author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
commit | 43a97878ce14b72f0981164f87f2e35e14151312 (patch) | |
tree | 620249daf56c0258faa40cbdcf9cfba06de2a846 /l10n-ro/suite/chrome/common/help/using_certs_help.xhtml | |
parent | Initial commit. (diff) | |
Adding upstream version 110.0.1. (refs: upstream/110.0.1, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'l10n-ro/suite/chrome/common/help/using_certs_help.xhtml')
-rw-r--r-- | l10n-ro/suite/chrome/common/help/using_certs_help.xhtml | 734 |
1 files changed, 734 insertions, 0 deletions
diff --git a/l10n-ro/suite/chrome/common/help/using_certs_help.xhtml b/l10n-ro/suite/chrome/common/help/using_certs_help.xhtml new file mode 100644 index 0000000000..235349d2a9 --- /dev/null +++ b/l10n-ro/suite/chrome/common/help/using_certs_help.xhtml 
@@ -0,0 +1,734 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" + "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[ + <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" > + %brandDTD; +]> + +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Using Certificates</title> +<link rel="stylesheet" href="helpFileLayout.css" + type="text/css"/> +</head> +<body> + +<h1 id="using_certificates">Using Certificates</h1> + +<p>A certificate is the digital equivalent of an ID card. Just as you may have + several ID cards for different purposes, such as a driver's license, an + employee ID card, or a credit card, you can have several different + certificates that identify you for different purposes.</p> + +<p>This section describes how to perform operations related to + certificates.</p> + +<div class="contentsBox">In this section: + <ul> + <li><a href="#getting_your_own_certificate">Getting Your Own + Certificate</a></li> + <li><a href="#checking_security_for_a_web_page">Checking Security for a Web + Page</a></li> + <li><a href="#managing_certificates">Managing Certificates</a></li> + <li><a href="#managing_smart_cards_and_other_security_devices">Managing + Smart Cards and Other Security Devices</a></li> + <li><a href="#managing_ssl_warnings_and_settings">Managing SSL Warnings and + Settings</a></li> + <li><a href="#controlling_validation">Controlling Validation</a></li> + </ul> +</div> + +<h1 id="getting_your_own_certificate">Getting Your Own Certificate</h1> + +<p>Much like a credit card or a driver's license, a certificate is a form + of identification you can use to identify yourself over the Internet and + other networks. 
Like other commonly used personal IDs, a certificate is + typically issued by an organization with recognized authority to issue such + identification. An organization that issues certificates is called a + <strong>certificate authority (CA)</strong>.</p> + +<p>You can obtain certificates that identify you from public CAs, from system + administrators or special CAs within your organization, or from websites + offering specialized services that require a means of identification more + reliable that your name and password.</p> + +<p>Just as the requirements for a driver's license vary depending on the + type of vehicle you want to drive, the requirements for obtaining a + certificate vary depending on what you want to use it for. In some cases + getting a certificate may be as easy as going to a website, entering some + personal information, and automatically downloading the certificate into your + browser. In other cases you may have to go through more complicated + procedures.</p> + +<p>You can obtain a certificate today by visiting the URL for a certificate + authority and following the on-screen instructions. For a list of certificate + authorities issuing certificates recognized by &brandShortName;, see the + online document + <a href="http://www.mozilla.org/projects/security/certs/included/">Included + Certificate List</a>.</p> + +<p>Once you obtain a certificate, it is automatically stored in a + <a href="glossary.xhtml#security_device">security device</a>. Your browser + comes with its own built-in Software Security Device. A security device can + also be a piece of hardware, such as a smart card.</p> + +<p>Like a driver's license or a credit card, a certificate is a valuable + form of identification that can be abused if it falls into the wrong hands. 
+ Once you've obtained a certificate that identifies you, you should + protect it in two ways: by backing it up and by setting your + <a href="glossary.xhtml#master_password">master password</a>.</p> + +<p>When you first obtain a certificate, you may be prompted to back it up. If + you haven't yet created a master password, you will be asked to create + one.</p> + +<p>For detailed information about backing up a certificate and setting your + master password, see <a href="certs_help.xhtml#your_certificates">Your + Certificates</a>.</p> + +<p>[<a href="#using_certificates">Return to beginning of section</a>]</p> + +<h1 id="checking_security_for_a_web_page">Checking Security for a Web Page</h1> + +<p>When you're viewing any web page, the lock icon near the lower-right + corner of the window informs you whether the entire contents of the page was + protected by <a href="glossary.xhtml#encryption">encryption</a> while it was + being received by your computer:</p> + +<table summary="lock icons"> + <tr> + <td><img alt="closed lock icon" + src="chrome://communicator/skin/icons/lock-secure.png"/></td> + <td>A closed lock means that the page was protected by encryption when it + was received.</td> + </tr> + <tr> + <td><img alt="open lock icon" + src="chrome://communicator/skin/icons/lock-insecure.png"/></td> + <td>An open lock means the page was not protected by encryption when it was + received.</td> + </tr> + <tr> + <td><img alt="broken lock icon" + src="chrome://communicator/skin/icons/lock-broken.png"/></td> + <td>A broken lock means that some or all of the elements within the page + were not protected by encryption when the page was received, even though + the outermost HTML page was encrypted.</td> + </tr> +</table> + +<p>For more details about the encryption status of the page when it was + received, click the lock icon (or open the View menu, choose Page Info, and + click the Security tab).</p> + +<p>The Security tab for Page Info provides two kinds of 
information:</p> + +<ul> + <li>The top half describes whether the website displaying the page has been + verified. (For information on certificate verification, see + <a href="#controlling_validation">Controlling Validation</a>.)</li> + <li>The bottom half describes whether the contents of the page you are + viewing is protected by encryption while in transit over the network.</li> +</ul> + +<p><strong>Important</strong>: The lock icon describes only the encryption + status of the page while it was being received by your computer. To be + notified before you send or receive information without encryption, select + the appropriate SSL warning options. See <a href="ssl_help.xhtml">Privacy + & Security Preferences - SSL</a> for details.</p> + +<p>[<a href="#using_certificates">Return to beginning of section</a>]</p> + +<h1 id="managing_certificates">Managing Certificates</h1> + +<p>You can use the Certificate Manager to manage the certificates you have + available. Certificates may be stored on your computer's hard disk or on + <a href="glossary.xhtml#smart_card">smart cards</a> or other security devices + attached to your computer.</p> + +<p>To open the Certificate Manager:</p> + +<ol> + <li>Open the <span class="mac">&brandShortName;</span> + <span class="noMac">Edit</span> menu and choose Preferences.</li> + <li>Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)</li> + <li>In the Manage Certificates section, click Manage Certificates. 
