ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Changes in the way gateway processes Certificate Revocation List (CRL) when cache expires
Article ID: 107093
Updated On:
Products
STARTER PACK-7
CA Rapid App Security
CA API Gateway
Issue/Introduction
What are the Changes in the way gateway processes Certificate Revocation List (CRL) when cache expires
Environment
Release:
Component: APIESM
Component: APIESM
Resolution
From 9.2 CR10 and 9.3 CR04 onwards, a new cluster wide property (CWP) is going to be introduced. pkix.crl.invalidateCrlCacheOnNextUpdate will by default be set to false so that existing gateway users are not affected.
When pkix.crl.invalidateCrlCacheOnNextUpdate is set to true, the gateway will invalidate the CRL on next update.
The log messages in the ssg logs have also been enhanced to include extra log if the CRL is beyond the validity period.
logger.severe("CRL [URL] is beyond validity period, hence no longer used for revocation prior to the CertPathValidatorException
See following for full list of CWP’s for certificate validation.
https://docops.ca.com/ca-api-gateway/9-3/en/reference/gateway-cluster-properties/certificate-validation-cluster-properties/
When pkix.crl.invalidateCrlCacheOnNextUpdate is set to true, the gateway will invalidate the CRL on next update.
The log messages in the ssg logs have also been enhanced to include extra log if the CRL is beyond the validity period.
logger.severe("CRL [URL] is beyond validity period, hence no longer used for revocation prior to the CertPathValidatorException
See following for full list of CWP’s for certificate validation.
https://docops.ca.com/ca-api-gateway/9-3/en/reference/gateway-cluster-properties/certificate-validation-cluster-properties/
Feedback
Yes
No
Powered by
