Configure the certificate authority (CA) for the Certificate Revocation List (CRL) over HTTP.

The SEG requires that the client certificate CRLs are reachable over HTTP. By default, Microsoft CAs are configured for accessing the CRL over LDAP and not HTTP. You can configure the CA for accessing CRL over HTTP by installing the AD CS role service Certification Authority Web Enrollment. For more information about manually configuring a CA to access the CRL over HTTP, see the Creating a Certificate Revocation List Distribution Point for Your Internal Certification Authority topic available at Archived MSDN and TechNet Blogs.

The following table lists the configuration keys to enable the certificate revocation validation in SEG:

Configuration Key Description Default Value
enable.cert.revocation.validation Flag to enable the certificate revocation check using the CRL. This flag is used only when the Kerberos authentication or the RequireClientCertificate flag is enabled. False
remote.crl.fetch.interval.in.minutes Interval in minutes for a periodic timer that attempts to update the SEG with the latest CRL data. 1440 (1day)
remote.crl.distribution.http.uris Comma-separated list of HTTP URLs of the CRL Distribution Points (CDP).
fail.hard.on.crl.download.failure.during.server.startup Flag to determine how to handle the failure to fetch CRLs during the SEG startup.

If this flag is set to true and you are unable to fetch the CRL, then the SEG fails to start, else SEG ignores the error and starts.

True
Note: For SEG version 2.17.0 or later, the configuration keys must be configured using the custom gateway settings. For earlier versions of SEG, that is, for SEG versions before 2.17.0, the configuration keys must be configured using the application-override.properties file.