4.6.13 Configure Certificate Revocation Checking

When you use digital certificates to authenticate hosts, you can ensure that those certificates are valid by configuring certificate revocation checking. This feature checks the certificate revocation lists (CRLs) specified by the CRL Distribution Point (CDP) field of the certificate to determine whether the certificate has been revoked.

In Extra!, you can enable CRL checking for all sessions that use Secure Shell certificates and for 3270 sessions that use Micro Focus SSL/TLS security settings.

To enable CRL checking for a Secure Shell session

  1. With a session file open, choose Options > Settings.

  2. On the left, select Connection.

  3. On the General tab, click the Advanced button.

  4. In the Reflection Secure Shell Settings dialog box, click the PKI tab.

  5. Select either Use OCSP or Use CRL.

    NOTE:If CRL checking is enabled in Internet Explorer (via the Check for server certificate revocation* option), Use CRL will be selected by default in all Extra! SSH sessions.

Your settings are saved to an SSH configuration scheme. CRL checking will be applied in all sessions that use this SSH configuration scheme.

To enable CRL checking for an SSL/TLS session (3270 only)

  1. With a session file open, choose Options > Settings.

  2. On the left, select Connection.

  3. On the General tab, click the Add button.

  4. In the Configure Connection dialog box, make sure that Security Type is set to SSL v3.0 or TLS v1.x.

  5. Under Server Authentication, select one or both of the following:

    • Use Certificate Revocation List A digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.

    • Use Online Certificate Status Protocol A protocol (using the HTTP transport) that can be used as an alternative to CRL checking to confirm whether a certificate is valid. An OCSP responder responds to certificate status requests with one of three digitally signed responses: "good", "revoked", and "unknown". Using OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.

      NOTE:Unlike SSH sessions, this CRL setting is independent of the Internet Explorer CRL option Check for server certificate revocation*.