Configure CAPI Settings
Use the CAPI settings to specify the response that the Validation Extension returns to CAPI when a specific situation prevents it from providing a definitive certificate status. More information about these settings is provided in the section CAPI Plugin Configuration.
You should select CAPI settings that comply with your organization’s security policies. For example, you might select Revoked for all of the situations covered by the CAPI settings if your security policies require a definitive OCSP response for each validation request. By default, No Revocation Check is set for all of the CAPI settings, except for when no response is returned and when verification otherwise fails, which are set to Revoked.
To configure CAPI settings, complete the following steps:
- Click Configure CAPI Settings. The Configure CAPI Settings dialog displays.
- Use the drop-down lists to select the status returned to CAPI for each specific situation that can result in an OCSP Unknown response.
  The return type Good indicates to CAPI that the certificate is valid and no further validation is required. The return type Revoked indicates to CAPI that the certificate is not valid and cannot be accepted. The return type No Revocation Check indicates to CAPI that it should attempt to validate the certificate using any other methods it has available. The return type Server Offline indicates to CAPI that it should not make any further attempts to validate the certificate.
The following table summarizes the CAPI settings that you can configure:
Issue: CAPI setting
When the certificate issuer is unknown: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension cannot find the certificate belonging to the issuer of the certificate being validated.
When nonce is missing or does not match: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension receives a response that includes either no nonce when one was expected or a mismatched nonce.
When the certificate is self-signed: Specifies the response type that the Validation Extension returns to CAPI when attempting to validate a self-signed certificate, which cannot be revoked.
When a responder cannot be found: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension is unable to identify a responder to query.
When the network connection fails: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension does not receive a response because of a network failure, including proxy errors.
When no response is returned: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension does not receive a properly formatted OCSP response.
When the response is unsuccessful: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension receives a response with a status other than "successful," indicating that the responder could not or would not process the request.
When the response is not trusted: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension receives a response that is signed by a certificate that cannot be trusted.
When the response has no relevant status: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension receives a response that does not contain the revocation status of the requested certificate.
When the response time is invalid: Specifies the response type that the Validation Extension returns to CAPI when the Validation Extension receives a response that has a thisUpdate time that is in the future or a nextUpdate time in the past.
When the validation service is unavailable: Specifies the response type that the Validation Extension returns to CAPI when the CAPI Plug-In cannot communicate with the Validation Extension service.
When verification otherwise fails: Specifies the response type that the Validation Extension returns to CAPI when an internal error prevents the Validation Extension from obtaining a definitive response.
- Click OK to save the changes.
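As an added illustration (not code from the Validation Extension or its CAPI Plug-In), this Python model maps a failure situation to the status handed to CAPI using the defaults stated above, and flags any situation configured as Good, since that reports an undecided certificate to CAPI as valid with no further checking. The situation labels, the order of the checks and the fields of the constructed response are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Return types offered by the dialog; situation labels are assumed short names.
GOOD, REVOKED, NO_REV_CHECK, SERVER_OFFLINE = (
    "Good", "Revoked", "No Revocation Check", "Server Offline")
SITUATIONS = [
    "issuer unknown", "nonce missing or mismatched", "self-signed",
    "responder not found", "network failure", "no response",
    "response unsuccessful", "response not trusted", "no relevant status",
    "response time invalid", "validation service unavailable",
    "verification otherwise fails",
]
# Documented defaults: No Revocation Check everywhere except two cases.
DEFAULTS = {s: NO_REV_CHECK for s in SITUATIONS}
DEFAULTS["no response"] = REVOKED
DEFAULTS["verification otherwise fails"] = REVOKED
STRICT = {s: REVOKED for s in SITUATIONS}  # definitive answer in every case
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
HOUR = timedelta(hours=1)

def sample_response(**overrides):
    """Constructed well-formed response (a dict, not real OCSP); overrides inject a defect."""
    base = {"status": "successful", "nonce": b"n1", "signer_trusted": True,
            "this_update": NOW - HOUR, "next_update": NOW + HOUR,
            "cert_status": GOOD}
    return {**base, **overrides}

def classify_response(resp, expected_nonce, now=NOW):
    """Situation the response triggers, or None if usable (check order is assumed)."""
    if resp is None:
        return "no response"
    if resp.get("status") != "successful":
        return "response unsuccessful"
    if expected_nonce is not None and resp.get("nonce") != expected_nonce:
        return "nonce missing or mismatched"
    if not resp.get("signer_trusted", False):
        return "response not trusted"
    if resp["this_update"] > now or resp.get("next_update", now) < now:
        return "response time invalid"
    return None

def status_for_capi(resp, expected_nonce, settings=DEFAULTS, now=NOW):
    """Responder's answer if usable, else the configured return type."""
    situation = classify_response(resp, expected_nonce, now)
    return resp["cert_status"] if situation is None else settings[situation]

def fail_open_settings(settings):
    """Situations set to Good: an error would reach CAPI as a valid certificate."""
    return sorted(s for s, v in settings.items() if v == GOOD)
```

Running `fail_open_settings` over an exported configuration is a quick way to confirm that no failure situation has been mapped to Good before the settings are rolled out.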
Reverting to the Default CAPI Settings
To revert to the default CAPI settings, complete the following steps:
- Click Reset to Defaults.
- Click OK to revert to the default CAPI settings. Click Cancel to keep the changed CAPI settings.