The CA API Gateway can validate client certificates in numerous ways: it can validate chains of trust, check certificate validity and expiry periods, and check certificates against certificate revocation lists (CRLs). This article focuses on leveraging a CRL from an external site to validate users or systems that consume services published in, and protected by, a Gateway cluster. The steps below use a CRL together with a Federated Identity Provider (FIP) located within the Gateway appliance; the same approach can be used with directory services (such as Active Directory or generic LDAP directories) or the Internal Identity Provider as necessary.
More information on adding certificates to the Gateway's local certificate trust store can be found within the Policy Manager User Manual for the applicable version of the Gateway.
Client Certificate Revocation Checking for Client Certificate Authentication

1. Configure a Federated Identity Provider for X.509 authentication using the trusted certificate of the root CA that signs the client certificates. NOTE: no user certificates are added to this FIP.
2. The client accesses the Gateway endpoint from a browser that has a P12 client certificate installed; that certificate was issued by the root CA whose trusted certificate was added to the FIP.
3. The client is authenticated against the identity provider (the FIP).
4. The Validate Certificate assertion performs revocation checking (CRL checking) on the presented client certificate.
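The checks the Gateway applies in steps 1 to 4 (trust chain back to the FIP's root CA, validity period, then CRL lookup) can be reproduced outside the Gateway to test a CRL before pointing a policy at it. The following is an added example, not code from the article or the Gateway product; it assumes the Python `cryptography` library is installed and builds a constructed root CA, two client certificates and a CRL in memory.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

ONE_DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject, issuer_name, pub, signer_key, now, is_ca=False):
    # Issue a certificate valid from yesterday for one year, signed by signer_key
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(issuer_name)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def build_fixture(now):
    """Constructed data: a root CA (the FIP's trusted cert), two client certs, a CRL revoking one."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _issue("Constructed Root CA", _name("Constructed Root CA"),
                     ca_key.public_key(), ca_key, now, is_ca=True)
    good = _issue("alice", ca_cert.subject, ec.generate_private_key(ec.SECP256R1()).public_key(), ca_key, now)
    revoked = _issue("mallory", ca_cert.subject, ec.generate_private_key(ec.SECP256R1()).public_key(), ca_key, now)
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca_cert.subject).last_update(now).next_update(now + 7 * ONE_DAY)
           .add_revoked_certificate(x509.RevokedCertificateBuilder()
                                    .serial_number(revoked.serial_number)
                                    .revocation_date(now).build())
           .sign(ca_key, hashes.SHA256()))
    return ca_cert, crl, good, revoked

def validate_client_cert(cert, ca_cert, crl, now):
    """Trust chain, then validity period, then CRL; any doubt about the CRL fails closed."""
    try:  # 1. the client cert must be issued and signed by the root CA trusted in the FIP
        if cert.issuer != ca_cert.subject:
            raise InvalidSignature
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted"
    if not (cert.not_valid_before <= now <= cert.not_valid_after):  # 2. validity period
        return "expired"
    # 3. the CRL must come from that same CA, carry its signature, and not be past next_update
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-crl"
    if crl.next_update is not None and crl.next_update < now:
        return "stale-crl"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"
```

A stale or unsigned CRL is reported as its own failure rather than treated as "not revoked", which is the behaviour to confirm when the external CRL site becomes unreachable.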