You can configure certificate revocation checking to prevent users who have their user certificates revoked from authenticating. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.
Certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP) is supported. A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of a certificate.
You can configure both CRL and OCSP in the same certificate authentication adapter configuration. When you configure both types of certificate revocation checking and the Use CRL in case of OCSP failure check box is enabled, OCSP is checked first and if OCSP fails, revocation checking falls back to CRL. Revocation checking does not fall back to OCSP if CRL fails.
Logging in with CRL Checking
When you enable certificate revocation, the Workspace ONE Access connector server reads a CRL to determine the revocation status of a user certificate.
If a certificate is revoked, authentication through the certificate fails.
Logging in with OCSP Certificate Checking
The Online Certificate Status Protocol (OCSP) is an alternative to certificate revocation lists (CRL) that is used to perform a certificate revocation check.
When you configure certificate-based authentication, when Enable Cert Revocation and Enable OCSP Revocation are both enabled, Workspace ONE Access validates the entire certificate chain, including the primary, intermediate and root certificates. The revocation check fails if the check of any certificate in the chain fails or the call to the OCSP URL fails.
The OCSP URL can either be configured manually in the text box or extracted from the Authority Information Access (AIA) extension of the certificate that is being validated.
The OCSP option that you select when you configure certificate authentication determines how Workspace ONE Access uses the OCSP URL.
- Configuration Only. Perform certificate revocation check using the OCSP URL provided in the text box to validate the entire certificate chain. Ignore the information in the certificate's AIA extension. The OCSP URL text box must also be configured with the OCSP server address for revocation checking.
- Certificate Only (required). Perform certificate revocation check using the OCSP URL that exists in the AIA extension of each certificate in the chain. The setting in the OCSP URL text box is ignored. Every certificate in the chain must have an OCSP URL defined, otherwise the certificate revocation check fails.
- Certificate Only (Optional). Only perform certificate revocation check using the OCSP URL that exists in the AIA extension of the certificate. Do not check revocation if the OCSP URL does not exist in the certificate AIA extension. The setting in the OCSP URL text box is ignored. This configuration is useful when revocation check is desired, but some intermediate or root certificates do not contain the OCSP URL in the AIA extension.
- Certificate with fallback to configuration. Perform certificate revocation check using the OCSP URL extracted from the AIA extension of each certificate in the chain, when the OCSP URL is available. If the OCSP URL is not in the AIA extension, check revocation using the OCSP URL configured in the OCSP URL text box. The OCSP URL text box must be configured with the OCSP server address.