Configure Certificate Revocation Checking

When you use digital certificates to authenticate hosts, you can confirm that those certificates have not been revoked by configuring certificate revocation checking. This feature checks the certificate revocation lists (CRLs) specified by the CRL Distribution Point (CDP) field of the certificate to determine whether the certificate has been revoked.

In EXTRA!, you can enable CRL checking for all sessions that use Secure Shell certificates and for 3270 sessions that use Attachmate SSL/TLS security settings.

To enable CRL checking for a Secure Shell session

  1. With a session file open, choose Options > Settings.
  2. On the left, select Connection.
  3. On the General tab, click the Advanced button.
  4. In the Reflection Secure Shell Settings dialog box, click the PKI tab.
  5. Select either Use OCSP or Use CRL.

    Note: If CRL checking is enabled in Internet Explorer (via the Check for server certificate revocation* option), Use CRL will be selected by default in all EXTRA! SSH sessions.

Your settings are saved to an SSH configuration scheme. CRL checking will be applied in all sessions that use this SSH configuration scheme.

To enable CRL checking for an SSL/TLS session (3270 only)

  1. With a session file open, choose Options > Settings.
  2. On the left, select Connection.
  3. On the General tab, click the Add button.
  4. In the Configure Connection dialog box, make sure that Security Type is set to Attachmate SSL v3.0, Attachmate TLS v1.2 or Attachmate TLS v1.0.
  5. Under Server Authentication, select one or both of the following:
    • Use Certificate Revocation List
    • Use Online Certificate Status Protocol

      Note: Unlike SSH sessions, this CRL setting is independent of the Internet Explorer CRL option Check for server certificate revocation*.
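
The CRL check described at the top of this page, worked through for a single certificate as an added Python example; it is not Attachmate code and does not show how EXTRA! implements the feature. It assumes the third-party `cryptography` package; the test CA, serial numbers, CDP URL and all function names are constructed for illustration, and the CRL is built in memory rather than downloaded.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
CDP_URL = "http://crl.example.test/ca.crl"  # constructed placeholder, never fetched
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])

def make_cert(ca_key, serial, with_cdp=True):
    """Constructed sample host certificate, optionally carrying a CDP extension."""
    b = (x509.CertificateBuilder().issuer_name(CA_NAME)
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"host-{serial}")]))
         .public_key(ec.generate_private_key(ec.SECP256R1()).public_key()).serial_number(serial)
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30)))
    if with_cdp:
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(CDP_URL)],
                                    relative_name=None, reasons=None, crl_issuer=None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(ca_key, hashes.SHA256())

def make_crl(ca_key, revoked_serials, next_update):
    """Constructed CRL signed by the test CA (stands in for the file at the CDP URL)."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(NOW - timedelta(days=2)).next_update(next_update))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW - timedelta(days=1)).build())
    return b.sign(ca_key, hashes.SHA256())

def cdp_urls(cert):
    """Return the URIs listed in the certificate's CRL Distribution Points field."""
    try:
        points = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in points for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def revocation_status(cert, crl, ca_public_key):
    """Classify a certificate against a CRL, naming the cases where the CRL cannot decide."""
    if not cdp_urls(cert):
        return "no-cdp"          # certificate names no CRL location
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        return "crl-untrusted"   # CRL not issued and signed by the certificate's CA
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if nxt < NOW:
        return "crl-stale"       # CRL is past its nextUpdate time
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"
```

To run the same check against a real host certificate, load it with `x509.load_pem_x509_certificate`, download the CRL from a URL returned by `cdp_urls()`, and parse it with `x509.load_der_x509_crl`.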