Default Certificate Validation Settings

In Phase 1 negotiations, participants check the Certificate Revocation List (CRL) to see if certificates received during an IKE exchange are still valid. If a CRL did not accompany a CA certificate and is not loaded in the security device database, the device tries to retrieve the CRL through the LDAP or HTTP CRL location defined within the certificate itself. If there is no URL address defined in the certificate, the security device uses the URL of the server that you define.

Online Certificate Status Protocol (OCSP) is an alternative way to check the status of a digital certificate. OCSP may provide additional information about the certificate. It may also provide the certificate status in a more timely manner.

Note: With ScreenOS 2.5 and later, you can disable the checking of a CRL's digital signature when you load the CRL. However, disabling CRL certificate checking compromises the security of your security device.

To Define Default Settings

Enter the necessary information:

Certificate Revocation Check Settings

Check Method:

CRL: Select this option to have the security device use only CRL to check the certificate status.
OSPF: Select this option to have the security device use only OSPF to check the certificate status.
None: Select this option to disable CRL certificate checking.
Best Effort: Select this option to have the security device use CRL to check the certificate status, but if there is no information that indicates that the certificate is revoked, accept the certificate.

CRL Settings:

URL Address: Enter the internal web-based URL of the LDAP server managing your CRL.
LDAP Server: Enter the IP address or domain name of the LDAP Root CA server that manages the CRL.
Refresh Frequency: This is applicable to the CRL only. From the drop-down menu, select whether you want to update the CRL daily, weekly, monthly, or according to the default setting (which updates the CRL shortly after the next scheduled update).

OCSP Settings:

URL Address: Enter the internal web-based URL of the OCSP server.

Click Advanced Settings to specify a Certificate Authority (CA) with which the security device verifies the OCSP response.

Click OK to save the settings.

You can configure certificate validation on a per-CA basis. See CA Server Settings.