We tried the options below:
1. Through Manage Certificates / Certificate Validations. In this case we are not seeing any attempt to validate user certs in the ssg logs or audit logs. This doesn't seem to work, as we do not have the user cert in AD / LDAP and do not authenticate using the entire cert.
2. Using a combination of the "Lookup Certificate" and "Validate Certificate" policy assertions. Is our understanding correct in assuming that the Lookup Certificate assertion actually loads the user cert into the defined output variable name? This option gives the error below:
Certificate CN=*****, DC=****, DC=***** validation (REVOCATION) failed with status: CANT_BUILD_PATH
Unable to build path for certificate CN=*****, DC=****, DC=***** : Unable to find valid certification path to requested target.
Any pointers to the right direction would be appreciated.
-arun
Arun,
After reading your post, I want to make sure that an understanding is established around the Look Up Certificate assertion. This assertion will draw a certificate stored in the Manage Certificates menu for trusted certificates. If this is what you are looking to do, then let's proceed to review the error. When the gateway is unable to build the certificate path, it means that the signer of the certificate being reviewed has not been added to Manage Certificates with the validation option "Certificate is a Trust Anchor" checked.
When you add in a CRL or OCSP check, Certificate Validation in the Manage Certificates menu needs to be configured, as it is not enabled by default even though the option on the assertion is set. In addition, the certificate that signed the certificate used for CRL/OCSP signing also needs to be trusted on the gateway, in the same way that we did above with the "Certificate is a Trust Anchor" option.
Sincerely,
Stephen Hughes
Director, CA Support
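The path-building failure Stephen describes can be reproduced outside the gateway with the openssl CLI. The script below is an added example, not code from this thread or from the CA API Gateway: it builds a throwaway PKI (a "Demo Root CA", an unrelated "Other Root CA", and a user cert with CN=arun, all constructed here), then validates the user cert with no trust anchor, with the wrong CA as anchor, and with the signing CA as anchor. The first two cases fail for the same reason as the gateway's CANT_BUILD_PATH (openssl reports it as "unable to get local issuer certificate" rather than Java's "unable to find valid certification path"); only the third succeeds. The system trust store is disabled so that, like the gateway, the only trust anchors are the ones explicitly supplied.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the CA API Gateway:
# reproduce the "can't build path" failure with openssl, then fix it by
# supplying the issuer of the user certificate as a trust anchor.
# Everything below (Demo Root CA, Other Root CA, the user cert CN=arun) is a
# constructed throwaway PKI; it runs offline with only the openssl CLI.
set -e
WORK="${TMPDIR:-/tmp}/trust-anchor-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Config for a self-signed root: CA:TRUE is required for it to act as an issuer.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Config for the user's CSR (stands in for the cert presented to the gateway).
cat > "$WORK/user.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = arun
EOF

# Extensions stamped onto the user cert by the signing CA.
cat > "$WORK/user.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# 1. The CA that actually signs the user cert.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
# 2. An unrelated CA, to show that a trust anchor has to be the real signer.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
  -subj "/CN=Other Root CA" -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
# 3. The user's CSR, signed by Demo Root CA.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/user.cnf" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/user.ext" -out "$WORK/user.pem" >/dev/null 2>&1

# verify_path CERT [ANCHOR_PEM]
# Builds a chain from CERT to the anchors in ANCHOR_PEM only (the default system
# store is disabled), mirroring a gateway whose trust list is just Manage
# Certificates. Prints OK or CANT_BUILD_PATH; openssl's reason goes to stderr.
verify_path() {
  cert="$1"
  anchor="$2"
  if [ -n "$anchor" ]; then
    reason=$(openssl verify -no-CAfile -no-CApath -CAfile "$anchor" "$cert" 2>&1) && ok=1 || ok=0
  else
    reason=$(openssl verify -no-CAfile -no-CApath "$cert" 2>&1) && ok=1 || ok=0
  fi
  if [ "$ok" -eq 1 ]; then
    echo OK
  else
    echo "$reason" | sed 's/^/  openssl: /' >&2
    echo CANT_BUILD_PATH
  fi
}

echo "no trust anchor:        $(verify_path "$WORK/user.pem")"
echo "wrong CA as anchor:     $(verify_path "$WORK/user.pem" "$WORK/other.pem")"
echo "signing CA as anchor:   $(verify_path "$WORK/user.pem" "$WORK/ca.pem")"
```

The same three outcomes apply to the gateway's CRL/OCSP step: the certificate that signs the CRL or OCSP response needs a path to a trust anchor too, so if that signer is issued by a CA the gateway does not trust, revocation checking fails with the same path-building error even though the user cert itself validates.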