Configure the certificate authority (CA) for the Certificate Revocation List (CRL) over HTTP.
The SEG requires that the client certificate CRLs are reachable over HTTP. By default, Microsoft CAs are configured for accessing the CRL over LDAP and not HTTP. You can configure the CA for accessing CRL over HTTP by installing the AD CS role service Certification Authority Web Enrollment. For more information about manually configuring a CA to access the CRL over HTTP, see the Creating a Certificate Revocation List Distribution Point for Your Internal Certification Authority topic available at Archived MSDN and TechNet Blogs.
The following table lists the configuration keys to enable the certificate revocation validation in SEG:
| Configuration Key | Description | Default Value |
|---|---|---|
| enable.cert.revocation.validation | Flag to enable the certificate revocation check using the CRL. This flag is used only when Kerberos authentication or the RequireClientCertificate flag is enabled. | False |
| remote.crl.fetch.interval.in.minutes | Interval in minutes for a periodic timer that attempts to update the SEG with the latest CRL data. | 1440 (1 day) |
| remote.crl.distribution.http.uris | Comma-separated list of HTTP URLs of the CRL Distribution Points (CDP). | |
| fail.hard.on.crl.download.failure.during.server.startup | Flag to determine how to handle a failure to fetch CRLs during SEG startup. If this flag is set to true and the CRL cannot be fetched, the SEG fails to start; otherwise the SEG ignores the error and starts. | |
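The following script is an added example, not VMware's own code: it checks a SEG configuration against the rules in the table above (revocation flag only meaningful with Kerberos or RequireClientCertificate, CDPs must be HTTP rather than the Microsoft CA's default LDAP layout) and models what the fail-hard flag does at startup. It assumes the keys live in a key=value properties-style file and takes the client-certificate/Kerberos state as a plain argument; the sample configuration is constructed.

```python
"""Check SEG CRL settings before enabling revocation validation.

Added example, not VMware's own code. Assumes a key=value (Java properties
style) file; key names are the ones from the table above. Whether Kerberos or
RequireClientCertificate is on is passed in as a flag, not read from a key.
"""
from urllib.parse import urlsplit

# Constructed sample: one HTTP CDP and one LDAP CDP (LDAP is the default
# Microsoft CA publishing layout, which the SEG cannot use).
SAMPLE_CONFIG = """\
enable.cert.revocation.validation=true
remote.crl.fetch.interval.in.minutes=1440
remote.crl.distribution.http.uris=http://pki.example.com/CertEnroll/RootCA.crl, ldap://dc1.example.com/CN=RootCA?certificateRevocationList
fail.hard.on.crl.download.failure.during.server.startup=true
"""

def parse_properties(text):
    """Parse 'key=value' lines, ignoring blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"

def cdp_uris(props):
    raw = props.get("remote.crl.distribution.http.uris", "")
    return [u.strip() for u in raw.split(",") if u.strip()]

def check_crl_config(props, client_cert_auth_enabled):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if not is_true(props, "enable.cert.revocation.validation"):
        return findings  # revocation checking is off; nothing else applies
    if not client_cert_auth_enabled:
        findings.append("revocation flag is ignored unless Kerberos or RequireClientCertificate is enabled")
    uris = cdp_uris(props)
    if not uris:
        findings.append("no CDP configured in remote.crl.distribution.http.uris")
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme != "http":  # the SEG fetches CRLs over HTTP only
            findings.append(f"CDP must be reachable over HTTP, not {scheme}: {uri}")
    interval = props.get("remote.crl.fetch.interval.in.minutes", "1440")
    if not interval.isdigit() or int(interval) <= 0:
        findings.append(f"invalid fetch interval: {interval!r}")
    return findings

def startup_decision(props, fetch_crl):
    """Model the fail-hard flag; fetch_crl(uri) returns True when the download succeeds."""
    failed = [u for u in cdp_uris(props) if not fetch_crl(u)]
    if failed and is_true(props, "fail.hard.on.crl.download.failure.during.server.startup"):
        return "fail"   # SEG refuses to start
    return "start"      # SEG logs the download error (if any) and starts
```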