Client CRL Checking Final Config

Contributor

I was failing CRL checking, causing clients to not be able to login. Here's the final config I'm using (3 level CAs).
Machine-Cert --> CAISSUEWA1 --> CAISSUE1 --> CAROOT

1. The client issuing CA (CAISSUEWA1) should have CRL Checking Options set to use "CDP specified in client certificates", if that is being published.
- Tick Verify Trusted Client CA
- Tick Trusted for Client Authentication
- Untick Participate in Client Certificate Negotiation.

2. The issuing CA (CAISSUEWA1) has the CRL URL of its parent CA (CAISSUE1) in its cert. Copy this URL and paste it in the CRL option of its parent using CRL Checking Option: "manually configured CDP".
- Tick Verify Trusted Client CA
- Tick Trusted for Client Authentication
- Untick Participate in Client Certificate Negotiation.

3. The Root CA (CAROOT) has CRL disabled.
- Untick Verify Trusted Client CA
- Tick Trusted for Client Authentication
- Untick Participate in Client Certificate Negotiation.
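The three steps above map onto the CRL distribution points (CDPs) carried in the certificates themselves: the client certificate names the CRL of CAISSUEWA1, CAISSUEWA1's own certificate names the CRL of CAISSUE1 (that is the URL step 2 copies into the parent's entry), and the self-signed root carries no CDP. The following lab script is an added example, not the appliance configuration from the post: it rebuilds the same four-level chain with `openssl` in a scratch directory, prints each certificate's CDP, then verifies the client certificate with CRL checking at every level. It shows the failure the poster hit (a CRL missing at any level rejects the client) and the check working (a revoked client certificate is rejected). It assumes OpenSSL 1.1.1 or later; the `pki.example.test` URLs, file names and 30-day lifetimes are made up for the lab, and only the CA names mirror the post.

```shell
#!/bin/sh
# Added lab example (not the appliance config from the forum post).
# Chain under test: client -> CAISSUEWA1 -> CAISSUE1 -> CAROOT
# Assumes OpenSSL >= 1.1.1; all URLs and file names are hypothetical.
set -eu
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf   # DN comes from -subj

# ca_exts CDP_URL : extensions for a CA cert; empty URL = root (no CDP at all)
ca_exts() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
  printf 'subjectKeyIdentifier=hash\n'
  if [ -n "${1:-}" ]; then printf 'crlDistributionPoints=URI:%s\n' "$1"; fi
}
# csr NAME : key pair plus CSR for NAME
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config req.cnf \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTFILE : issue NAME.crt from NAME.csr (ISSUER "self" = self-signed root)
sign() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 30 \
      -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}
# gen_crl NAME : CRL signed by CA NAME, from a minimal 'openssl ca' database
gen_crl() {
  [ -f "$1.idx" ] || : > "$1.idx"
  printf '[ ca ]\ndefault_ca = lab\n[ lab ]\ndatabase = %s.idx\ndefault_md = sha256\ndefault_crl_days = 7\n' "$1" > "$1.cnf"
  openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.crt" -out "$1.crl" 2>/dev/null
}
# cdp_of CERT : the CRL distribution point URI inside CERT, empty if it has none
cdp_of() { openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*URI://p'; }
# check_client CRLBUNDLE : verify client.crt with CRL checking at every level;
# prints OK or OpenSSL's reason for the rejection
check_client() {
  if out=$(openssl verify -crl_check_all -CAfile CAROOT.crt -untrusted chain.crt \
             -CRLfile "$1" client.crt 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

# Build the chain; each CDP points at the CRL of the cert's *issuer*
csr CAROOT;     ca_exts "" > CAROOT.ext
sign CAROOT self CAROOT.ext
csr CAISSUE1;   ca_exts http://pki.example.test/CAROOT.crl > CAISSUE1.ext
sign CAISSUE1 CAROOT CAISSUE1.ext
csr CAISSUEWA1; ca_exts http://pki.example.test/CAISSUE1.crl > CAISSUEWA1.ext
sign CAISSUEWA1 CAISSUE1 CAISSUEWA1.ext
csr client
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
printf 'crlDistributionPoints=URI:http://pki.example.test/CAISSUEWA1.crl\n' >> client.ext
sign client CAISSUEWA1 client.ext
cat CAISSUE1.crt CAISSUEWA1.crt > chain.crt

for c in client CAISSUEWA1 CAISSUE1 CAROOT; do echo "$c.crt  CDP: $(cdp_of $c.crt)"; done

for ca in CAROOT CAISSUE1 CAISSUEWA1; do gen_crl $ca; done
cat CAROOT.crl CAISSUE1.crl CAISSUEWA1.crl > all.crl   # every level covered (steps 1-3)
cp CAISSUEWA1.crl partial.crl                          # parent CA's CRL not reachable (step 2 missing)
echo "all CRLs present:    $(check_client all.crl)"
echo "parent CRL missing:  $(check_client partial.crl)"

# Revoke the client cert at CAISSUEWA1 and reissue that CA's CRL
openssl ca -config CAISSUEWA1.cnf -revoke client.crt -keyfile CAISSUEWA1.key -cert CAISSUEWA1.crt 2>/dev/null
gen_crl CAISSUEWA1
cat CAROOT.crl CAISSUE1.crl CAISSUEWA1.crl > revoked.crl
echo "after revocation:    $(check_client revoked.crl)"
```

The `partial.crl` run reproduces the login failure: with checking enabled on every level, the client-issuing CA's CRL alone is not enough, because CAISSUEWA1's own certificate is checked against its parent's CRL, which is why that parent URL has to be reachable from the appliance. The root needs no CDP: nothing above it can revoke it, so its entry only has to be trusted.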
Moderator

Re: Client CRL Checking Final Config

Which one is failing?
Did enabling the CRL on root work?