CRL LDAP Validation


A Certificate Revocation List (CRL) is a signed list indicating a set of certificates that are no longer considered valid (revoked certificates) by the certificate issuer. The API Gateway can query a CRL to find out if a given certificate has been revoked. If the certificate is present in the CRL, it should not be trusted.

To validate a certificate using a CRL lookup, the certificate's issuing CA certificate should be trusted by the API Gateway. This is because for a CRL lookup, the CA public key is needed to verify the signature on the CRL. The issuing CA public key is not always included in the certificates that it issues, so it is necessary to retrieve it from the API Gateway's certificate store instead.


The Name and URL of all currently configured LDAP directories are displayed in the table on the CRL Certificate Validation screen. The API Gateway checks the CRL of all selected LDAP directories to validate the client certificate. The filter fails as soon as the API Gateway determines that one of the CRLs has revoked the certificate.

To configure LDAP connection information, complete the following fields:


Enter an appropriate name for the filter.

LDAP Connection:

Click the button on the right, and select the LDAP directory to check its CRL. If you wish to use an existing LDAP directory, (for example, Sample Active Directory Connection), you can select it in the tree. To add an LDAP directory, right-click the LDAP Connections tree node, and select Add an LDAP Connection.

Alternatively, you can add LDAP connections under the External Connections node in the Policy Studio tree view. For more details on how to configure LDAP connections, see the topic on Configuring LDAP Directories.