User's Manual

102 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide
Field | Description
Name | Short name that identifies the certificate clearly. Certificate authority names can include spaces.
Description | Briefly describes the CA. This description is shown in the Certificate Authorities list.
Mode | Either Root, Intermediate, or Imported. The certificate's mode cannot be edited after creation.
In the Certificate Issuing area:
Authority Info Access | Specify one of the following options to control automatic certificate revocation checks (the Authority Info Access extension tells the authentication server where to query the certificate's revocation status):
- Do not include OCSP responder URL – The Authority Info Access extension is not included in the client certificate. Certificate revocation checking must be configured manually on the authentication server; until it is, a revoked client certificate is not detected. This is the default option.
- Include OCSP responder URL – The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a predetermined value. This value is displayed as the “OCSP URL”.
- Specify an OCSP responder URL – The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a value defined by the administrator. This value may be specified in the “OCSP URL” field.
Validity Period | Specifies the maximum length of time for which a client certificate issued during device provisioning will remain valid.
Clock Skew Allowance | Adds a small amount of time to the start and end of the client certificate’s validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices are perfectly synchronized.
For example, if the current time is 12:00, and the clock skew allowance is set to the default
value of 15 minutes, then the client certificate will be issued with a “not valid before” time of
11:45. In this case, if the authentication server that receives the client certificate has a time of
11:58, it will still recognize the certificate as valid. If the clock skew allowance was set to 0
minutes, then the authentication server would not recognize the certificate as valid until its
clock has reached 12:00.
The default of 15 minutes is reasonable. If you expect that all devices on the network will be
synchronized then the value may be reduced. A setting of 0 minutes is not recommended as
this does not permit any variance in clocks between devices.
When issuing a certificate, the certificate’s validity period is determined as follows:
- The “not valid before” time is set to the current time, less the clock skew allowance.
- The “not valid after” time is first calculated as the earliest of the following:
  - The current time, plus the maximum validity period.
  - The expiration time of the user account for whom the device certificate is being issued.
- The “not valid after” time is then increased by the clock skew allowance.
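The following Python is an added example, not code from ClearPass or from this guide. It models the validity rule above and replays the 12:00 / 11:58 scenario from the Clock Skew Allowance description, then shows what the rule implies when a user account expires before the maximum validity period ends. The issue time, the 365-day maximum validity, the 10-day account expiry and the function names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example, not ClearPass code. All dates and periods below are constructed.


def issue_validity(
    now: datetime,
    max_validity: timedelta,
    skew: timedelta,
    account_expiry: Optional[datetime] = None,
) -> Tuple[datetime, datetime]:
    """Compute a client certificate's validity window as the manual describes.

    not_before = now - skew
    not_after  = min(now + max_validity, account_expiry) + skew
    """
    if skew < timedelta(0):
        raise ValueError("clock skew allowance must not be negative")
    not_before = now - skew
    not_after = now + max_validity
    if account_expiry is not None and account_expiry < not_after:
        not_after = account_expiry
    not_after += skew
    # Sanity check that the manual does not state (an assumption of this
    # example): an account that has already expired gets no certificate.
    if not_after <= now:
        raise ValueError("account already expired; refusing to issue")
    return not_before, not_after


def time_check_passes(server_clock: datetime, not_before: datetime, not_after: datetime) -> bool:
    """The authentication server's clock test against the certificate's window."""
    return not_before <= server_clock <= not_after


def manual_example(skew_minutes: int) -> bool:
    """The manual's scenario: issued at 12:00, checked by a server whose clock reads 11:58."""
    issued_at = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    not_before, not_after = issue_validity(
        issued_at, timedelta(days=365), timedelta(minutes=skew_minutes)
    )
    server_clock = datetime(2024, 1, 1, 11, 58, tzinfo=timezone.utc)
    return time_check_passes(server_clock, not_before, not_after)


def minutes_accepted_after_account_expiry(skew_minutes: int = 15) -> int:
    """Account expires before the maximum validity period ends: the window is
    capped at the account expiry and then widened by the skew allowance, so the
    certificate's dates alone still pass for this many minutes afterwards."""
    issued_at = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    account_expiry = issued_at + timedelta(days=10)
    _, not_after = issue_validity(
        issued_at, timedelta(days=365), timedelta(minutes=skew_minutes),
        account_expiry=account_expiry,
    )
    return int((not_after - account_expiry).total_seconds() // 60)


if __name__ == "__main__":
    print("15 min skew, server at 11:58:", manual_example(15))  # True
    print("0 min skew, server at 11:58:", manual_example(0))    # False
    print("minutes past account expiry still inside the window:",
          minutes_accepted_after_account_expiry())            # 15
```

The last function is the caveat worth keeping in mind: because the allowance is added after the cap, a certificate issued to an account that expires inside the validity period remains within its dates for up to the allowance (15 minutes by default) after the account has expired. Ending access at the moment of expiry therefore depends on the authentication server checking account status or revocation, not on the certificate's dates.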