Command Line Interface Reference Guide > The SLB Configuration Menu
/cfg/slb/ssl/authpol/validity
Certificate Validation Check Menu
When authenticating a client during the SSL handshake process, Alteon sends a client certificate request to the client. To complete the handshake, the client then sends the client certificate to Alteon to be validated. If the certificate is valid, the handshake process is complete on both sides of the transaction and the data is sent from the client. If the certificate is not valid, the session is terminated.
Note: If the same client certificate arrives at two different SPs, an Online Certificate Status Protocol (OCSP) query is sent to the OCSP responder, even if OCSP response caching is enabled.
 
[Client Authentication Policy Policy_1 Validation Menu]
method - Set certificate validation check method
ocspmode - Set OCSP validation mode
staturi - Set static URI for OCSP validation requests
stpleuri - Set static URI for OCSP stapling requests
statsecuri - Set secondary static URI for OCSP validation requests
stplsecuri - Set secondary static URI for OCSP stapling requests
uriprior - Set OCSP URI priority
stplepri - Set OCSP Stapling URI priority
crluri - Set CRL Distribution Point (CDP) URI Priority
cachtime - Set OCSP response cache time
timedev - Set OCSP response time deviation
algorthm - Set allowed signing algorithm for the OCSP response
crlfile - Set CRL file
crlgroup - Set backup CRL Distribution Points group
gracetime - Set CDP general grace time
interval - Set CDP update interval
vchain - Enable/Disable validating every CA certificate in the CA chain using OCSP
secure - Enable/Disable secure OCSP response by sending random nonce with the request
retries - Set number of retries to OCSP servers
cur - Display current validity configuration
 
Certificate Validation Check Menu: Command Syntax and Usage
method
 
Specifies the method for validating that a certificate that was already validated as issued by a trusted entity has not been revoked.
Values:
*none — No revocation check is performed.
*OCSP — Certificate revocation status is checked using the Online Certificate Status Protocol.
*CRL — Certificate revocation status is checked in the Certificate Revocation List imported to Alteon.
Relevant only for Client Authentication Policy.
*CDP — Certificate revocation status is checked in the Certificate Revocation List downloaded from the CRL Distribution Point.
Relevant only for Client Authentication Policy.
Default: none
ocspmode [ocsp|stapling|both]
 
Specifies the OCSP validation mode.
Valid values:
*ocsp — On a Client authentication policy, Alteon validates the client certificate.
On a Server authentication policy, Alteon validates the server certificate, vis-à-vis the OCSP servers.
*stapling — On a Client authentication policy, Alteon sends the server certificate, accompanied by the OCSP staple retrieved from the OCSP server, to the client, attesting that the certificate is not revoked. This allows the client to validate the server certificate provided by Alteon without communicating with the OCSP servers.
On a Server authentication policy, Alteon requests the OCSP status from the backend server (OCSP Staple), allowing Alteon to validate the certificate received from the server without communicating with the OCSP servers.
*both (Relevant only for Client authentication policy) — Alteon validates the client certificate and staples the server certificate it sends to the client.
*fallback (Relevant only for Server authentication policy) — Alteon requests the OCSP status from the server (OCSP Staple). If an OCSP staple is not received, Alteon validates the server certificate by communicating with the OCSP servers.
staturi
 
Specifies the static URI for OCSP validation requests.
stpleuri
 
Enter the static URI for sending OCSP Stapling validation requests.
<"URL character string">
statsecuri
 
Enter the secondary static URI for sending OCSP validation requests.
stplsecuri
 
Enter the secondary static URI for sending OCSP Stapling validation requests.
uriprior
 
The OCSP access point can be configured (static URI) or can be provided in the certificate (in the Authority Information Access extension). The OCSP URI priority defines whether to check first if the location is provided in the certificate or not.
Values:
*staticuri — Always access the statically configured URI.
*clientcert — Check for the location in the certificate and, if not available, use the static URI.
Default: clientcert
stplepri [clientcert|staticuri]
 
The OCSP access point can be configured (static URI) or can be provided in the certificate (in the Authority Information Access extension). The OCSP URI priority defines whether to check first if the location is provided in the certificate or not.
Values:
*clientcert (Certificate OCSP URI) — Check for the location in the certificate and, if not available, use the static URI.
*staticuri (Static URI) — Always access the statically configured URI.
Default: clientcert
crluri embedded|userdefined
 
Specifies whether to first access the CDP URI received in the certificate extensions, or to always use the locations defined by the user in the CDP group.
Values:
*embedded — Check for the location in the certificate and, if not available, use the locations defined in the CDP group.
*userdefined — Always use the locations defined by the user in the CDP group.
Default: embedded
cachtime <0 – 180000>
 
Specifies the length of time for which the OCSP response is cached, in seconds.
timedev <0 – 2678400>
 
Specifies the tolerated deviation, in seconds, between the Alteon clock and the OCSP server timestamps when performing OCSP signature verification; deviations up to this value are ignored.
Default: 75
algorthm all|md5|sha1|sha256|sha384|sha512
 
Specifies the signing algorithms allowed for the OCSP response.
Default: all
crlfile
 
Specifies the Certificate Revocation List (CRL) file.
crlgroup
 
Specifies the group of CRL Distribution Points that Alteon should contact to retrieve the CRL file.
gracetime <0-100000>
 
Specifies how long, in minutes, you can continue using a CRL file that has expired. Such an event can occur when communication to the CDP servers fails, or when an expired file is received.
interval <0-720000>
 
Specifies at which interval, in minutes, to access the CDP servers and download the CRL file.
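The interplay of crluri, crlgroup, interval and gracetime is easier to see on a timeline. The following Python model is an added example, not Alteon code: it assumes that CDPs are retried at every check once the interval has elapsed until a download succeeds, that the CDP group serves as backup after the certificate's embedded CDP when crluri is embedded, and it measures time in constructed "minutes" rather than real dates. The CDP URIs and the fetcher functions are constructed placeholders; no network is used.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class CdpPolicy:
    """Settings named after the validity-menu items crluri, crlgroup, interval and gracetime."""
    crluri: str = "embedded"                           # embedded | userdefined
    crlgroup: List[str] = field(default_factory=list)  # backup CDP URIs (the CDP group)
    interval: int = 60                                 # minutes between CDP downloads
    gracetime: int = 0                                 # minutes an expired CRL may still be used


@dataclass
class Crl:
    revoked: Set[str]   # revoked certificate serials
    next_update: int    # minute at which the CRL expires (constructed unit, not a real date)
    fetched_at: int     # minute at which it was downloaded


Fetcher = Callable[[int], Crl]  # takes the current minute, returns a CRL or raises ConnectionError


def cdp_order(policy: CdpPolicy, cert_cdp_uri: Optional[str]) -> List[str]:
    """embedded: the certificate's CDP first, the group as backup; userdefined: the group only."""
    group = list(policy.crlgroup)
    if policy.crluri == "embedded" and cert_cdp_uri:
        return [cert_cdp_uri] + [u for u in group if u != cert_cdp_uri]
    return group


class CrlStore:
    """Holds the CRL in use and decides when to refresh it and whether it may still be used."""

    def __init__(self, policy: CdpPolicy):
        self.policy = policy
        self.crl: Optional[Crl] = None
        self.source: Optional[str] = None

    def refresh_due(self, now: int) -> bool:
        # retried at every check once the interval has elapsed, until a download succeeds (assumption)
        return self.crl is None or now - self.crl.fetched_at >= self.policy.interval

    def refresh(self, cert_cdp_uri: Optional[str], fetchers: Dict[str, Fetcher], now: int) -> bool:
        """Try the CDPs in order; on total failure keep the CRL already held."""
        for uri in cdp_order(self.policy, cert_cdp_uri):
            fetch = fetchers.get(uri)
            if fetch is None:
                continue
            try:
                self.crl, self.source = fetch(now), uri
                return True
            except ConnectionError:
                continue
        return False

    def usable(self, now: int) -> bool:
        """A CRL stays usable until nextUpdate plus gracetime minutes, even if every CDP is down."""
        return self.crl is not None and now <= self.crl.next_update + self.policy.gracetime

    def status(self, serial: str, now: int) -> str:
        if not self.usable(now):
            return "unknown"  # no trustworthy CRL: the handshake is terminated
        return "revoked" if serial in self.crl.revoked else "good"


def simulate() -> Dict[int, Tuple[str, Optional[str]]]:
    """Constructed timeline: the certificate's own CDP serves once and then goes down;
    the backup CDP in the group only comes up at minute 180."""
    primary = "http://cdp.primary.example/ca.crl"  # placeholder URI
    backup = "http://cdp.backup.example/ca.crl"    # placeholder URI
    policy = CdpPolicy(crluri="embedded", crlgroup=[backup], interval=60, gracetime=30)

    def primary_cdp(now: int) -> Crl:
        if now > 0:
            raise ConnectionError("simulated outage")
        return Crl({"0A"}, next_update=now + 120, fetched_at=now)

    def backup_cdp(now: int) -> Crl:
        if now < 180:
            raise ConnectionError("simulated outage")
        return Crl({"0A", "0B"}, next_update=now + 120, fetched_at=now)

    store = CrlStore(policy)
    fetchers = {primary: primary_cdp, backup: backup_cdp}
    timeline = {}
    for minute in (0, 60, 120, 149, 151, 180):
        if store.refresh_due(minute):
            store.refresh(primary, fetchers, minute)
        timeline[minute] = (store.status("0B", minute), store.source)
    return timeline


if __name__ == "__main__":
    for minute, (status, source) in simulate().items():
        print(f"minute {minute:3d}: serial 0B is {status} (CRL from {source})")
```

Running the timeline shows the operational meaning of gracetime: the CRL fetched at minute 0 expires at minute 120, stays usable through minute 150 because gracetime is 30, and at minute 151 every lookup returns unknown, so client handshakes fail until the backup CDP in the group answers at minute 180. Sizing gracetime therefore trades revocation freshness against availability during a CDP outage.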
vchain disabled|enabled
 
Specifies whether to enable validation of every certificate in the certificate chain, or only of the authenticated element (client/server) certificate.
Default: disabled
secure disabled|enabled
 
Specifies whether to verify that the certificate status information received from the OCSP responder is up-to-date by sending a random nonce (a random sequence of 20 bytes) in the OCSP request. The OCSP responder must use its private key to sign the response containing this nonce.
Default: enabled
retries
 
Specifies the number of retries to OCSP servers.
Values: 1-5
Default: 3
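The OCSP items above (uriprior with staturi and statsecuri, cachtime, timedev, algorthm, secure and retries) together decide which responder is asked, whether a cached answer is reused, and whether a reply is accepted. The following Python model is an added example, not Alteon code. It assumes that the secondary static URI is tried after the primary, that cachtime 0 disables caching, that retries means re-attempts after the first connection failure, that a reply failing validation is not retried, and that timedev is applied symmetrically to thisUpdate and nextUpdate. The responder URIs and the responder functions are constructed placeholders; nothing touches the network.

```python
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

NONCE_LEN = 20  # the page states the nonce is a random sequence of 20 bytes


@dataclass
class OcspPolicy:
    """Policy settings named after the validity-menu items; defaults are the page's."""
    uriprior: str = "clientcert"  # clientcert | staticuri
    staturi: str = ""             # primary static responder URI
    statsecuri: str = ""          # secondary static URI (assumed: tried after the primary)
    cachtime: int = 0             # seconds a response is cached (assumed: 0 disables caching)
    timedev: int = 75             # tolerated clock skew, seconds
    algorthm: str = "all"         # all | md5 | sha1 | sha256 | sha384 | sha512
    secure: bool = True           # send a nonce and require the responder to echo it
    retries: int = 3              # re-attempts after a failed connection (assumed meaning)


@dataclass
class OcspResponse:
    status: str                    # good | revoked | unknown
    this_update: int               # epoch seconds
    next_update: int               # epoch seconds
    sig_alg: str                   # signing algorithm name, e.g. "sha256"
    nonce: Optional[bytes] = None  # nonce echoed from the request, if any


Responder = Callable[[Optional[bytes]], OcspResponse]


def responder_order(policy: OcspPolicy, cert_aia_uri: Optional[str]) -> list:
    """uriprior=staticuri ignores the certificate's AIA URI; uriprior=clientcert uses it
    when present and falls back to the static URIs when the certificate has none."""
    statics = [u for u in (policy.staturi, policy.statsecuri) if u]
    if policy.uriprior == "staticuri" or not cert_aia_uri:
        return statics
    return [cert_aia_uri]


def response_failure(policy, resp: OcspResponse, sent_nonce: Optional[bytes], now: int):
    """None if the reply passes the algorthm, timedev and nonce checks, else the failing check."""
    if policy.algorthm != "all" and resp.sig_alg != policy.algorthm:
        return "algorithm"
    # thisUpdate may lie up to timedev seconds in the future, nextUpdate up to timedev in the past
    if resp.this_update > now + policy.timedev or resp.next_update < now - policy.timedev:
        return "timestamp"
    if policy.secure and resp.nonce != sent_nonce:
        return "nonce"  # missing or stale nonce: treat as a replayed response
    return None


def query_responder(policy, responder: Responder, now: int) -> Tuple[Optional[str], Optional[str]]:
    """First attempt plus `retries` re-attempts on connection failure. Returns (status, failure)."""
    for _ in range(1 + policy.retries):
        nonce = os.urandom(NONCE_LEN) if policy.secure else None
        try:
            resp = responder(nonce)
        except ConnectionError:
            continue
        failure = response_failure(policy, resp, nonce, now)
        return (resp.status, None) if failure is None else (None, failure)  # bad reply: no retry
    return None, "unreachable"


def check_revocation(policy, cert: Dict[str, str], responders: Dict[str, Responder],
                     cache: Dict[str, Tuple[str, int]], now: int) -> Tuple[str, str]:
    """Cache first, then the ordered responders. Returns (status, source); 'unknown' means
    no usable answer, and per the page the handshake is then terminated."""
    serial = cert["serial"]
    hit = cache.get(serial)
    if hit and policy.cachtime > 0 and now - hit[1] < policy.cachtime:
        return hit[0], "cache"
    last_failure = "no responder configured"
    for uri in responder_order(policy, cert.get("aia_uri")):
        responder = responders.get(uri)
        if responder is None:
            continue
        status, failure = query_responder(policy, responder, now)
        if status is not None:
            cache[serial] = (status, now)
            return status, uri
        last_failure = failure
    return "unknown", last_failure


def make_responder(now: int, fail_first: int = 0, echo_nonce: bool = True, sig_alg: str = "sha256"):
    """Constructed stand-in for an OCSP responder: raises ConnectionError for the first
    `fail_first` calls, then answers 'good'; echo_nonce=False imitates a replayed reply."""
    calls = {"n": 0}

    def respond(nonce: Optional[bytes]) -> OcspResponse:
        calls["n"] += 1
        if calls["n"] <= fail_first:
            raise ConnectionError("simulated timeout")
        echoed = nonce if echo_nonce else b"\x00" * NONCE_LEN
        return OcspResponse("good", now - 60, now + 3600, sig_alg, echoed)

    return respond


def demo() -> Dict[str, Tuple[str, str]]:
    now = 1_700_000_000
    primary, secondary = "http://ocsp.primary.example", "http://ocsp.secondary.example"  # placeholders
    from_cert = "http://ocsp.from-cert.example"                                          # placeholder
    policy = OcspPolicy(staturi=primary, statsecuri=secondary, cachtime=600)
    responders = {
        primary: make_responder(now, fail_first=100),      # permanently down
        secondary: make_responder(now, fail_first=2),      # answers on the third attempt
        from_cert: make_responder(now, echo_nonce=False),  # replays an old response
    }
    cache: Dict[str, Tuple[str, int]] = {}
    out = {}
    # certificate with an AIA URI: uriprior=clientcert goes there and rejects the replayed answer
    out["replay"] = check_revocation(policy, {"serial": "01", "aia_uri": from_cert}, responders, cache, now)
    # certificate without AIA: primary static URI exhausts its retries, secondary answers
    out["fallback"] = check_revocation(policy, {"serial": "02"}, responders, cache, now)
    # same certificate within cachtime is answered from the cache
    out["cached"] = check_revocation(policy, {"serial": "02"}, responders, cache, now + 100)
    # after cachtime the responders are consulted again
    out["expired"] = check_revocation(policy, {"serial": "02"}, responders, cache, now + 601)
    return out
```

Running demo() gives unknown for the replayed reply (the nonce check rejects it, so the handshake is dropped), good from the secondary responder after the primary exhausts its retries, good from the cache 100 seconds later, and a fresh responder query once the 600-second cachtime has passed. With secure disabled the replayed reply would have been accepted, which is the risk that setting controls.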
cur
 
Displays the current status for all validity settings.