Configure settings for certificate validation

Certificate validation settings allow you to define the settings that the Secure SD-WAN Engine uses when it connects to a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) server.

The Secure SD-WAN Engine validates certificates and checks the certificate revocation status for features that have certificate validation and certificate revocation checks enabled, such as features that use a TLS Profile in the configuration.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an Engine, IPS, or Layer 2 Engine element, then select Edit <element type>.
  2. Browse to Advanced Settings > Certificate Validation.
  3. (Optional) If the Secure SD-WAN Engine cannot access external networks directly, select the HTTP proxy through which OCSP and CRL lookups are sent.
  4. (Optional) Enter the timeout for communication from the Secure SD-WAN Engine to the CRL or OCSP server.
    The default timeout is 120 seconds.
  5. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > Certificate Validation

Use this branch to specify settings for certificate validation and revocation status checks on the engine. The settings are used for features that have certificate validation and certificate revocation checks enabled.

Note: These settings are not supported for Virtual Engines.
Option    Definition

HTTP Proxy (Optional)
    When specified, OCSP and CRL lookups are sent through an HTTP proxy instead of the engine accessing the external network directly.

Timeout for OCSP and CRL Lookups
    The maximum amount of time that the engine tries to connect to the CRL or OCSP server if the connection has failed. The default is 120 seconds.

Active destination server certificate probing
    When selected, it enables the Secure SD-WAN Engine to fetch the server certificate over a separate TLS connection before establishing the original connection.

Server certificate cache timeout
    The set value for this field determines how long the previously fetched certificates are to be retained.
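The two last options describe a probe-then-cache behaviour: the engine opens a separate TLS connection only to obtain the destination's certificate, then keeps it for the configured cache timeout. The following added example (written for this page, not Secure SD-WAN Engine code) models that behaviour with the Python standard library; the class name, the injectable fetcher and clock, and the host names are assumptions for illustration.

```python
import socket
import ssl
import time
from typing import Callable, Dict, Tuple


def probe_server_certificate(host: str, port: int = 443, timeout: float = 120.0) -> str:
    """Fetch the destination's leaf certificate (PEM) over a separate TLS
    connection, the way "active destination server certificate probing" does.
    The probe connection is verified against the system trust store; the
    returned PEM is what a later revocation (OCSP/CRL) check would inspect."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


class ProbedCertificateCache:
    """Retains probed certificates for cache_timeout seconds, mirroring the
    "server certificate cache timeout" option. fetcher and clock are
    injectable so the retention logic can be exercised without a network."""

    def __init__(self, cache_timeout: float,
                 fetcher: Callable[[str, int], str] = probe_server_certificate,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._cache_timeout = cache_timeout
        self._fetcher = fetcher
        self._clock = clock
        self._entries: Dict[Tuple[str, int], Tuple[float, str]] = {}

    def get(self, host: str, port: int = 443) -> str:
        """Return the cached PEM if it is younger than cache_timeout,
        otherwise probe again and refresh the entry."""
        key = (host, port)
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and now - entry[0] < self._cache_timeout:
            return entry[1]
        pem = self._fetcher(host, port)  # hypothetical stand-in for the engine's probe
        self._entries[key] = (now, pem)
        return pem

    def cached_hosts(self) -> int:
        return len(self._entries)
```

A short cache timeout means a revoked or replaced certificate is noticed sooner at the cost of more probe connections; a long one does the opposite.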