Dear Techies,
Could you please let me know the best way to validate a CRL (certificate revocation list) in CA API Gateway for all incoming requests? As far as I know, under Manage Certificates there is an option in each certificate's properties for revocation checking, which is disabled by default; after selecting Default it should validate and throw an error if any client tries to access with a revoked certificate.
Thanks in advance.
You can do CRL checking on incoming requests, but typically that means you have the users defined and the certificates defined in the gateway.
Here is a sample use case. IIP = Internal Identity Provider, but you can use LDAP etc.
WSS Sign SOAP Request
  Sign request element: /soapenv:Envelope/soapenv:Body
At least one
  User: test1ssl [IIP] (import client cert test1ssl.pem)
  User: test2ssl2 [IIP] (import client cert test2ssl2.pem)
I assume if you want to check all users you don't want to do it this way, but are all users going to authenticate and use certificate-based authentication?
Can you define more of your use case? What traffic is coming in? Will you be using an LDAP? Will you be authenticating the user? etc.
Thank you for your reply, CHARLES LILIENKAMP!
Yes. I want to check the CRL for all users who are trying to access. Also, in my environment we are using a secure card (with an included certificate).
I have already imported the certificate under Manage Certificates that is associated with the secure card and configured its properties (signing client cert and trust enabled), but the problem is that it is failing for valid certs as well.
Error message:
2018-01-23T07:35:49.644+0100 INFO 772 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=******S***** CA 1, OU=** 017, OU=CA, O=***, C=XX
2018-01-23T07:35:49.644+0100 WARNING 772 com.l7tech.server.identity.fed.FederatedIdentityProviderImpl: 2034: Unable to build path for Certificate CN=Prashant SrivastavaOU=people, OU=CA, O=***, C=XX: unable to find valid certification path to requested target; related error(s) [Revocation check failed for certificate 'CN=Prashant Srivastava (XX), OU=people, OU=XX, O=XX, C=XX.]
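The warning above reports two distinct things: the gateway could not build a certification path from the client certificate to a CA it trusts, and the revocation check on that certificate failed. The added example below (written for this thread, not code from CA API Gateway or Layer7) shows both steps in plain Go with only the standard library: it constructs a throwaway in-memory PKI (the CA name "Demo CA 1", the user names test1ssl and test2ssl2 and all serial numbers are made up), builds a certification path, verifies that the CRL is signed by the issuer and still current, and only then looks the serial number up. It exercises the three situations discussed in the thread: a valid certificate with its CA imported, a revoked certificate, and a valid certificate whose CA is not in the trust store, which fails on path building before any CRL is consulted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed in-memory PKI for this illustration only: one CA,
// a client certificate that stays valid, one the CA revokes, and the CA's CRL.
type DemoPKI struct {
	CA      *x509.Certificate
	Valid   *x509.Certificate
	Revoked *x509.Certificate
	CRLDER  []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func parse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildDemoPKI issues everything relative to now so the validity windows line up.
func BuildDemoPKI(now time.Time) *DemoPKI {
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo CA 1", Organization: []string{"Demo"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to sign the CRL
	}
	ca := parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))

	issue := func(serial int64, cn string) *x509.Certificate {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{"people"}},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		return parse(x509.CreateCertificate(rand.Reader, tmpl, ca, &newKey().PublicKey, caKey))
	}
	valid := issue(100, "test1ssl")
	revoked := issue(101, "test2ssl2")

	// The CA publishes a CRL that lists the second certificate's serial number.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	return &DemoPKI{CA: ca, Valid: valid, Revoked: revoked, CRLDER: crlDER}
}

// CheckClientCert does the two steps the gateway log reports separately: build a
// certification path to a trusted CA, then check the leaf against a CRL that the
// leaf's issuer signed and that is still within its validity window.
func CheckClientCert(cert *x509.Certificate, trusted *x509.CertPool, crlDER []byte, now time.Time) error {
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("unable to find valid certification path: %w", err)
	}
	chain := chains[0] // chain[0] is the leaf, chain[1] its issuer
	if len(chain) < 2 {
		return errors.New("revocation check failed: no issuer in chain")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("revocation check failed: cannot parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(chain[1]); err != nil {
		return fmt.Errorf("revocation check failed: CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("revocation check failed: CRL is not current")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("revocation check failed for certificate '%s': revoked at %s",
				cert.Subject, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// RunDemo covers the three cases from the thread: valid cert with its CA trusted,
// revoked cert, and valid cert whose CA was never imported into the trust store.
func RunDemo() map[string]error {
	now := time.Now()
	pki := BuildDemoPKI(now)
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA)
	empty := x509.NewCertPool()
	return map[string]error{
		"valid":        CheckClientCert(pki.Valid, trusted, pki.CRLDER, now),
		"revoked":      CheckClientCert(pki.Revoked, trusted, pki.CRLDER, now),
		"untrusted-ca": CheckClientCert(pki.Valid, empty, pki.CRLDER, now),
	}
}

func main() {
	for name, err := range RunDemo() {
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```

The "untrusted-ca" case is the one to compare with the log above: when the issuing CA is missing from the trust store, path building fails first, and the revocation error reported alongside it is a consequence of not having a trusted issuer to validate the CRL against rather than evidence that the certificate is actually revoked. In a gateway, the equivalent check is to confirm the CA that issued the user certificates (not only the user certificates themselves) is imported and marked as trusted for signing client certificates.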