The CA server you use can be owned and operated by an independent CA or by your own organization, in which case you become your own CA. If you use an independent CA, you must contact them for the addresses of their CA and CRL servers (for obtaining certificates and certificate revocation lists), and for the information they require when submitting personal certificate requests. When you are your own CA, you determine this information yourself.
Enter the necessary information in the following fields.
X509 Certificate Path Validation Level: X509 specifies a certificate format that binds an entity's distinguished name to its public key by means of a digital signature. Select Full to validate the certificate path all the way back to the root, or select Partial to validate it only part of the way. The CRL distribution point extension (.cdp) in an X509 certificate can be either an HTTP URL or an LDAP URL.
Certificate Revocation Check Settings:
CRL: Select this option to have the security device use only CRL to check the certificate status.
OCSP: Select this option to have the security device use only OCSP to check the certificate status.
None: Select this option to disable CRL certificate checking.
Best Effort: Select this option to have the security device use CRL to check the certificate status, but if there is no information that indicates that the certificate is revoked, accept the certificate.
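The CRL and Best Effort options only diverge when the CRL cannot be retrieved: CRL rejects the certificate, Best Effort accepts it. The following Go program, added here as an example and not part of the product or this page, implements that decision against a constructed CA, peer certificate and CRL; CheckCRL and Fixture are names chosen for this example, None amounts to not calling the check at all, and OCSP is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// CheckCRL applies the page's CRL and Best Effort settings; crlDER is nil when the CRL could not be fetched.
func CheckCRL(bestEffort bool, ca, leaf *x509.Certificate, crlDER []byte) error {
	if crlDER == nil {
		if bestEffort {
			return nil // fail open: nothing says the certificate is revoked, so it is accepted
		}
		return errors.New("CRL unavailable") // fail closed
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // trust only a CRL signed by the issuing CA
	}
	if err != nil {
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale") // an expired CRL proves nothing either way
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

// Fixture builds a throwaway CA, a peer certificate and a CA-signed CRL revoking the peer (constructed sample data; one Ed25519 key pair serves both certificates, and nil readers are fine because Ed25519 signing is deterministic).
func Fixture() (ca, leaf *x509.Certificate, crlDER []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	t0, t1 := time.Now(), time.Now().Add(time.Hour)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(nil, caTpl, caTpl, pub, priv)
	ca, _ = x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(42), NotBefore: t0, NotAfter: t1}
	leafDER, _ := x509.CreateCertificate(nil, leafTpl, ca, pub, priv)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: t0, NextUpdate: t1, RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: t0}}}
	crlDER, _ = x509.CreateRevocationList(nil, crlTpl, ca, priv)
	return
}
```

Call CheckCRL twice with the fixture, once with the CRL bytes and once with nil, to see a revoked peer rejected in both modes and a missing CRL rejected only in CRL mode.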
CRL Settings:
URL Address: Enter the internal web-based URL of the LDAP server managing your CRL.
LDAP Server: Enter the IP address or domain name of the LDAP Root CA server that manages the CRL.
Refresh Frequency: This is applicable to the CRL only. From the drop-down menu, select whether you want to update the CRL daily, weekly, monthly, or according to the default setting (which updates the CRL shortly after the next scheduled update).
OCSP Settings:
URL Address: Enter the internal web-based URL of the OCSP server.
Click Advanced Settings to specify a Certificate Authority (CA) with which the security device verifies the OCSP response.
SCEP Settings:
RA CGI: (Registration Authority Certificate Generation Information) Enter the RA URL where the security device will request a CA certificate.
CA CGI: (Certificate Authority Certificate Generation Information) Enter the CA URL.
Note: Depending on the Certificate Authority, the URLs for RA and CA might be the same.
CA IDENT: Enter the name of the certificate authority for purposes of certificate ownership, if necessary.
Challenge: Enter the challenge word(s) sent to you by the CA that will prove your identity to the CA.
Click Advanced Settings to configure advanced SCEP settings such as the polling interval and certificate authentication.
Click OK to save the settings.