Administrator Guide
In the Certificate Issuing area:
Figure 70 The Certificate Authority Settings Form, Certificate Issuing Area
Authority Info Access
Specify one of the following options to control automatic certificate revocation checks:
• Do not include OCSP responder URL – The Authority Info Access extension is not
included in the client certificate. Certificate revocation checking must be configured
manually on the authentication server. This is the default option.
• Include OCSP responder URL – The Authority Info Access extension is added to the
client certificates, with the OCSP responder URL set to a predetermined value. This value
is displayed as the “OCSP URL”.
• Specify an OCSP responder URL – The Authority Info Access extension is added to the
client certificates, with the OCSP responder URL set to a value defined by the
administrator. This value may be specified in the “OCSP URL” field.
Validity Period
Specifies the maximum length of time for which a client certificate issued during device
provisioning will remain valid.
Clock Skew Allowance
Adds a small amount of time to the start and end of the client certificate’s validity period. This
permits a newly issued certificate to be recognized as valid in a network where not all devices
are perfectly synchronized.
For example, if the current time is 12:00, and the clock skew allowance is set to the default
value of 15 minutes, then the client certificate will be issued with a “not valid before” time of
11:45. In this case, if the authentication server that receives the client certificate has a time of
11:58, it will still recognize the certificate as valid. If the clock skew allowance was set to 0
minutes, then the authentication server would not recognize the certificate as valid until its
clock has reached 12:00.
The default of 15 minutes is reasonable. If you expect that all devices on the network will be
synchronized, then the value may be reduced. A setting of 0 minutes is not recommended, as
it does not permit any variance in clocks between devices.
When issuing a certificate, the certificate’s validity period is determined as follows:
• The “not valid before” time is set to the current time, less the clock skew allowance.
• The “not valid after” time is first calculated as the earliest of the following:
  ▪ The current time, plus the maximum validity period.
  ▪ The expiration time of the user account for whom the device certificate is being issued.
• The “not valid after” time is then increased by the clock skew allowance.
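The three steps above as a small Python function, together with the 12:00 / 11:58 case from the Clock Skew Allowance description. This is an added illustration, not code from the product; the function names, the sample date, the 365-day maximum validity and the 30-day account expiry are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

Window = Tuple[datetime, datetime]


def validity_window(now: datetime, max_validity: timedelta,
                    clock_skew: timedelta = timedelta(minutes=15),
                    account_expiry: Optional[datetime] = None) -> Window:
    """Return (not_before, not_after) using the three steps in the guide."""
    if clock_skew < timedelta(0) or max_validity <= timedelta(0):
        raise ValueError("clock_skew must be >= 0 and max_validity > 0")
    # Assumption: the guide does not say what happens for an account that has
    # already expired, so this sketch refuses to compute a window for it.
    if account_expiry is not None and account_expiry <= now:
        raise ValueError("user account has already expired")
    not_before = now - clock_skew
    # Earliest of: now + maximum validity, or the account's expiration time.
    not_after = now + max_validity
    if account_expiry is not None:
        not_after = min(not_after, account_expiry)
    # The allowance is then added to the end of the window as well.
    return not_before, not_after + clock_skew


def accepted_by(server_clock: datetime, window: Window) -> bool:
    """True if a verifier whose clock reads server_clock sees the cert in date."""
    not_before, not_after = window
    return not_before <= server_clock <= not_after


# Constructed sample values: certificate issued at 12:00 UTC, hypothetical
# 365-day maximum validity, user account expiring 30 days after issue.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SERVER_1158 = NOW - timedelta(minutes=2)   # authentication server running slow
WITH_SKEW = validity_window(NOW, timedelta(days=365))
NO_SKEW = validity_window(NOW, timedelta(days=365), clock_skew=timedelta(0))
CAPPED = validity_window(NOW, timedelta(days=365),
                         account_expiry=NOW + timedelta(days=30))

if __name__ == "__main__":
    print("not valid before      :", WITH_SKEW[0].isoformat())
    print("11:58 server, 15 min  :", accepted_by(SERVER_1158, WITH_SKEW))
    print("11:58 server, 0 min   :", accepted_by(SERVER_1158, NO_SKEW))
    print("account-capped expiry :", CAPPED[1].isoformat())
```

Because the allowance is added after the account-expiry cap, the certificate's “not valid after” time falls one clock skew allowance later than the account expiration itself.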
Dell Networking W-ClearPass Guest 6.6 | User Guide Onboard | 123