Black Box ET0010A User Manual

EncrypTight User Guide
287
Deleting a Certificate
Delete external certificates if they have expired or are no longer used. External certificates are the only 
type of certificate that you can delete from the EncrypTight appliance. You can overwrite existing 
management ID certificates to replace them, but you cannot explicitly delete them. 
CAUTION
You must have at least one external certificate installed on the EncrypTight appliance. Deleting an external 
certificate that is currently being used for authentication will cause management communications to fail.
To delete an external certificate:
1 Turn off strict authentication on the ETEP in the configuration editor and push the new configuration, 
or use the strict client authentication disable CLI command. (For more information, see 
2 In the Appliances view, right-click the appliance with the certificate that you want to delete, and click 
View Certificates in the shortcut menu. The certificates that are installed on the selected appliance 
are added to the Certificates view. 
3 In the Certificates view, right-click the target certificate and click Delete from the shortcut menu. The 
certificate is removed from the Certificates view and is no longer available to authenticate peers.
Validating Certificates
Generally, certificates are considered valid until they expire. However, certificates can be revoked by CAs 
when necessary. Devices can check the validity of a certificate using certificate revocation lists (CRLs) or 
the online certificate status protocol (OCSP).
This section includes the following topics:
Validating Certificates Using CRLs
Certificate authorities publish certificate revocation lists (CRLs) to identify certificates that they consider 
invalid. Certificates include a field called the CRL Distribution Point extension, which provides the URL at 
which the issuing certificate authority publishes its CRL. 
By default, the EncrypTight software and the ETKMSs examine received certificates to determine the 
URL to use and check this location for CRLs. You must obtain and install a copy of the CRL on the 
ETEPs that you use.
You can configure the management workstation and the ETKMSs to check for a copy of the CRL in a 
local directory that you specify. In either case, all EncrypTight components check the CRLs the first time 
a device initiates communication and then store the CRL until it expires.
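The check described above (read the CRL Distribution Point URL from the peer certificate, obtain the CRL, keep it until its next-update time passes, and reject any certificate whose serial number is listed) is shown below as an added example written with the Go standard library. It is not EncrypTight or Black Box code. The CA, the leaf certificate, the CRL and the distribution-point URL are all constructed in the example, and the fetch hook stands in for whichever retrieval the appliance actually performs (HTTP or a local directory). The scenario also shows the trade-off the guide raises: while a stored CRL is still within its validity period, a revocation published in the meantime is not seen until the stored copy expires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// crlCache keeps one parsed CRL per distribution-point URL until its NextUpdate
// time passes ("fetch once, keep until it expires"). The clock is injectable so
// the expiry path can be exercised deterministically.
type crlCache struct {
	byURL map[string]*x509.RevocationList
	now   func() time.Time
}

func (c *crlCache) get(url string) (*x509.RevocationList, bool) {
	crl, ok := c.byURL[url]
	if !ok || !c.now().Before(crl.NextUpdate) {
		delete(c.byURL, url) // expired or absent: force a fresh retrieval
		return nil, false
	}
	return crl, true
}

// checkRevocation reads the CRL Distribution Point URL from cert, obtains the CRL
// (cache or fetch), verifies the CRL signature against the CA, and fails if the
// certificate's serial is listed. fetch is a hypothetical retrieval hook.
func checkRevocation(cert, ca *x509.Certificate, cache *crlCache, fetch func(url string) ([]byte, error)) error {
	if len(cert.CRLDistributionPoints) == 0 {
		return errors.New("no CRL Distribution Point extension")
	}
	url := cert.CRLDistributionPoints[0]
	crl, ok := cache.get(url)
	if !ok {
		der, err := fetch(url)
		if err != nil {
			return fmt.Errorf("CRL unavailable, failing closed: %w", err)
		}
		if crl, err = x509.ParseRevocationList(der); err != nil {
			return err
		}
		if err := crl.CheckSignatureFrom(ca); err != nil {
			return fmt.Errorf("CRL signature rejected: %w", err)
		}
		cache.byURL[url] = crl
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", cert.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// runScenario builds a constructed CA and leaf (not appliance certificates) and
// returns the verdicts of three checks: before revocation, after revocation while
// the stored CRL is still fresh, and after the stored CRL expires; fetches counts
// actual CRL retrievals.
func runScenario() (before, cachedAfter, refreshedAfter error, fetches int, err error) {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: start, NotAfter: start.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRL signing must be permitted
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "etep-01.example.test"},
		NotBefore: start, NotAfter: start.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"}, // placeholder URL
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return
	}
	// publish signs a CRL valid for 24 hours; whatever was published last is what fetch returns.
	publish := func(revoked []pkix.RevokedCertificate, at time.Time) ([]byte, error) {
		return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(int64(len(revoked) + 1)), ThisUpdate: at, NextUpdate: at.Add(24 * time.Hour),
			RevokedCertificates: revoked,
		}, ca, caKey)
	}
	published, err := publish(nil, start)
	if err != nil {
		return
	}
	clock := start
	cache := &crlCache{byURL: map[string]*x509.RevocationList{}, now: func() time.Time { return clock }}
	fetch := func(string) ([]byte, error) { fetches++; return published, nil }
	before = checkRevocation(leaf, ca, cache, fetch) // first contact: CRL fetched and stored
	clock = start.Add(time.Hour)                      // CA revokes the leaf one hour later
	published, err = publish([]pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: clock}}, clock)
	if err != nil {
		return
	}
	cachedAfter = checkRevocation(leaf, ca, cache, fetch) // stored CRL still valid: revocation unseen
	clock = start.Add(25 * time.Hour)                      // past NextUpdate: stored copy discarded
	refreshedAfter = checkRevocation(leaf, ca, cache, fetch)
	return
}

func main() {
	before, cachedAfter, refreshedAfter, fetches, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("before revocation:", before)
	fmt.Println("after revocation, stored CRL:", cachedAfter)
	fmt.Println("after stored CRL expired:", refreshedAfter)
	fmt.Println("CRL fetches:", fetches)
}
```

Two design points carry over to a real deployment: a fetch failure is treated as a failed check rather than silently accepting the peer, and the stored CRL is discarded as soon as its NextUpdate time passes, so the window in which a revocation can go unnoticed is bounded by the CRL validity period the CA chooses.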
Storing the CRLs locally can accelerate the process of checking CRLs and helps minimize false 
authentication failures due to revocation check failures. However, if you choose to store CRLs locally,