CRL LDAP validation

Overview

A Certificate Revocation List (CRL) is a list, signed by the certificate issuer, of certificates that the issuer no longer considers valid (revoked certificates). API Gateway can query a CRL to find out whether a given certificate has been revoked. If the certificate is present in the CRL, it must not be trusted.

To validate a certificate using a CRL lookup, API Gateway must trust the certificate's issuing CA certificate, because the CA's public key is needed to verify the signature on the CRL. The issuing CA's public key is not always included in the certificates it issues, so API Gateway retrieves it from its own certificate store instead.
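The two steps just described (verify the CRL signature with the issuing CA taken from the trust store, then look the certificate up in the list) as an added Go example using only the standard library; this is not API Gateway code, and the CA, client certificates and CRL are constructed test data generated in the example itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsRevoked performs the two checks described above: verify the CRL signature with
// the issuing CA taken from the trust store, then look the serial number up in it.
func IsRevoked(crlDER []byte, trustedIssuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	// Fails if trustedIssuer is not a CRL-signing CA or the signature does not verify.
	if err := crl.CheckSignatureFrom(trustedIssuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil // listed: the certificate must not be trusted
		}
	}
	return false, nil
}

// BuildFixture constructs throwaway test data (not real PKI material): a CA, two
// client certificates it issued (serials 1001 and 1002), and a CRL revoking 1001.
func BuildFixture() (ca, revoked, valid *x509.Certificate, crlDER []byte) {
	now, caKey, leafKey := time.Now(), newKey(), newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))
	issue := func(serial int64) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(time.Hour)}
		return parse(x509.CreateCertificate(rand.Reader, t, ca, leafKey.Public(), caKey))
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1001), RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, issue(1001), issue(1002), crlDER
}

func newKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func parse(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
```

Passing a non-CA certificate as the trusted issuer makes the signature check fail, which is why the issuing CA has to be present in the certificate store rather than taken from the CRL or the client certificate chain.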

Configuration

The Name and URL of all currently configured LDAP directories are displayed in the table on the CRL Certificate Validation window. API Gateway checks the CRL of all selected LDAP directories to validate the client certificate. The filter fails as soon as API Gateway determines that one of the CRLs has revoked the certificate.

To configure LDAP connection information, complete the following fields:

Name:

Enter an appropriate name for the filter.

LDAP Connection:

Click the button on the right, and select the LDAP directory whose CRL is to be checked. If you wish to use an existing LDAP directory (for example, Sample Active Directory Connection), you can select it in the tree. To add an LDAP directory, right-click the LDAP Connections tree node, and select Add an LDAP Connection.

Alternatively, you can add LDAP connections under the External Connections node in the Policy Studio tree view. For more details on how to configure LDAP connections, see the topic on Configure LDAP directories.