Certificate validation method

Path

Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Certificate validation method

Description

Specify the certificate validation method to use for the Mac computer.

Note: This group policy has no effect on the “Keychain Access > Preferences > Certificates” settings. Keychain Access > Preferences are per-user settings, which are not used by a Mac computer during login. This group policy changes Centrify SmartCardTool > Revocation settings, which represent the system settings used by a Mac computer during login.

This policy allows you to choose one or both of the two common methods for verifying the validity of a certificate:

  • Certificate Revocation List: Use a certificate revocation list (CRL) from a revocation server.
  • Online Certificate Status Protocol: Use an online certificate status protocol (OCSP) responder to validate certificates.

    If you select this option, you can specify a local responder to override the one provided in the certificates.

For each validation option, you can select one of the following settings:

  • Off: No revocation checking is performed.
  • Best attempt: The certificate passes unless the server returns an indication of a bad certificate.

    This setting is recommended for most environments.

  • Require if cert indicates: If the URL to the revocation server is provided in the certificate, this setting requires a successful connection to a revocation server as well as no indication of a bad certificate.

    Specify this option only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.

  • Require for all certs: This setting requires successful validation of all certificates.

    Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.

  • Local Responder: If you choose to validate the certificate via OCSP, you can specify a local responder to override that provided in the certificates.
  • Priority: The priority determines which method (OCSP or CRL) is attempted first.

    If the first method chosen returns a successful validation, the second method is not attempted, unless you choose to require both.
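The following model of the decision rules above is an added example, not Centrify's own code. It models each setting (Off, Best attempt, Require if cert indicates, Require for all certs), the Priority rule and the Local Responder override with constructed responder replies ('good', 'revoked', 'unreachable'); the reading of "unless you choose to require both" as "both methods are set to a Require setting" is an assumption.

```python
from enum import Enum

class Mode(Enum):
    OFF = "Off"
    BEST_ATTEMPT = "Best attempt"
    REQUIRE_IF_INDICATED = "Require if cert indicates"
    REQUIRE_ALL = "Require for all certs"

REQUIRE = (Mode.REQUIRE_IF_INDICATED, Mode.REQUIRE_ALL)

def run_method(mode, url_available, reply):
    """Outcome of one revocation method (OCSP or CRL) under one setting.
    reply is the constructed responder answer: 'good', 'revoked' or 'unreachable'.
    Returns 'pass' (validated), 'fail', 'unknown' (inconclusive, tolerated) or 'skip'."""
    if mode is Mode.OFF:
        return "skip"
    if reply == "revoked":                      # a bad indication fails in every mode
        return "fail"
    if mode is Mode.BEST_ATTEMPT:               # unreachable server or no URL is tolerated
        return "pass" if url_available and reply == "good" else "unknown"
    if mode is Mode.REQUIRE_IF_INDICATED and not url_available:
        return "skip"                           # cert names no server, so nothing is required
    # Require if cert indicates (with a URL) or Require for all certs: only 'good' passes,
    # so an unreachable server means failure here
    return "pass" if url_available and reply == "good" else "fail"

def validate(ocsp, crl, url_in_cert, ocsp_reply, crl_reply,
             priority="OCSP", local_responder=False):
    """Combine both methods in Priority order. Returns (accepted, trace of attempts)."""
    order = [("OCSP", ocsp, ocsp_reply), ("CRL", crl, crl_reply)]
    if priority == "CRL":
        order.reverse()
    # assumption: "require both" means both methods are set to a Require setting
    require_both = ocsp in REQUIRE and crl in REQUIRE
    trace = []
    for name, mode, reply in order:
        # a configured Local Responder overrides the OCSP URL carried in the certificate
        available = url_in_cert or (name == "OCSP" and local_responder)
        outcome = run_method(mode, available, reply)
        trace.append((name, outcome))
        if outcome == "fail":
            return False, trace
        if outcome == "pass" and not require_both:
            return True, trace                  # first success: second method not attempted
    return True, trace
```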