a CRL whose signature does not verify must be treated as untrusted rather than as evidence that the certificate is not revoked. A certificate does not carry its issuer's public key, and a CA certificate supplied by the client cannot be relied on, so the Enterprise Gateway retrieves the issuer's certificate from its own certificate store instead.

Configuration

The Name and URL of all currently configured LDAP directories are displayed in the table on the CRL Certificate Validation screen. The Enterprise Gateway checks the CRL of all selected LDAP directories to validate the client certificate. The filter fails as soon as the Enterprise Gateway determines that one of the CRLs has revoked the certificate.
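The following is an added example, written for this page and not taken from the Enterprise Gateway's own code, of the check the two preceding sections describe: verify each CRL's signature with the CA certificate held in the trust store, confirm the CRL was issued by the same CA that issued the client certificate and is still current, and fail as soon as any CRL lists the certificate's serial number. It uses only the Go standard library and builds its own constructed PKI (a CA, a revoked and an unrevoked client certificate, an empty CRL, a CRL listing the revoked certificate, and a CRL for the same issuer name signed by an untrusted key). The directory lookup itself is left out: the CRLs are passed in as the DER bytes a directory query would return. The function and type names (`CheckAgainstCRLs`, `Status`, `Fixture`) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of checking one client certificate against the CRLs.
type Status int

const (
	StatusUnknown Status = iota // a CRL could not be trusted or was stale: fail closed
	StatusGood                  // serial absent from every CRL checked
	StatusRevoked               // serial listed in at least one CRL
)

// CheckAgainstCRLs walks the CRLs of all selected directories and fails on the
// first one that lists leaf's serial. Every CRL must verify under trustedIssuer,
// the CA certificate taken from the gateway's own certificate store (never from
// the chain the client presented), must name the same issuer as leaf, and must
// be current at now. Any CRL that fails those checks yields StatusUnknown.
func CheckAgainstCRLs(leaf, trustedIssuer *x509.Certificate, crls [][]byte, now time.Time) (Status, error) {
	for i, der := range crls {
		crl, err := x509.ParseRevocationList(der)
		if err != nil {
			return StatusUnknown, fmt.Errorf("crl %d: parse: %w", i, err)
		}
		if err := crl.CheckSignatureFrom(trustedIssuer); err != nil {
			return StatusUnknown, fmt.Errorf("crl %d: signature: %w", i, err)
		}
		if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
			return StatusUnknown, fmt.Errorf("crl %d: issuer %s does not match certificate issuer %s", i, crl.Issuer, leaf.Issuer)
		}
		// A CRL without nextUpdate parses with a zero NextUpdate and is rejected here.
		if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
			return StatusUnknown, fmt.Errorf("crl %d: not current at %s", i, now.Format(time.RFC3339))
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return StatusRevoked, nil // first listing CRL fails the check
			}
		}
	}
	return StatusGood, nil
}

// Fixture is the constructed PKI used by this example (not real directory data).
type Fixture struct {
	Now                      time.Time
	CA                       *x509.Certificate
	RevokedLeaf, GoodLeaf    *x509.Certificate
	EmptyCRL, CRL, ForgedCRL []byte
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func mustCRL(tmpl *x509.RevocationList, issuer *x509.Certificate, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, signer)
	if err != nil {
		panic(err)
	}
	return der
}

func BuildFixture() Fixture {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is needed to sign CRLs
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey := mustKey()
	newLeaf := func(serial int64, cn string) *x509.Certificate {
		return mustCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &leafKey.PublicKey, caKey)
	}
	revoked, good := newLeaf(1001, "revoked-client"), newLeaf(1002, "good-client")

	empty := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour)}
	listing := &x509.RevocationList{
		Number: big.NewInt(8), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-30 * time.Minute)}},
	}
	// Same issuer name, different key: a CRL the trust store must reject.
	rogueKey := mustKey()
	rogueCA := mustCert(caTmpl, caTmpl, &rogueKey.PublicKey, rogueKey)

	return Fixture{
		Now: now, CA: ca, RevokedLeaf: revoked, GoodLeaf: good,
		EmptyCRL:  mustCRL(empty, ca, caKey),
		CRL:       mustCRL(listing, ca, caKey),
		ForgedCRL: mustCRL(listing, rogueCA, rogueKey),
	}
}

func main() {
	f := BuildFixture()
	for _, leaf := range []*x509.Certificate{f.RevokedLeaf, f.GoodLeaf} {
		st, err := CheckAgainstCRLs(leaf, f.CA, [][]byte{f.EmptyCRL, f.CRL}, f.Now)
		fmt.Printf("%s: status=%d err=%v\n", leaf.Subject.CommonName, st, err)
	}
	_, err := CheckAgainstCRLs(f.GoodLeaf, f.CA, [][]byte{f.ForgedCRL}, f.Now)
	fmt.Println("forged CRL rejected:", err)
}
```

The ordering of the checks matters: the signature is verified before the CRL's contents are consulted, so a directory entry that an attacker has replaced or a CRL from the wrong issuer cannot produce a "not revoked" answer; a stale CRL is likewise an error rather than a pass, which is the behaviour to keep when wiring a real directory lookup in front of this.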

To configure LDAP connection information, complete the following fields:

Name:
Enter an appropriate name for the filter.

LDAP Configuration:
To configure the Enterprise Gateway to check the CRL of a configured LDAP directory, select the checkbox next to the directory entry in the table on the main Certificate Validation - CRL screen.

You can add, edit, or delete LDAP Connections on the External Connections tab in Policy Studio. For example, right-click LDAP Connections, and select Add a LDAP Connection. For more information on configuring LDAP connections, see the LDAP Configuration topic.