Enable certificate revocation checking

You can enable automatic checks for revoked certificates, so that the system queries an Online Certificate Status Protocol (OCSP) server and blocks connections that present a revoked certificate.

Before you begin

About this task

Automatic revocation checking is helpful in cases where the CA improperly issued a certificate, or a private key is compromised.

During this task, you can specify an OCSP responder address or use the responder URL embedded in the certificate file. The OCSP server reports whether the CA has revoked a certificate before its scheduled expiration date; if the certificate is revoked, the system blocks the user from accessing the site.

Procedure

  1. Select Settings > Certificates.
  2. Select the Trusted tab.
    Note: You can also enable revocation checking from the Key Management tab.
  3. Click Uncommon Tasks, and then select Enable Revocation Checking from the drop-down menu.
  4. Select I want to enable revocation checking, so that a checkmark appears in the checkbox and additional fields appear in the dialog box.
  5. In the OCSP responder address field, you can optionally enter a URL for an OCSP responder server. If you do not enter an address, the system uses the OCSP server's URL from the certificate file.
  6. Click Test Address to make certain the system can open a connection to the specified URL.
  7. Click Save.

Result

If the storage array attempts to connect to a server with a revoked certificate, the connection is denied and an event is logged.
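The decision this procedure turns on can be reproduced offline with the OpenSSL command-line tools. The script below is an added example and is not part of this documentation or of the storage array's software: it builds a throwaway CA and one leaf certificate whose Authority Information Access extension names a responder (the URL the array falls back to in step 5 when no address is entered), reads that URL back out of the certificate, then plays the responder role with an OpenSSL index database so the leaf can be reported as good, revoked, or unknown. It goes slightly beyond the text by showing all three OCSP statuses rather than only the revoked case. All names (Example Test CA, array.example.test, http://ocsp.example.test/) and the serial number are constructed placeholders, and the responder database is written by the script itself; nothing contacts a network.

```shell
#!/bin/sh
# Added example: offline OCSP revocation check with a constructed test PKI.
# Constructed placeholders: "Example Test CA", "array.example.test",
# "http://ocsp.example.test/". Requires the openssl CLI (1.1.1 or 3.x).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a minimal PKI: a self-signed CA and one leaf certificate that carries
# an OCSP responder URL in its Authority Information Access extension.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=array.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  # The AIA extension is what a client reads when no responder address is
  # configured explicitly.
  printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' \
    > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -set_serial 0x1001 -days 365 -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Print the OCSP responder URL embedded in a certificate (the step-5 fallback).
ocsp_uri_from_cert() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Query a locally simulated responder for the leaf's status.
# $2 selects the responder database contents: R (the leaf is revoked),
# V (the leaf is valid), anything else (the leaf's serial is not known).
# Prints exactly one of: good, revoked, unknown.
ocsp_status() {
  dir=$1; state=$2
  # OpenSSL index.txt rows: status, expiry, revocation date, serial (hex),
  # file name, subject. Serial 1001 matches -set_serial 0x1001 above.
  case $state in
    R) printf 'R\t991231235959Z\t240101000000Z\t1001\tunknown\t/CN=array.example.test\n' ;;
    V) printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=array.example.test\n' ;;
    *) printf 'V\t991231235959Z\t\t2002\tunknown\t/CN=some-other-cert\n' ;;
  esac > "$dir/index.txt"
  # Responder side: answer the request for leaf.pem from the database and
  # sign the response with the CA key. -no_nonce keeps the response replayable.
  openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
    -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" \
    -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -no_nonce \
    -respout "$dir/resp.der" >/dev/null 2>&1
  # Client side: verify the response against the trusted CA and report status.
  openssl ocsp -respin "$dir/resp.der" -CAfile "$dir/ca.pem" \
    -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -no_nonce 2>/dev/null \
    | awk -F': ' '/leaf\.pem: /{print $2}'
}

# Mirror the array's decision: only a "good" answer lets the connection proceed;
# "revoked" and "unknown" are both denied.
connection_decision() {
  case $1 in
    good) echo allow ;;
    *)    echo deny ;;
  esac
}

make_test_pki "$WORK"
echo "Responder URL from certificate: $(ocsp_uri_from_cert "$WORK/leaf.pem")"
for state in V R none; do
  s=$(ocsp_status "$WORK" "$state")
  echo "database=$state -> status=$s -> $(connection_decision "$s")"
done
```

Treating "unknown" the same as "revoked" is the conservative reading of the Result section: the connection is denied unless the responder positively reports the certificate as good. When testing a real responder address (step 6), the same two-stage flow applies, except that the response comes from the URL rather than from a local index file.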