Certificate validation method
Path
Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Certificate validation method
Description
Specify the certificate validation method to use for the Mac computer.
Note: This group policy has no effect on the “Keychain Access > Preferences > Certificates” settings. Keychain Access > Preferences are per-user settings, which are not used by a Mac computer during login. This group policy changes Centrify SmartCardTool > Revocation settings, which represent the system settings used by a Mac computer during login.
This policy allows you to choose either one, or both of the two common methods for verifying the validity of a certificate:
- Certificate Revocation List: Use a certificate revocation list (CRL) from a revocation server.
- Online Certificate Status Protocol: Use an online certificate status protocol (OCSP) responder to validate certificates. If you select this option, you can specify a local responder to override the one provided in the certificates.
For each validation option, you can select one of the following settings:
- Off: No revocation checking is performed.
- Best attempt: The certificate passes unless the server returns an indication of a bad certificate. This setting is recommended for most environments.
- Require if cert indicates: If the URL to the revocation server is provided in the certificate, this setting requires a successful connection to a revocation server as well as no indication of a bad certificate. Specify this option only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.
- Require for all certs: This setting requires successful validation of all certificates. Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.
- Local Responder: If you choose to validate the certificate via OCSP, you can specify a local responder to override the one provided in the certificates.
- Priority: The priority determines which method (OCSP or CRL) is attempted first. If the first method chosen returns a successful validation, the second method is not attempted, unless you choose to require both.
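The following Python model is an added example, not Centrify's or Apple's code, that works through how the four settings, the local responder override and the priority combine into a single accept/reject decision. Network queries are replaced by a constructed lookup table of responder answers, so an unreachable CRL server or OCSP responder is simulated by a missing entry; the `Policy` and `Certificate` classes, the rule that a "bad certificate" answer from either method is final, and the treatment of the local responder as the URL that is queried when it is set are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    """The four per-method settings described in the policy."""
    OFF = "Off"
    BEST_ATTEMPT = "Best attempt"
    REQUIRE_IF_CERT_INDICATES = "Require if cert indicates"
    REQUIRE_FOR_ALL = "Require for all certs"


class Answer(Enum):
    """What a CRL server or OCSP responder reports (constructed stand-in for a network query)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # server unreachable or no usable response


class Result(Enum):
    PASS = "pass"   # the method positively confirmed the certificate
    SKIP = "skip"   # no check was made, or no answer and the mode tolerates that
    FAIL = "fail"   # bad certificate, or a required answer could not be obtained


@dataclass
class Policy:
    crl: Mode = Mode.OFF
    ocsp: Mode = Mode.OFF
    local_responder: Optional[str] = None   # OCSP override (hypothetical URL when set)
    priority: str = "OCSP"                  # "OCSP" or "CRL": which method runs first


@dataclass
class Certificate:
    subject: str
    crl_url: Optional[str]    # CRL distribution point carried in the certificate, if any
    ocsp_url: Optional[str]   # OCSP responder URL carried in the certificate, if any


def evaluate_method(mode: Mode, url: Optional[str], answer: Optional[Answer]) -> Result:
    """Apply one method's setting to the answer obtained (or not obtained) from its server."""
    if mode is Mode.OFF:
        return Result.SKIP
    if url is None:
        # "Require for all certs" demands validation even when the cert names no server.
        return Result.FAIL if mode is Mode.REQUIRE_FOR_ALL else Result.SKIP
    if answer is Answer.GOOD:
        return Result.PASS
    if answer is Answer.REVOKED:
        return Result.FAIL
    # Server unavailable: only "Best attempt" lets the certificate pass on no answer.
    return Result.SKIP if mode is Mode.BEST_ATTEMPT else Result.FAIL


def validate(policy: Policy, cert: Certificate,
             responders: Dict[str, Answer]) -> Tuple[bool, List[Tuple[str, Result]]]:
    """Run the methods in priority order and return (accepted, trail of attempted checks)."""
    # Assumption: a configured local responder replaces the URL from the certificate.
    ocsp_url = policy.local_responder or cert.ocsp_url
    methods = {"OCSP": (policy.ocsp, ocsp_url), "CRL": (policy.crl, cert.crl_url)}
    order = ["OCSP", "CRL"] if policy.priority == "OCSP" else ["CRL", "OCSP"]
    # "Require both": both methods are set to a Require-* mode, so both are always attempted.
    require_both = all(m in (Mode.REQUIRE_IF_CERT_INDICATES, Mode.REQUIRE_FOR_ALL)
                       for m, _ in methods.values())
    trail: List[Tuple[str, Result]] = []
    for name in order:
        mode, url = methods[name]
        answer = responders.get(url, Answer.UNAVAILABLE) if url else None
        result = evaluate_method(mode, url, answer)
        trail.append((name, result))
        if result is Result.FAIL:
            return False, trail          # assumption: a bad indication is final
        if result is Result.PASS and not require_both:
            break                        # first method succeeded; second not attempted
    return True, trail


if __name__ == "__main__":
    # Constructed sample: the OCSP responder is down, the CRL server answers "good".
    cert = Certificate("CN=user", "http://crl.example.test/ca.crl", "http://ocsp.example.test")
    answers = {"http://crl.example.test/ca.crl": Answer.GOOD}
    print(validate(Policy(crl=Mode.BEST_ATTEMPT, ocsp=Mode.BEST_ATTEMPT), cert, answers))
    print(validate(Policy(ocsp=Mode.REQUIRE_IF_CERT_INDICATES), cert, answers))
```

The trail returned alongside the decision is the part worth keeping in a log: with "Best attempt" on both methods the unavailable OCSP responder is skipped and the CRL check carries the decision, whereas "Require if cert indicates" turns the same outage into a rejection, which is the failure mode the policy text warns about for environments that cannot guarantee a reachable server.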