Configuring certificate validation

You can use the “Certificate validation method” group policy to configure how certificates are validated or rejected by using a Certificate Revocation List (CRL) stored on a revocation server.

To configure how certificates are validated

  1. On a Windows computer, open Group Policy Management and select the Group Policy object where you enabled smart card support for Red Hat Linux computers; right-click the Group Policy object, then click Edit.
  2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Centrify Settings > Linux Settings, click Security, then double-click Certificate validation method.
  3. Select Enabled.
  4. Choose one of the following options from “Certificate Revocation List”:

    • Off: To disable certificate validation.

      If you select this setting, no revocation checking is performed.

    • Best attempt: To check that certificates are not rejected as invalid, untrusted, or revoked by the certificate revocation list (CRL).

      This setting is appropriate for most organizations.

    • Require if cert indicates: To require a successful connection to the revocation server whenever the certificate identifies one.

      If a URL to the revocation server is provided in the certificate, this setting requires a successful connection to that revocation server and checks that certificates are not rejected as invalid, untrusted, or revoked by the CRL. You should only use this setting in a tightly controlled environment that guarantees the presence of a CRL server. If a CRL server is not available, certificate validation may prevent further processing of an authentication request.

    • Require for all certs: To require successful validation of all certificates.

      You should only use this setting in a tightly controlled environment that guarantees the presence of a CRL server. If a CRL server is not available, certificate validation may prevent further processing of an authentication request.

  5. Click OK to save the policy settings.
  6. To apply the group policy immediately to any computer, restart the computer or run the adgpupdate command on it.

    Otherwise, all affected computers will be updated automatically at the next group policy update interval.
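The following is an added example that models the four "Certificate Revocation List" options described in step 4 as a decision function, so the difference between the soft-fail "Best attempt" mode and the two "Require" modes can be seen on sample inputs. It is not Centrify code: the certificate records, the CRL table, and the rule that "Require for all certs" rejects a certificate carrying no CRL URL are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class CrlMode(Enum):
    """The four values of the 'Certificate Revocation List' policy setting."""
    OFF = "Off"
    BEST_ATTEMPT = "Best attempt"
    REQUIRE_IF_CERT_INDICATES = "Require if cert indicates"
    REQUIRE_FOR_ALL_CERTS = "Require for all certs"

@dataclass(frozen=True)
class CertInfo:
    serial: str                  # constructed serial number
    crl_url: Optional[str]       # CRL distribution point taken from the cert, if any

# Constructed stand-in for revocation servers: URL -> set of revoked serials,
# or None to simulate a server that cannot be reached.
CRL_SERVERS = {
    "http://crl.example.test/ca.crl": {"0x1A2B"},
    "http://down.example.test/ca.crl": None,
}

def fetch_crl(url: str):
    """Return the CRL's revoked serials, or None if the server is unreachable."""
    return CRL_SERVERS.get(url)

def validate(cert: CertInfo, mode: CrlMode) -> Tuple[bool, str]:
    """Return (accepted, reason) for one certificate under one policy mode."""
    if mode is CrlMode.OFF:
        return True, "revocation checking disabled"
    if cert.crl_url is None:
        # Assumption: only 'Require for all certs' treats a missing CRL URL as a failure.
        if mode is CrlMode.REQUIRE_FOR_ALL_CERTS:
            return False, "no CRL URL in certificate; policy requires validation of all certs"
        return True, "no CRL URL in certificate; revocation check skipped"
    crl = fetch_crl(cert.crl_url)
    if crl is None:
        # Soft-fail only in 'Best attempt'; both 'Require' modes block authentication.
        if mode is CrlMode.BEST_ATTEMPT:
            return True, "CRL server unreachable; best attempt accepts"
        return False, "CRL server unreachable; policy requires a successful connection"
    if cert.serial in crl:
        return False, "certificate is listed as revoked"
    return True, "certificate not on CRL"

if __name__ == "__main__":
    for cert in (CertInfo("0x1A2B", "http://crl.example.test/ca.crl"),
                 CertInfo("0x0001", "http://down.example.test/ca.crl"),
                 CertInfo("0x0002", None)):
        for mode in CrlMode:
            print(f"{mode.value:26} {cert.serial:7} -> {validate(cert, mode)}")
```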