<?xml version="1.0" encoding="UTF-8"?>
<!-- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
<!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
%brandDTD;
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Validation Settings</title>
<link rel="stylesheet" href="helpFileLayout.css"
type="text/css"/>
</head>
<body>
<h1 id="validation_settings">Validation Settings</h1>
<p>This section describes how to set Validation preferences and how to control
Certificate Revocation List (CRL) settings.</p>
<p>For step-by-step descriptions of various tasks related to validation and
CRLs, see <a href="using_certs_help.xhtml#controlling_validation">How
Certificate Validation Works</a>.</p>
<div class="contentsBox">In this section:
<ul>
<li><a href="#privacy_and_security_preferences_validation">Privacy &amp;
Security Preferences - Validation</a></li>
<li><a href="#manage_crls">Manage CRLs</a></li>
<li><a href="#crl_import_status">CRL Import Status</a></li>
<li><a href="#automatic_crl_update_preferences">Automatic CRL Update
Preferences</a></li>
</ul>
</div>
<h2 id="privacy_and_security_preferences_validation">Privacy &amp; Security
Preferences - Validation</h2>
<p>This section describes how to use the Validation Settings panel. If you are
not already viewing the panel, follow these steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Validation. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
</ol>
<p>For background information on certificate validation, see
<a href="using_certs_help.xhtml#controlling_validation">How Certificate
Validation Works</a>.</p>
<h3 id="crl">CRL</h3>
<p>A certificate revocation list (CRL) is a list of revoked certificates that
is generated and signed by a
<a href="glossary.xhtml#certificate_authority">certificate authority
(CA)</a>. It's possible to download a CRL to your browser, which can
check it to ensure that certificates are still valid before permitting their
use for authentication.</p>
<p>Click Manage CRLs to see a list of the CRLs available to Certificate
Manager.</p>
<p>For more information about managing CRLs, see
<a href="using_certs_help.xhtml#managing_crls">Managing CRLs</a>.</p>
<h3 id="ocsp">OCSP</h3>
<p>The Online Certificate Status Protocol (OCSP) makes it possible for
Certificate Manager to perform an online check of a certificate's
validity each time the certificate is viewed or used. This process involves
checking the certificate against a certificate revocation list (CRL)
maintained at a specified server. Your computer must be online for OCSP to
work.</p>
<p>To specify how Certificate Manager uses OCSP, choose one of these settings
in the OCSP section of Validation Settings:</p>
<ul>
<li><strong>Use the Online Certificate Status Protocol (OCSP) to confirm the
current validity of certificates</strong>: Select this setting if you want
Certificate Manager to perform an online status check each time it verifies
a certificate. If this setting is off, Certificate Manager will only
confirm the certificate's validity period and that it is correctly
signed by a CA whose own CA certificate is both listed under the CA
Certificates tab (in the main Certificate Manager window) and marked as
trusted for issuing that kind of certificate.</li>
<li><strong>Validate a certificate if it specifies an OCSP server</strong>:
Select this setting for online validation of certificates that provide a
validation service address (Service URL). Certificate Manager makes sure
that the certificate is listed as valid at the URL and checks validity
period and trust settings.</li>
<li><strong>Validate all certificates using the following OCSP
server</strong>: Select this setting if you want to specify an OCSP server
for the validation of all certificates. If you select this setting, you
should also choose the certificate from the Response Signer pop-up menu
that identifies the signer of the OCSP responses. With this setting, the
only certificates Certificate Manager recognizes are those that can be
verified by an OCSP response signed with the Response Signer certificate
(or signed using a certificate that chains to it).
<p>When you choose a Response Signer certificate from the pop-up menu,
Certificate Manager fills in the Service URL (if available) for that
signer automatically. If the Service URL is not filled in automatically,
you must provide it yourself; ask your system administrator for
details.</p>
</li>
<li><strong>When an OCSP server connection fails, treat the certificate as
invalid</strong>: Select this if you want the validation to fail if a
connection to the OCSP server can't be established.</li>
</ul>
<h2 id="manage_crls">Manage CRLs</h2>
<p>This section describes how to use the Manage CRLs dialog box. To view it,
follow these steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Validation. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
<li>Click Manage CRLs.</li>
</ol>
<p>This dialog box displays a list of the
<a href="glossary.xhtml#crl">CRLs</a> that you have
downloaded for use by your browser. Typically, you download a CRL by
clicking a URL. For information about how CRLs work, see
<a href="using_certs_help.xhtml#managing_crls">Managing CRLs</a>.</p>
<p>To select a CRL, click it. You can then perform any of these actions:</p>
<ul>
<li><strong>Delete</strong>: Deletes the CRL permanently from your hard disk.
