Adding certification authorities and configuring certificate revocation control
SDMC makes it possible to add certificates from your certification authorities to your security policies, so that the SDS Enterprise agent can monitor users' certificate trust chain.
It also allows you to set up revocation control, which is the only way to indicate that a user's certificate must no longer be used, for example if the owner of the certificate no longer belongs to a group, if the user's key may have been compromised, or if the user has obtained another certificate.
Revocation control can be performed using either a Certificate Revocation List (CRL) or the OCSP protocol. With OCSP, the URL of the OCSP responder must be specified in the certificate.
Such data is generated by the administrator of the public key infrastructure (PKI) that the organization uses.
SDMC makes it possible to list the CRL distribution points for every certification authority that issues certificates to your users. This list is specific to each security policy.
SDS Enterprise agents download CRLs from the indicated distribution points so that the validity of users' certificates can be verified.
Three aspects of a certificate are verified:
- The certificate itself: format, validity dates, signature, extension, etc.;
- The trust chain: it must be possible to establish a complete chain, up to the certificate of a trusted authority. Each certificate must meet the same level of security as the original certificate being checked. When a certificate in a chain cannot be validated, another chain is verified, until a valid chain is found.
- Revocation control: this check ensures that no certificate in the chain is on a CRL supplied by the certification authority (or by a third party to which CRL creation has been delegated). Since CRLs are themselves signed with a certificate, the control also checks the certificates used to sign the CRLs.
The CRL verification mechanism is described in the standards governing certificates and CRLs (X.509 standard, RFC 3280 and RFC 5280).
There are two ways in which SDS Enterprise agents can obtain the CRLs to be downloaded locally for certificate verifications:
- From the CRL distribution list set in the authorities' certificate settings,
- From the custom CRL distribution lists indicated for each authority, in the security policy in SDMC.
You can set the number of days CRLs will remain valid.
When you add certification authority certificates in SDMC, they can be looked up in the Authority tab in the trusted address book on user workstations. These certificates allow the SDS Enterprise agent to guarantee that user certificates are issued by trusted authorities and to verify the validity of the certificates.
To add a certificate:
- In Policy > Authorities, click on Add from library to the left of the panel.
- Select one or more certificates out of the ones that were added earlier in the Certificate library menu.
The settings of certification authority certificates contain CRL distribution lists. If you wish to indicate the custom CRL distribution lists for each authority, refer to the following section.
To customize the CRL distribution points for each certification authority, go to Policy > Authorities. You can indicate as many distribution points as you need. To download CRLs, the SDS Enterprise agent looks up these distribution points in addition to the one indicated in the certificate of each authority.
- Indicate a CRL validity period. This is the duration after which the SDS Enterprise agent downloads CRLs again locally to ensure that it always has updated data.
- Select a certification authority from the left side of the panel.
- To the right of the panel, indicate one or several CRL distribution points for each selected authority. The distribution point can be accessed via the following protocols:
  - http:// or https://
  - LDAP:// or LDAPS://
  - file:///
- Change the order of distribution points if necessary by clicking and dragging.
From their SDS Enterprise accounts, users can look up the list of certification authorities and CRL distribution points. For more information, refer to the section Looking up certification authorities from the SDS Enterprise agent.
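The following Python script is an added example, not Stormshield code and not a description of how the SDS Enterprise agent is implemented. It checks a planned distribution-point list against the protocols listed above before the list is entered in the policy, and models the CRL validity period. The host names, paths, the rejection of a host part in `file://` URLs and the `nextUpdate` rule are assumptions of the example.

```python
from datetime import timedelta
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ldap", "ldaps"}  # schemes listed on the page
ALLOWED_SCHEMES = NETWORK_SCHEMES | {"file"}
# Constructed sample list for one authority (hosts and paths are made up).
SAMPLE_POINTS = [
    "http://crl.example.test/ca.crl",
    "LDAP://ldap.example.test/cn=CA,dc=example,dc=test?certificateRevocationList",
    "file:///srv/crl/ca.crl",
    "ftp://crl.example.test/ca.crl",
    "https:///ca.crl",
    "HTTP://CRL.example.test/ca.crl",
]


def check_point(url):
    """Return None when a distribution point is well formed, else the reason."""
    parts = urlsplit(url.strip())  # urlsplit lowercases the scheme (LDAP:// is fine)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"unsupported scheme {parts.scheme or '(none)'!r}"
    if parts.scheme in NETWORK_SCHEMES and not parts.hostname:
        return "missing host"
    if parts.scheme == "file" and (parts.netloc or parts.path in ("", "/")):
        return "file:/// needs an empty host and an absolute path"
    return None


def lint_points(points):
    """Return (accepted URLs in their original order, {rejected URL: reason})."""
    accepted, rejected, seen = [], {}, set()
    for url in points:
        parts = urlsplit(url.strip())
        key = parts._replace(netloc=parts.netloc.lower()).geturl()
        reason = check_point(url) or ("duplicate entry" if key in seen else None)
        if reason:
            rejected[url] = reason
        else:
            seen.add(key)
            accepted.append(url)
    return accepted, rejected


def needs_download(downloaded_at, validity_days, now, next_update=None):
    """True when the local CRL copy is due for a new download."""
    if now - downloaded_at >= timedelta(days=validity_days):
        return True  # policy validity period elapsed
    # Assumption of this example: a copy past its own nextUpdate is also stale.
    return next_update is not None and now >= next_update
```

Passing the `nextUpdate` date of the CA's current CRL to `needs_download` shows whether a chosen validity period is longer than the interval at which the PKI publishes CRLs.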