Managing Certificates with a CRL
Use the Manage CA Certificate page in AMC to configure certificate revocation checking for individual
certificates, and determine the connection types the certificate is used to secure.
To verify the validity of a client certificate and configure certificate revocation
In the AMC, navigate to System Configuration > SSL Settings.
Under CA Certificates, click Edit on the NNN certificates line.
All of the installed certificates are displayed.
To see details about a certificate, click the right arrow ( ) in the second column. To edit a certificate,
click its link. For example:
Click the right arrow ( ) next to a GlobalSign certificate to see its details.
Click the link to edit it.
The Manage CA Certificate page displays.
In the Used for area, specify the connection types this certificate is used to secure.
To specify CRL settings, check the Use Certificate revocation list in the Certificate revocation checking area.
The format for the CRL must be DER-based (
.crl); the appliance cannot use a CRL
that's been created in PEM format.
The appliance retrieves lists of revoked certificates from a CRL distribution point (CDP). Specify the
location of this CDP:
The CDP is usually specified in the certificate itself. By default, the appliance uses the CDP from the client certificate.
Alternatively you can specify a URL for it. Check the Use this certificate distribution point (CDP) checkbox. If a login is required for it, type the credentials.
- If Use this certificate distribution point (CDP) is selected, you can specify how often the CRL should be
retrieved using the Download CRL every <n> hours option. If you don’t specify a download interval, a
new CRL is retrieved when the old one expires. (CRLs are updated frequently so that when a certificate is
revoked, that information is distributed in a timely manner).
- The appliance checks client certificates against this list. To perform CRL checking for the entire chain of
certificates, starting with the CA root certificate, select the Validate the entire chain checkbox.
- Specify whether users should be allowed or denied access if the CDP is inaccessible by selecting Allow
user access or Block user access. The remote CDP you specified might be offline, or it may not be
indicated on the certificate. (It is an optional item for the X.509 standard, not a mandatory one.)
Was This Article Helpful?
Help us to improve our support portal