Configuring Certificate Revocation Checking

Reflection SSL/TLS and Secure Shell connections can be configured to authenticate hosts using digital certificates. Digital certificates (also called X.509 certificates) are an integral part of a Public Key Infrastructure (PKI). They are issued by a certificate authority (CA), which vouches for the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the owner's public key (used to encrypt messages to the owner and to verify the owner's digital signatures), and a digital signature generated by the CA over the certificate contents. A recipient uses the CA's signature to verify that the certificate has not been tampered with and can be trusted.

A valid signature does not by itself prove that a certificate is still good: the issuing CA may have revoked it, for example after a private key compromise. To detect this, you can configure Reflection to check revocation status using CRLs or an OCSP responder. A CRL (Certificate Revocation List) is a digitally signed list of certificates that the CA has revoked; certificates identified in a CRL are no longer valid. OCSP (Online Certificate Status Protocol) is an HTTP-based protocol that can be used instead of CRL checking to confirm whether a single certificate is valid. An OCSP responder answers a certificate status request with one of three digitally signed responses: "good", "revoked", or "unknown". Using OCSP removes the need for servers and clients to retrieve and search through large CRLs.

When CRL checking is enabled, Reflection always checks for CRLs at every location listed in the certificate's CRL Distribution Point (CDP) extension. In addition, Reflection can be configured to look for CRLs in an LDAP directory (LDAP is a standard protocol for storing information in a central location and distributing it to users) or to query an OCSP responder.

Reflection's default value for certificate revocation checking is based on your current system setting. If your system is configured to do CRL checking, all Reflection sessions will check for certificate revocation using CRLs by default.

NOTE: When Reflection is running in DOD PKI mode, certificate revocation checking is always enabled and cannot be disabled.

To enable CRL checking by default for all Reflection sessions (system setting)

  1. In Internet Explorer, choose Tools > Internet Options > Advanced.

  2. Under Security, select Check for server certificate revocation.

Within Reflection, you can also enable certificate revocation checking for an individual session, using either CRLs or an OCSP responder.

To enable certificate revocation checking for a Secure Shell session

  1. Open the Reflection Secure Shell Settings dialog box.

  2. Click the PKI tab.

  3. Select either Use OCSP or Use CRL.

To enable certificate revocation checking for SSL/TLS sessions

  1. Open the Security Properties dialog box.

  2. On the SSL/TLS tab, click Configure PKI. (The Use SSL/TLS security option must be selected.)

  3. Select either Use OCSP or Use CRL.

NOTE: The locations of the CRLs and OCSP responders that apply to a certificate are normally carried in the certificate itself: OCSP responder URLs in the Authority Information Access (AIA) extension, and CRL locations in the CRL Distribution Points (CDP) extension. If a certificate does not provide this information, use the OCSP and LDAP tabs of the Reflection Certificate Manager to configure the responder and directory locations manually.
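Before relying on the dialog settings above, it is worth confirming the three things they depend on: whether the system-wide Internet Options default is on, whether the host certificate actually carries CDP and AIA extensions, and whether Windows can reach the locations they name. The following PowerShell script is added here as an example and is not part of the Reflection documentation or product. It assumes the host certificate has been exported to a file (the path C:\temp\host.cer is a placeholder), that certutil.exe is available (it ships with Windows), and that the "Check for server certificate revocation" check box is stored as the CertificateRevocation DWORD under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

```powershell
# Added example (not Reflection's own code): inspect the inputs that
# certificate revocation checking depends on.
# Assumptions: $CertPath points to an exported DER or Base64 certificate
# (placeholder path below); certutil.exe is present; the Internet Options
# check box is stored as the CertificateRevocation registry value.
param(
    [string]$CertPath = 'C:\temp\host.cer'   # hypothetical path
)

# 1. System-wide default (Internet Options > Advanced > Security >
#    "Check for server certificate revocation"). Reflection's default
#    follows this value when no per-session setting is made.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$setting = Get-ItemProperty -Path $inetKey -Name CertificateRevocation -ErrorAction SilentlyContinue
if ($setting -and $setting.CertificateRevocation -eq 1) {
    Write-Host 'System default: revocation checking is ENABLED'
} else {
    Write-Host 'System default: revocation checking is DISABLED or not set'
}

# 2. Does the host certificate say where its CRL and OCSP responder live?
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "Subject: $($cert.Subject)"
Write-Host "Issuer:  $($cert.Issuer)"

$extensions = @(
    @{ Oid = '2.5.29.31';         Name = 'CRL Distribution Points (CDP)' },
    @{ Oid = '1.3.6.1.5.5.7.1.1'; Name = 'Authority Information Access (AIA)' }
)
foreach ($e in $extensions) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $e.Oid }
    if ($ext) {
        Write-Host "`n$($e.Name):"
        # Format($true) renders the extension contents as readable multi-line text
        Write-Host $ext.Format($true)
    } else {
        Write-Warning "Certificate has no $($e.Name) extension."
        Write-Warning 'Configure the location manually on the OCSP or LDAP tab of Reflection Certificate Manager.'
    }
}

# 3. Let Windows CryptoAPI build the chain and fetch the CRL/OCSP URLs named
#    in those extensions. Look for "Revocation check passed" or
#    "Revocation check failed" in the output.
certutil.exe -verify -urlfetch $CertPath
```

If step 2 reports a missing CDP or AIA extension, Reflection has no revocation source for that certificate unless one is configured manually, and if step 3 fails while step 2 shows valid URLs, the problem is network reachability (proxy or firewall) rather than configuration.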