Create a new trusted certificate group.
- Click Security and then go to .
- Click + Add Trusted Certificate Group.
- Drag a certificate into the box that appears.
- In the Name field, enter a name for the group.
- To set the new group to include the Java Trust Store group, select the Use Java Trust Store check box.
Select this option if you create your own intermediate certificate authority (CA) certificate that is signed by a well-known CA in the Java Trust Store.
- To allow PingAccess to ignore date-related errors for certificates that are not yet valid or have expired, select the Skip certificate date check check box.
- To check the client certificate revocation status using certificate revocation list (CRL), select the CRL checking check box.
- To check the client certificate revocation status using Online Certificate Status Protocol (OCSP), select the OCSP check box.
If both CRL checking and OCSP are enabled, OCSP checking is used preferentially, and CRL checking is used if OCSP fails.
- To deny access when any certificate in the certificate chain cannot be verified using its CRL endpoint, select the Deny when unable to determine revocation status check box.
- To validate client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf], select the Validate disordered certificate chains check box.
- To skip validation of any CA certificates configured in the trusted certificate group and their subsequent chain of issuers when trusted CA certificates are found in the client certificate chain, select the Bypass trust anchor validation check box.
- Click Add.
Add additional certificates to the new trusted certificate group by dragging them into the group.
PingAccess has increased WARN logging during the certificate revocation check. You can adjust the log level using the AsyncLogger in log4j2.xml (search for "Certificate Revocation").
A commented-out JAVA_SECURITY_OPTS line is shipped as part of the
The JAVA_SECURITY_OPTS line enables extra Java security logging/debugging for the PKIX CertPathValidator and CertPathBuilder implementations. You can use the ocsp option together with the certpath option for OCSP protocol tracing.
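As an added example (not PingAccess code), the following Java sketch shows how the OCSP-first/CRL-fallback precedence and the "Deny when unable to determine revocation status" option from the procedure above map onto the JDK PKIX CertPathValidator and PKIXRevocationChecker that the debugging note refers to. The class name RevocationPolicyExample and its parameters are assumed names; the chain must already be in leaf-first order, since the JDK validator does not reorder disordered chains.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.List;

/** Added example: expresses the trusted-certificate-group revocation settings with the JDK PKIX API. */
public final class RevocationPolicyExample {

    /**
     * Validates orderedChain ([leaf, intermediate, ...]) against the trust anchors in trustStore.
     * ocspEnabled / crlEnabled correspond to the OCSP and CRL checking check boxes;
     * denyOnUnknownStatus corresponds to "Deny when unable to determine revocation status".
     * Throws CertPathValidatorException when the chain is untrusted or revoked.
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> orderedChain,
                                                       KeyStore trustStore,
                                                       boolean ocspEnabled,
                                                       boolean crlEnabled,
                                                       boolean denyOnUnknownStatus) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore);
        // Disable the built-in check; an explicit PKIXRevocationChecker added below is used
        // irrespective of this flag, so revocation is only checked when a box is ticked.
        params.setRevocationEnabled(false);

        if (ocspEnabled || crlEnabled) {
            PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
            EnumSet<Option> options = EnumSet.noneOf(Option.class);
            // JDK default: OCSP first, CRL as fallback, the same precedence the procedure describes.
            if (!ocspEnabled) options.add(Option.PREFER_CRLS);          // CRL checking only
            if (!(ocspEnabled && crlEnabled)) options.add(Option.NO_FALLBACK); // single mechanism, no fallback
            // Without SOFT_FAIL an unreachable OCSP responder or CRL endpoint fails validation:
            // that is the "deny when unable to determine revocation status" behaviour.
            if (!denyOnUnknownStatus) options.add(Option.SOFT_FAIL);
            checker.setOptions(options);
            params.addCertPathChecker(checker);
        }

        // Run the JVM with -Djava.security.debug=certpath,ocsp to see the PKIX and OCSP tracing
        // the JAVA_SECURITY_OPTS note above refers to.
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(orderedChain);
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }
}
```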