PingFederate Server

Configuring certificate revocation

You can choose whether to use certificate revocation list (CRL) checking or Online Certificate Status Protocol (OCSP) checking as your preferred verification method.

About this task

By default, OCSP revocation checking is enabled. Optionally, on Security → Certificate & Key Management → Certificate Revocation Checking, you can enable CRL checking as a backup method for failover. Alternatively, depending on your requirements, you can disable OCSP checking and rely only on CRL checking. For more information, see Certificate validation.

Steps

  1. Optional: Configure OCSP.

    For more information about each field, see the following table.

    Field | Description

    Enable OCSP

    Turns on OCSP certificate-revocation checking.

    OCSP checking is enabled by default.

    Default OCSP Responder URL

    A fallback URL for certificate-revocation checking, used only when the certificate itself does not contain an OCSP Responder URL.

    Default OCSP Responder Signature Verification Certificate

    The certificate used to verify that the returned certificate status was signed by the Default OCSP Responder. Required if the signing certificate is not included in the response.

    Click Manage Certificates to import the verification certificate.

    Do NOT allow Responder to use cached responses

    When not selected, the OCSP Responder may answer with a cached response for the subject certificate for the period the response indicates (see the description for Next Update Grace Period).

    If selected, PingFederate includes a nonce in each request to the Responder, which requires the status of the certificate to be determined in real time rather than served from cache. This option strengthens protection against replay of old OCSP responses (in addition to the timestamp checks) where that is required.

    Making this selection might slow down OCSP response time for a request and increases general processing overhead at the Responder site.

    This check box is not selected by default.

    This Update Grace Period (min)

    To consider the response valid, the PingFederate server-clock time must correspond to the <thisUpdate> timestamp in the OCSP response, plus or minus the number of minutes set for this field to compensate for clock variances.

    The default value is 5 minutes.

    Next Update Grace Period (min)

    If the response includes a <nextUpdate> timestamp indicating when updated certificate statuses are available, then PingFederate checks to ensure that the timestamp is not earlier than the current server time, adding this grace period to compensate for clock variances.

    The default value is 5 minutes.

    Responder Timeout (sec)

    The time allowed for a response before the OCSP Responder URL is considered unavailable and processing continues according to the OCSP Responder is Unavailable setting.

    The default value is 5 seconds.

    Response Caching Interval (hrs)

    The number of hours that PingFederate caches the OCSP response.

    The default value is 48 hours.

    Certificate is Unknown

    Indicates what action to take when the Responder reports the certificate as unknown, that is, not issued by the certificate authority (CA) associated with that Responder. The choices are to treat the certificate as valid or as revoked, or to fail over to CRL checking.

    The default selection is Treat as Revoked.

    OCSP Responder is Unavailable

    Indicates what action to take if the Responder cannot be reached within the Responder Timeout. The choices are to treat the certificate as valid or as revoked, or to fail over to CRL checking.

    The default selection is Treat as Valid.

    OCSP Responder Returns Error

    Indicates what action to take if the Responder returns an error. The choices are to treat the certificate as valid or as revoked, or to fail over to CRL checking.

    The default selection is Treat as Revoked.

  2. Optional: Configure CRL checking.

    For more information about each field, see the following table.

    Field/Selection | Description

    Enable CRL Checking

    Enables CRL revocation checking.

    CRL checking must remain enabled if any of the OCSP error-handling selections fail over to CRL checking. If OCSP is enabled and none of those selections specify CRL failover, this selection has no effect.

    CRL revocation checking is disabled by default.

    Treat Unretrievable CRLs as Revoked

    If selected and a CRL cannot be retrieved, PingFederate treats the certificate as revoked and immediately aborts the processing associated with it.

    If not selected, the server treats the certificate as valid and retries CRL retrieval later (see Next Retry on Resolution Failure).

    This check box is not selected by default.

    Next Retry on Resolution Failure (min)

    Specifies the number of minutes the server waits before trying again to retrieve a CRL when the previous attempt failed. Applies only when Treat Unretrievable CRLs as Revoked is not selected.

    The default value is 1440 minutes, which is 24 hours.

    Next Retry on Next Update Expiration (min)

    How long the server waits before requesting a new CRL when the most recently retrieved CRL (in cache) has a next-update time in the past.

    Certain actions in the administrative console, such as saving changes to an identity provider (IdP) adapter instance, reset the CRL cache. When this happens, PingFederate requests new CRLs for subsequent transactions as needed.

    The default value is 60 minutes.

    Verify CRL Signature

    When selected (recommended), PingFederate verifies the CRL signature using the public key of the issuer, which must be in the certificate chain or in the list of Trusted CAs.

    This check box is selected by default.

    Proxy Settings

    If CRL checking is routed through a proxy server, specify the server’s host DNS name or IP address and the port number. The same proxy information applies to OCSP checking, when enabled.
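The decision rules in the two tables above (steps 1 and 2), worked through as an added Python example that is not PingFederate's own code: it applies the This Update and Next Update grace periods, maps unknown, unavailable and error outcomes to the configured actions, and consults a CRL only where the OCSP policy selects failover. The OcspResponse model, the set of revoked serials standing in for a parsed CRL, NOW and at() are constructed for the demo, and a response that fails a timestamp check is handled like a responder error, which is an assumption the page does not state.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Action(Enum):
    VALID = "Treat as Valid"
    REVOKED = "Treat as Revoked"
    CRL = "Fail over to CRL checking"

@dataclass
class OcspPolicy:  # defaults mirror the OCSP settings table
    this_update_grace_min: int = 5
    next_update_grace_min: int = 5
    on_unknown: Action = Action.REVOKED
    on_unavailable: Action = Action.VALID
    on_error: Action = Action.REVOKED

# Constructed model of a parsed OCSP response: status is "good", "revoked" or "unknown"
OcspResponse = namedtuple("OcspResponse", "status this_update next_update error", defaults=(None, False))

def evaluate_ocsp(resp, policy, now):
    """Map an OCSP outcome (None = responder unreachable) to an Action."""
    if resp is None:
        return policy.on_unavailable
    if resp.error:
        return policy.on_error
    # thisUpdate must sit within +/- This Update Grace Period of the server clock
    if abs(now - resp.this_update) > timedelta(minutes=policy.this_update_grace_min):
        return policy.on_error  # assumption: a stale or skewed response is handled like an error
    # nextUpdate, when present, may be at most Next Update Grace Period in the past
    if resp.next_update and resp.next_update + timedelta(minutes=policy.next_update_grace_min) < now:
        return policy.on_error  # same assumption
    return {"good": Action.VALID, "revoked": Action.REVOKED}.get(resp.status, policy.on_unknown)

def check_revocation(serial, resp, ocsp_policy, crl_serials, now, unretrievable_crl_revoked=False):
    """OCSP first; the CRL is consulted only when the OCSP policy selects failover.
    crl_serials: set of revoked serials, or None when the CRL could not be retrieved."""
    action = evaluate_ocsp(resp, ocsp_policy, now)
    if action is not Action.CRL:
        return action
    if crl_serials is None:  # Treat Unretrievable CRLs as Revoked decides this case
        return Action.REVOKED if unretrievable_crl_revoked else Action.VALID
    return Action.REVOKED if serial in crl_serials else Action.VALID

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed server clock for the demo
def at(minutes): return NOW + timedelta(minutes=minutes)  # constructed helper: NOW shifted by minutes
```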