Configure settings for certificate validation

Certificate validation settings define how the Security Engine connects to a Certificate Revocation List (CRL) distribution point or an Online Certificate Status Protocol (OCSP) responder when it checks certificate revocation status.

The Security Engine validates certificates and checks the certificate revocation status for features that have certificate validation and certificate revocation checks enabled, such as features that use a TLS Profile in the configuration.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an Engine, IPS, or Layer 2 Engine element, then select Edit <element type>.
  2. Browse to Advanced Settings > Certificate Validation.
  3. (Optional) If the Security Engine cannot access external networks directly, select the HTTP proxy through which OCSP and CRL lookups are sent.
  4. (Optional) Enter the timeout for communication from the Security Engine to the CRL or OCSP server.
    The default timeout is 120 seconds.
  5. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > Certificate Validation

Use this branch to specify settings for certificate validation and revocation status checks on the engine. The settings are used for features that have certificate validation and certificate revocation checks enabled.

Note: These settings are not supported for Virtual Engines.
Options

HTTP Proxy (Optional)
  When specified, Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) lookups are sent through an HTTP proxy instead of the engine accessing the external network directly.

Timeout for OCSP and CRL Lookups
  The maximum amount of time that the engine keeps trying to reach the CRL or OCSP server before it gives up on the lookup. The default is 120 seconds.

Active destination server certificate probing
  When selected, the Security Engine fetches the destination server's certificate over a separate TLS connection before the original connection is established. The original connection is the TLS connection that a client tries to open through the engine to the destination server.

Server certificate cache timeout
  How long previously fetched server certificates are retained in the cache.
  Note: By default, certificate entries in the cache are retained for 1 day.

Distribution Points to Prefetch
  The URLs of the distribution points from which CRLs are fetched in advance and stored in the CRL Cache. This allows certificate validation to continue even if the CRL server cannot be reached during validation.
  Note:
    • The CRLs remain available after a reboot, if they are still valid.
    • The CRLs are refreshed periodically so that valid entries are available in the CRL Cache.
    • Prefetched CRLs are used for certificate validation when dynamic fetching of revocation information fails.
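The lookup, prefetch and fallback behaviour described in this branch, modelled as an added Python example (this is not the product's own code). The Crl structure, the simulated network, the constructed distribution point URL and the decision to report "undetermined" when no valid CRL is available are assumptions; the page does not state how the engine treats a certificate when both the dynamic fetch and the prefetched CRL are unusable.

```python
"""Model of CRL lookup with timeout, proxy, prefetch and fallback (added example)."""
import socket
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

DEFAULT_LOOKUP_TIMEOUT = 120  # seconds: the page's default for OCSP and CRL lookups
DAY = 24 * 3600


@dataclass
class Crl:
    """Stand-in for a parsed CRL (assumption): only the fields the decision needs."""
    issuer: str
    this_update: float          # epoch seconds
    next_update: float          # epoch seconds; the CRL must not be used after this
    revoked_serials: Set[int]

    def is_valid(self, now: float) -> bool:
        return self.this_update <= now < self.next_update


Fetcher = Callable[[str, float], Crl]   # (url, timeout_seconds) -> Crl, raises OSError


def http_fetcher(parse: Callable[[bytes], Crl], proxy: Optional[str] = None) -> Fetcher:
    """Fetch a CRL over HTTP, optionally through a proxy, bounded by a timeout.
    `parse` decodes the DER body (assumption: supplied by the caller, for example
    a wrapper around cryptography.x509.load_der_x509_crl)."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)

    def fetch(url: str, timeout: float) -> Crl:
        with opener.open(url, timeout=timeout) as resp:  # timeouts and URLError are OSError
            return parse(resp.read())
    return fetch


class RevocationChecker:
    """Dynamic lookup first, prefetched CRL as fallback, stale CRLs never used."""

    def __init__(self, fetch: Fetcher, now: Callable[[], float],
                 lookup_timeout: float = DEFAULT_LOOKUP_TIMEOUT) -> None:
        self.fetch, self.now, self.lookup_timeout = fetch, now, lookup_timeout
        self.prefetched: Dict[str, Crl] = {}  # CRL Cache for configured distribution points

    def prefetch(self, url: str) -> bool:
        """Fetch a distribution point ahead of time; keep the old copy on failure."""
        try:
            self.prefetched[url] = self.fetch(url, self.lookup_timeout)
            return True
        except OSError:
            return False

    def refresh(self) -> Dict[str, bool]:
        """Periodic refresh of every prefetched distribution point."""
        return {url: self.prefetch(url) for url in list(self.prefetched)}

    def check(self, serial: int, crl_url: str) -> str:
        """Return 'good', 'revoked' or 'undetermined' for one certificate serial."""
        now = self.now()
        try:
            crl = self.fetch(crl_url, self.lookup_timeout)  # dynamic revocation fetch
        except OSError:
            crl = self.prefetched.get(crl_url)              # fall back to the prefetched copy
        if crl is None or not crl.is_valid(now):
            return "undetermined"  # assumption: no usable CRL is reported, not treated as good
        return "revoked" if serial in crl.revoked_serials else "good"


def simulated_fetcher(store: Dict[str, Crl], net: Dict[str, bool]) -> Fetcher:
    """Constructed stand-in for the network: serves `store`, times out when net['up'] is False."""
    def fetch(url: str, timeout: float) -> Crl:
        if not net["up"]:
            raise socket.timeout(f"no answer from {url} within {timeout}s")
        return store[url]
    return fetch


def demo() -> Dict[str, str]:
    """Prefetch, outage, staleness and recovery, driven by a fake clock."""
    t0 = 1_700_000_000.0
    clock = {"now": t0}
    url = "http://crl.example.test/ca.crl"  # constructed distribution point URL
    store = {url: Crl("CN=Example CA", t0, t0 + 7 * DAY, {0x1001})}
    net = {"up": True}
    checker = RevocationChecker(simulated_fetcher(store, net), now=lambda: clock["now"])
    results: Dict[str, str] = {}

    checker.prefetch(url)                                   # Distribution Points to Prefetch
    net["up"] = False                                       # CRL server becomes unreachable
    results["outage_revoked"] = checker.check(0x1001, url)  # answered from the prefetched CRL
    results["outage_good"] = checker.check(0x2002, url)
    clock["now"] = t0 + 8 * DAY                             # past nextUpdate, still unreachable
    results["stale"] = checker.check(0x2002, url)           # expired CRL is not trusted
    net["up"] = True
    store[url] = Crl("CN=Example CA", t0 + 7 * DAY, t0 + 14 * DAY, {0x1001, 0x2002})
    results["refresh_ok"] = str(checker.refresh()[url])     # periodic refresh succeeds again
    results["recovered"] = checker.check(0x2002, url)       # fresh CRL now lists 0x2002
    return results
```

Calling demo() walks through the four states: a revocation answered from the prefetched CRL while the server is down, an expired prefetched CRL being refused rather than trusted, and the periodic refresh restoring a current copy once the server is reachable. To point the checker at a real distribution point, build the fetcher with http_fetcher(parse, proxy=...); its proxy argument and the timeout passed to each fetch play the roles of the HTTP Proxy and Timeout settings above.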