Don't do this unless you're sure you no longer need the CRL for
validating certificates. If in doubt, consult your system
administrator.</li>
<li><strong>Settings</strong>: Opens the
<a href="#automatic_crl_update_preferences">Automatic CRL Update
Preferences</a> dialog box, which allows you to activate automatic CRL
updates for the selected CRL and specify how frequently they should be
performed.</li>
<li><strong>Update</strong>: Immediately updates the selected CRL
(if possible).</li>
</ul>
<p>The Manage CRLs dialog box provides the following information about each
CRL:</p>
<ul>
<li><strong>Organization (O)</strong>: The name of the organization that
issued the CRL.</li>
<li><strong>Organizational Unit (OU)</strong>: The name of the organizational
unit that issued the CRL (such as the root CA for a particular kind of
certificate).</li>
<li><strong>Last Update</strong>: The date on which the browser's copy
of this CRL was last updated.</li>
<li><strong>Next Update</strong>: The next date on which an updated version
of this CRL will be published by the CRL issuer.</li>
<li><strong>Auto Update</strong>: Indicates whether Auto Update has been
enabled for this CRL. To view the settings that control auto updating,
select the CRL and click Settings.</li>
<li><strong>Auto Update Status</strong>:
<ul>
<li>If Auto Update has not been enabled, or if it has been enabled but
the next scheduled update has not yet occurred, this field will be
blank.</li>
<li>After at least one auto update has occurred, this field shows
<q>failed</q> if the most recent auto update failed, or
<q>OK</q> if the most recent auto update was successful.</li>
</ul>
</li>
</ul>
<h2 id="crl_import_status">CRL Import Status</h2>
<p>This section describes how to use the CRL Import Status dialog box, which
appears when you first attempt to import a CRL or when you successfully
update it manually.</p>
<p>This dialog box informs you</p>
<ul>
<li>whether your attempt to import or update the CRL was successful</li>
<li>what organization issued the CRL</li>
<li>when the next update of this CRL will be published</li>
<li>whether Automatic Update is enabled for this CRL</li>
</ul>
<p>If Automatic Update is not enabled, you can turn it on from here:</p>
<ul>
<li><strong>Yes</strong>: Click Yes to enable automatic updating of this CRL.
If you click this button, the Automatic CRL Update Preferences dialog box
appears next. The next section describes how to set these preferences.</li>
<li><strong>No</strong>: Click No if you wish to leave Automatic Update
disabled.</li>
</ul>
<h2 id="automatic_crl_update_preferences">Automatic CRL Update Preferences</h2>
<p>This section describes how to use the Automatic CRL Update Preferences
dialog box. If you are not already viewing it, follow these steps:</p>
<ol>
<li>Open the <span class="mac">&brandShortName;</span>
<span class="noMac">Edit</span> menu and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Validation. (If no
subcategories are visible, double-click Privacy &amp; Security to expand
the list.)</li>
<li>Click Manage CRLs, then select the CRL whose auto update preferences you
want to view or change.</li>
<li>Click Settings.</li>
</ol>
<p>This dialog box displays the following options and information:</p>
<ul>
<li><strong>Enable Automatic Update for this CRL</strong>: Select this option
if you want the CRL you selected to be updated automatically according to
the schedule you set here. (Note that you can't select this option if
the CRL doesn't specify a Next Update date.)
<p>If you enable Automatic Update, you must select one of these radio
buttons:</p>
<ul>
<li><strong>Update X days before Next Update date</strong>: Select this
option if you want to base the update frequency on the frequency with
which the CRL publisher publishes a new version of the CRL.</li>
<li><strong>Update every X days</strong>: Select this option if you
want to specify an update interval unrelated to the CRL's Next
Update date.</li>
</ul>
</li>
<li><strong>CRL would be imported from</strong>: Indicates the URL from which
the browser originally imported the CRL. This setting cannot be changed. To
specify a different location, delete the CRL and re-import it from the new
location.</li>
<li><strong>Previous Consecutive Update Failures</strong>: Indicates how
many times update attempts for this CRL have failed consecutively,
including the most recent failure:
<ul>
<li>If the most recent attempt was successful, this reads
<q>None</q> even if there were previous unsuccessful
attempts.</li>
<li>If the most recent attempt failed, this indicates the number of
consecutive failures and the error message for the most recent
failure.</li>
</ul>
</li>
</ul>
<p>Click OK to confirm your choices.</p>
</body>
</html>