CA API Gateway - 9.3

Certificate Validation Cluster Properties

Last update September 4, 2018

The following cluster properties configure the settings used in the Manage Certificate Validations task and for expiration checking.

Tip: Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.


pkix.crl.cacheExpiryAge

Expiration time for the LDAP and HTTP caches used by Certificate Revocation Lists (CRL). Value is a time unit.

Default: 5m

pkix.crl.defaultExpiryAge

Expiration time applied to a Certificate Revocation List (CRL) that does not carry its own expiry time. When the expiry age elapses, the CRL is refreshed. Value is a time unit.

Default: 1h

pkix.crl.maxExpiryAge

Maximum expiration time for a Certificate Revocation List (CRL). This value is used if the CRL's own expiry age is greater than the value defined by this cluster property. Value is a time unit.

Default: 7d

pkix.crl.maxSize

Maximum size for a Certificate Revocation List (CRL). A value of zero indicates unlimited size.

Default: 1048576

pkix.crl.minExpiryAge

Minimum expiration time for a Certificate Revocation List (CRL). This value is used if the CRL's own expiry age is less than the value defined by this cluster property. Value is a time unit.

Default: 1h

Note: If the minimum expiration time is used, the CA API Gateway may be using a stale CRL.

pkix.crl.invalidateCrlCacheOnNextUpdate

Invalidates the cached Certificate Revocation List at the next-update time embedded in the CRL. Value is a Boolean.

Default: false

pkix.csr.defaultExpiryAge

Certificate expiration time on the CSR server. Used for internal users without a configured expiry time, or for certificates issued for LDAP users.

Default: 730 (days)

pkix.keyUsage

Controls X.509 key usage. Values are:

  • IGNORE: Accepts and uses certificates even for purposes other than those they were designated for.

  • ENFORCE: Uses certificates only for their stated purposes, as described in the "Key usage" and "Ext. key usage" sections in the [Details] tab of a certificate's properties. For details, see "Certificate Expiration Notification" in Manage Certificates. If a certificate does not contain key usage or extended key usage information marked as critical, the certificate is treated as if all possible usages are enabled (the same as the IGNORE setting).

Default: ENFORCE

Note: Requires a CA API Gateway restart for changes to take effect.

pkix.keyUsagePolicy

Overrides the default key usage policy. A long XML string defining a key usage enforcement policy. For details, see "Recognized Action Names" in Key Usage Enforcement Policy.

Default: <empty> (system default policy is used)

pkix.ocsp.defaultExpiryAge

Cache time for Online Certificate Status Protocol (OCSP) responses. Specifies how long an OCSP response is retained for an individual certificate validation attempt before discarding it and retrieving a new one. Value is a time unit.

Default: 1m (used if the OCSP response does not include its own expiry age)

pkix.ocsp.maxExpiryAge

Maximum expiration for a cached OCSP response. Used if the OCSP response's expiration is greater than what is defined by this cluster property. Value is a time unit.

Default: 15m

pkix.ocsp.minExpiryAge

Minimum expiration for a cached OCSP response. Used if the OCSP response's expiration is less than what is defined by this cluster property. Value is a time unit.

Default: 1s
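The CRL and OCSP cache-lifetime properties above follow the same pattern: the artefact's own validity is used, a default is substituted when it declares none, and the result is clamped between the min and max ages. The following is an added example that models those rules; it is not CA API Gateway code. It assumes the time-unit suffixes s, m, h and d, assumes that the substituted default is subject to the same min/max clamp as a declared lifetime, and assumes pkix.crl.maxSize is measured in bytes; the function names are the example's own.

```python
# Added example, not CA API Gateway code: models the cache-lifetime rules for
# CRLs (pkix.crl.*) and OCSP responses (pkix.ocsp.*) described on this page.
# Assumptions: time units s/m/h/d; the default age is substituted when the
# artefact declares no lifetime of its own and is then subject to the same
# min/max clamp as a declared lifetime; maxSize is in bytes.
from datetime import timedelta
from typing import Dict, Optional, Tuple

# Time-unit suffixes assumed for this example (see "Time Units" in the docs).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time_unit(value: str) -> timedelta:
    """Parse a cluster-property time value such as '5m', '1h' or '7d'."""
    value = value.strip()
    number, unit = value[:-1], value[-1:]
    if unit not in _UNITS or not number.isdigit():
        raise ValueError(f"unrecognised time value: {value!r}")
    return timedelta(seconds=int(number) * _UNITS[unit])


# Default values as quoted on this page for each property family.
CRL_DEFAULTS: Dict[str, str] = {
    "defaultExpiryAge": "1h", "minExpiryAge": "1h", "maxExpiryAge": "7d",
}
OCSP_DEFAULTS: Dict[str, str] = {
    "defaultExpiryAge": "1m", "minExpiryAge": "1s", "maxExpiryAge": "15m",
}


def effective_cache_age(props: Dict[str, str],
                        own_expiry: Optional[timedelta]) -> Tuple[timedelta, str]:
    """Return (lifetime the Gateway keeps the artefact, reason).

    own_expiry is the validity the CRL or OCSP response declares for itself
    (nextUpdate minus thisUpdate / producedAt), or None if it declares none.
    Rules from the page: no own expiry -> defaultExpiryAge; below
    minExpiryAge -> minExpiryAge; above maxExpiryAge -> maxExpiryAge.
    """
    lo = parse_time_unit(props["minExpiryAge"])
    hi = parse_time_unit(props["maxExpiryAge"])
    if own_expiry is None:
        age, reason = parse_time_unit(props["defaultExpiryAge"]), "default"
    else:
        age, reason = own_expiry, "own"
    if age < lo:
        return lo, "clamped-to-min"
    if age > hi:
        return hi, "clamped-to-max"
    return age, reason


def stale_window(own_expiry: timedelta, cache_age: timedelta) -> timedelta:
    """How long a cached CRL/OCSP response is used past its own nextUpdate.

    This is the situation the page's note on minExpiryAge describes: a CRL
    that the issuer refreshes every 10 minutes but that the Gateway keeps
    for 1h is stale for 50 minutes of every cache cycle. Zero when not stale.
    """
    return max(cache_age - own_expiry, timedelta(0))


def crl_size_permitted(size_bytes: int, max_size: int = 1048576) -> bool:
    """pkix.crl.maxSize check: a maximum of 0 means unlimited."""
    return max_size == 0 or size_bytes <= max_size


if __name__ == "__main__":
    # Constructed scenarios, not real CRL or OCSP data.
    for label, props, own in (
        ("CRL with no nextUpdate", CRL_DEFAULTS, None),
        ("CRL refreshed every 10m", CRL_DEFAULTS, timedelta(minutes=10)),
        ("CRL valid for 30d", CRL_DEFAULTS, timedelta(days=30)),
        ("OCSP response valid 5m", OCSP_DEFAULTS, timedelta(minutes=5)),
    ):
        age, reason = effective_cache_age(props, own)
        stale = stale_window(own, age) if own is not None else timedelta(0)
        print(f"{label:28s} cached for {age} ({reason}); stale for {stale}")
```

The stale_window figure is the one to watch when tuning pkix.crl.minExpiryAge: raising the minimum reduces fetch load on the CRL distribution point, but every minute it exceeds the issuer's own refresh interval is a minute during which a freshly revoked certificate is still accepted.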

pkix.ocsp.useNonce

Controls whether to include a nonce in the OCSP requests to protect against replay attacks. Value is a Boolean.

Default: true

Note: Set this property to "false" if the OCSP responder does not support nonces. To verify that nonces are supported, look for the "id-pkix-ocsp-nonce" extension in the extensions section of the OCSP request and response.

pkix.permittedCriticalExtensions

Critical certificate extensions that are permitted when validating certificates. The value is a list of entity IDs, separated by spaces.

Default: <empty>

pkix.validation.identityProvider

Validation method for identity provider certificates. You can also set this property using Manage Certificate Validation.

  • validate = Validate that the certificate is valid and trusted.

  • validatepath = Validate that the certificate path is valid to a trust anchor.

  • revocation = Validate the certificate path and perform a revocation check using the revocation checking policies.

Default: validate

pkix.validation.other

Validation method for all certificates except for identity provider and routing. You can also set this property using Manage Certificate Validation. See pkix.validation.identityProvider for a description of each setting.

Default: validate

pkix.validation.routing

Validation method for certificates used by the server for routing (i.e., HTTPS, FTPS). You can also set this property using Manage Certificate Validation. See pkix.validation.identityProvider for a description of each setting.

Default: validate

services.certificateDiscoveryEnabled

Controls whether CA API Gateway - XML VPN Clients that send requests to this Gateway can discover the Gateway's SSL certificate without user intervention. Value is a Boolean.

  • true = Automatic certificate discovery is enabled, without user intervention required.
  • false = Automatic certificate discovery is disabled. The following must be done:

    • XML VPN Client running as an application: When the CA API Gateway - XML VPN Client attempts to trust a server certificate for the first time, a confirmation dialog is displayed, and you must explicitly accept or reject the certificate.

    • XML VPN Client running as a service: Manually configure the server certificate for the XML VPN Client using one of the following methods:

      • If the server certificate is established, manually trust it using the "discover" Gateway command.
      • If the server certificate is not established, manually import it using the "import" Gateway command.

Default: true

Tip: See also the related admin.certificateDiscoveryEnabled cluster property.

Note: Enable the "Policy download service" so the port for server certificate discovery works.

trustedCert.expiryCheckPeriod

Time to wait between successive trusted certificate expiry checks. Value is a time unit. For details, see "Certificate Expiration Notification" under Manage Certificates.

Default: 12h

trustedCert.expiryFineAge

Time before the Gateway logs a FINE audit event for a trusted certificate. Value is a time unit.

Default: 30d

trustedCert.expiryInfoAge

Time before the Gateway logs an INFO audit event for a trusted certificate. Value is a time unit.

Default: 7d

trustedCert.expiryWarningAge

Time before the Gateway logs a WARNING audit event for a trusted certificate. Value is a time unit.

Default: 2d
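The four trustedCert.expiry* properties together define a periodic check that classifies each trusted certificate by how close it is to expiry. The following is an added example that models one run of that check; it is not CA API Gateway code. It assumes the time-unit suffixes s, m, h and d, assumes the check reports only the tightest threshold a certificate has crossed (WARNING before INFO before FINE), and uses a constructed trust store; the function names are the example's own.

```python
# Added example, not CA API Gateway code: models the trusted-certificate
# expiry check driven by the trustedCert.expiry* properties above. It assumes
# time units s/m/h/d and that the check reports the tightest threshold a
# certificate has crossed (WARNING before INFO before FINE).
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Time-unit suffixes assumed for this example (see "Time Units" in the docs).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time_unit(value: str) -> timedelta:
    """Parse a cluster-property time value such as '12h' or '30d'."""
    value = value.strip()
    number, unit = value[:-1], value[-1:]
    if unit not in _UNITS or not number.isdigit():
        raise ValueError(f"unrecognised time value: {value!r}")
    return timedelta(seconds=int(number) * _UNITS[unit])


# Defaults as quoted on this page.
EXPIRY_PROPS: Dict[str, str] = {
    "trustedCert.expiryCheckPeriod": "12h",
    "trustedCert.expiryFineAge": "30d",
    "trustedCert.expiryInfoAge": "7d",
    "trustedCert.expiryWarningAge": "2d",
}

# Tightest threshold first, so a certificate two days from expiry is
# reported once, at WARNING, rather than at all three levels.
_LEVELS = (
    ("WARNING", "trustedCert.expiryWarningAge"),
    ("INFO", "trustedCert.expiryInfoAge"),
    ("FINE", "trustedCert.expiryFineAge"),
)


def expiry_audit_level(not_after: datetime, now: datetime,
                       props: Dict[str, str] = EXPIRY_PROPS) -> Optional[str]:
    """Audit level one check run would log for a certificate expiring at
    not_after, or None if expiry is further away than expiryFineAge.
    An already-expired certificate falls inside every window and is WARNING."""
    remaining = not_after - now
    for level, key in _LEVELS:
        if remaining <= parse_time_unit(props[key]):
            return level
    return None


def checks_within(window: str, period: str) -> int:
    """Number of check runs that fall inside a window, e.g. how many WARNING
    events the default 12h period produces during the 2d warning window."""
    return parse_time_unit(window) // parse_time_unit(period)


def run_expiry_check(certs: List[Tuple[str, datetime]], now: datetime,
                     props: Dict[str, str] = EXPIRY_PROPS) -> List[Tuple[str, str]]:
    """One pass of the periodic check over (name, notAfter) pairs; returns
    the (level, name) audit events it would emit, skipping healthy certs."""
    events = []
    for name, not_after in certs:
        level = expiry_audit_level(not_after, now, props)
        if level is not None:
            events.append((level, name))
    return events


# Constructed trust-store contents for the demonstration; not real certificates.
NOW = datetime(2018, 9, 4, tzinfo=timezone.utc)
SAMPLE_STORE: List[Tuple[str, datetime]] = [
    ("partner-api-ca", NOW + timedelta(days=1)),
    ("ldap-idp-signing", NOW + timedelta(days=5)),
    ("routing-backend", NOW + timedelta(days=20)),
    ("root-ca", NOW + timedelta(days=365)),
]

if __name__ == "__main__":
    for level, name in run_expiry_check(SAMPLE_STORE, NOW):
        print(f"{level:7s} trusted certificate {name!r} is nearing expiry")
    print("WARNING events per certificate across the default warning window:",
          checks_within("2d", "12h"))
```

checks_within is the figure to look at when deciding what to alert on: with the defaults, a certificate that is allowed to lapse generates four WARNING audit events before it expires, so a detection rule that fires on the first WARNING for a given certificate name, rather than on each one, keeps the signal proportional to the number of certificates at risk.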
