Configure System Settings - MiniCRL Trust
This applies to Validation Authority deployments with miniCRL (uncommon). For more details, refer to Using MiniCRLs.
A MiniCRL is signed by the Validation Authority that produced it, rather than by the Certificate Authority that issued the CRL or certificates that were used to generate the MiniCRL. To accept a MiniCRL, the Tactical Validation Authority must be configured to trust the digital signature on the MiniCRL. This can be done in either of the following ways:
- Delegate trust by specifying a Validation Authority signing certificate in the CRL Signing Certificate field on the Details for Certificate Issuer page.
- Specify a global Validation Authority signing certificate on the Trusted MiniCRL Signer page, as described below. This signing certificate will be trusted as a CRL signer for all certificate issuers.
Add a New Trusted miniCRL Signer
- On the Configuration page, click miniCRL trust.
- To specify a global Validation Authority signing certificate on the Trusted MiniCRL Signer page, click trusted MiniCRL signer.
  The page shows the certificate subject and issuer when a Trusted MiniCRL Signer is already configured.
- To add a new trusted MiniCRL signer or replace the existing signer, click Browse to select a new signer.
- Click Set Trusted MiniCRL Signer. The Validation Authority Management Console reloads the Trusted MiniCRL Signer page with a message indicating whether the trusted MiniCRL signing certificate was successfully set or if an error occurred.
To delete the trusted MiniCRL signer, click Delete. The Validation Authority Management Console reloads the Trusted MiniCRL Signer page with a message indicating that the trusted MiniCRL signing certificate was successfully removed.
Audit Log Messages
The following audit log messages are recorded whenever a change is made to the trusted MiniCRL signer:
TRUSTED-SIGNER-SET:
Action | TRUSTED-SIGNER-SET |
---|---|
Description | Logged when a new trusted MiniCRL signer is set |
Example Cause | Click the trusted MiniCRL signer link, then click trusted MiniCRL signer, complete the Trusted MiniCRL Signer form (by browsing the file system for the trusted MiniCRL signer certificate), and click the Set Trusted MiniCRL Signer button. |
Results and Messages | SUCCESS: [DN of ID credential issuer] |
TRUSTED-SIGNER-DELETE:
Action | TRUSTED-SIGNER-DELETE |
---|---|
Description | Logged when a trusted MiniCRL signer is removed |
Example Cause | Click the trusted MiniCRL signer link and click the Delete button. |
Results and Messages | SUCCESS: None |
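Because a global trusted MiniCRL signer is trusted as a CRL signer for all certificate issuers, changes to it are worth reviewing against an approved list. The following is an added example, not part of the product or its documentation: it scans audit log lines for the two actions above and checks the DN reported on a set event. Only the action names and the `SUCCESS:` result text come from this page; the line layout, the sample lines, the approved-DN list and the function names are assumptions.

```python
import re

# Action names and the "SUCCESS: <value>" result text come from the tables above.
# The rest of the line layout is not documented on this page, so the matcher
# only looks for those two tokens anywhere in a line.
EVENT_RE = re.compile(
    r"\b(TRUSTED-SIGNER-SET|TRUSTED-SIGNER-DELETE)\b.*?SUCCESS:\s*(.*)$"
)

def normalize_dn(dn):
    """Lower-case a DN and strip spaces around ',' and '=' (simplified: no escaped commas)."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(re.sub(r"\s*=\s*", "=", p).lower() for p in parts if p)

def review_signer_changes(lines, approved_dns):
    """Return (line_no, action, detail, verdict) for every trusted-signer change."""
    approved = {normalize_dn(d) for d in approved_dns}
    findings = []
    for no, line in enumerate(lines, 1):
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated audit event
        action, detail = m.group(1), m.group(2).strip()
        if action == "TRUSTED-SIGNER-DELETE":
            verdict = "review: global signer removed"
        elif normalize_dn(detail) in approved:
            verdict = "ok: approved signer"
        else:
            verdict = "alert: unapproved signer"
        findings.append((no, action, detail, verdict))
    return findings

# Constructed sample lines; the timestamp/user layout and OTHER-EVENT are hypothetical.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z admin OTHER-EVENT SUCCESS: None",
    "2024-05-01T10:02:11Z admin TRUSTED-SIGNER-SET SUCCESS: CN=VA Signer, O=Example, C=US",
    "2024-05-02T03:14:07Z admin TRUSTED-SIGNER-DELETE SUCCESS: None",
    "2024-05-02T03:15:30Z admin TRUSTED-SIGNER-SET SUCCESS: CN=Other VA, O=Unknown, C=US",
]
APPROVED = ["cn=VA Signer,O=Example,C=US"]  # hypothetical approved signer DN

if __name__ == "__main__":
    for finding in review_signer_changes(SAMPLE_LOG, APPROVED):
        print(finding)
```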