Black Box ET0010A User Manual
Validating Certificates
EncrypTight User Guide
289
To install a CRL on the ETEP:
1 Switch to the Certificate Manager perspective.
2 In the Appliances view, right-click on the target ETEP and choose Install CRL.
3 Navigate to the appropriate directory and select the CRL file that you want to install.
4 Click Open.
5 Push the modified configuration to the ETEP in order to complete the installation.
1 Switch to the Certificate Manager perspective.
2 In the Appliances view, right-click on the target ETEP and choose Install CRL.
3 Navigate to the appropriate directory and select the CRL file that you want to install.
4 Click Open.
5 Push the modified configuration to the ETEP in order to complete the installation.
To view CRLs
1 In the Appliances view, right-click the target ETEP and click View CRLs in the shortcut menu. A list
1 In the Appliances view, right-click the target ETEP and click View CRLs in the shortcut menu. A list
of installed CRLs is displayed in the CRLs view.
To delete CRLs
1 In the Certificate Manager perspective, select the target ETEP.
2 Click the CRLs tab.
3 Right-click on the CRL that you want to remove and select Delete.
1 In the Certificate Manager perspective, select the target ETEP.
2 Click the CRLs tab.
3 Right-click on the CRL that you want to remove and select Delete.
Handling Revocation Check Failures
Not being able to check a CRL does not automatically indicate that a certificate is expired or revoked,
especially if the CRL is stored on a server on a different network. By default, if an EncrypTight
component cannot check a CRL for any reason, it logs the failure, but still allows a secure
communication session to be created. In the EncrypTight software and on the ETKMS, you can change
this behavior to fail the authentication instead.
especially if the CRL is stored on a server on a different network. By default, if an EncrypTight
component cannot check a CRL for any reason, it logs the failure, but still allows a secure
communication session to be created. In the EncrypTight software and on the ETKMS, you can change
this behavior to fail the authentication instead.
To change the default ETKMS action when a CRL cannot be checked:
1 Log in as root and edit the file
1 Log in as root and edit the file
/opt/etkms/conf/kdist.properties
and add or edit the
following line in the Certificate Configuration section:
ignoreRevocationCheckErrors=false
2 Save and close the file.
To change the default EncrypTight action when a CRL cannot be checked:
1 In EncrypTight, select Edit > Preferences.
2 Click ETEMS to expand the tree and then click Communications.
3 Click Ignore CRL access failure to clear the check box.
4 Click OK.
1 In EncrypTight, select Edit > Preferences.
2 Click ETEMS to expand the tree and then click Communications.
3 Click Ignore CRL access failure to clear the check box.
4 Click OK.
Validating Certificates Using OCSP
As an alternative to using CRLs, you can validate certificates with the online certificate status protocol
(OCSP). With OCSP, the device that wants to check the validity of a certificate reads the certificate to
determine the URL of the OCSP responder and sends a request that identifies the certificate in question.
Organizations can also explicitly specify a URL to use for the OCSP responder. The OCSP responder
returns a signed OCSP response indicating the validity of the certificate.
(OCSP). With OCSP, the device that wants to check the validity of a certificate reads the certificate to
determine the URL of the OCSP responder and sends a request that identifies the certificate in question.
Organizations can also explicitly specify a URL to use for the OCSP responder. The OCSP responder
returns a signed OCSP response indicating the validity of the certificate.