You see + the Certificate Manager.</li> +</ol> + +<div class="contentsBox">In this section: + <ul> + <li><a href="#managing_certificates_that_identify_you">Managing + Certificates that Identify You</a></li> + <li><a href="#managing_certificates_that_identify_people">Managing + Certificates that Identify People</a></li> + <li><a href="#managing_certificates_that_identify_servers">Managing + Certificates that Identify Servers</a></li> + <li><a href="#managing_certificates_that_identify_certificate_authorities">Managing + Certificates that Identify Certificate Authorities</a></li> + <li><a href="#managing_certificates_that_identify_others">Managing + Certificates that Identify Others</a></li> + </ul> +</div> + +<h2 id="managing_certificates_that_identify_you">Managing Certificates that + Identify You</h2> + +<p>When you first open the Certificate Manager, you'll notice that it has + several tabs across the top of its window. The first tab is called Your + Certificates, and it displays the certificates your browser or mail client + has available that identify you. Your certificates are listed under the names + of the organizations that issued them.</p> + +<p>To perform an action on one or more certificates, click the entry for the + certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. 
Click the Help button in any window to + obtain more information about using that window.</p> + +<p>For more details on how to view and manage these certificates, see + <a href="certs_help.xhtml#your_certificates">Your Certificates</a>.</p> + +<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p> + +<h2 id="managing_certificates_that_identify_people">Managing Certificates that + Identify People</h2> + +<p>When you compose a mail message, you can choose to attach your digital + signature to it. A <a href="glossary.xhtml#digital_signature">digital + signature</a> allows recipients of the message to verify that the message + really comes from you and hasn't been tampered with since you sent + it.</p> + +<p>Every time you send a digitally signed message, your encryption certificate + is automatically included with the message. This certificate allows the + message recipients to send you encrypted messages.</p> + +<p>One of the easiest ways to obtain someone else's encryption certificate + is for that person to send you a digitally signed message. Certificate + Manager automatically stores other people's certificates whenever they + are received in this way.</p> + +<p>To view all the certificates identifying other people that are available to + the Certificate Manager, click the People tab at the top of the + Certificate Manager window. You can send encrypted messages to anyone for + whom a valid certificate is listed. Certificates are listed under the names + of the organizations that issued them.</p> + +<p>To perform an action on one or more certificates, click the entry for the + certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. 
Click the Help button in any window to + obtain more information about using that window.</p> + +<p>For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + <a href="certs_help.xhtml#people">People</a> tab.</p> + +<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p> + +<h2 id="managing_certificates_that_identify_servers">Managing Certificates + that Identify Servers</h2> + +<p>Some websites and mail servers use certificates to identify themselves. + Such identification is required before the server can encrypt information + transferred between it and your computer (or vice versa), so that no one + can read the data while in transit.</p> + +<p>If the URL for a website begins with <tt>https://</tt>, the website has a + certificate. If you visit such a website and its certificate was issued by a + CA that the Certificate Manager doesn't know about or doesn't + trust, you will be asked whether you want to accept the website's + certificate. When you accept a new website certificate, the Certificate + Manager adds it to its list of website certificates.</p> + +<p>To view all the website certificates available to your browser, click the + Servers tab at the top of the Certificate Manager window.</p> + +<p>To perform an action on one or more certificates, click the entry for the + certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. 
Click the Help button in any window to + obtain more information about using that window.</p> + +<p>For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + <a href="certs_help.xhtml#servers">Servers</a> tab.</p> + +<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p> + +<h2 id="managing_certificates_that_identify_certificate_authorities">Managing + Certificates that Identify Certificate Authorities</h2> + +<p>Like other commonly used forms of ID, a certificate is issued by an + organization with recognized authority to issue such identification. An + organization that issues certificates is called a + <a href="glossary.xhtml#certificate_authority">certificate authority + (CA)</a>. A certificate that identifies a CA is called a CA certificate.</p> + +<p>Certificate Manager typically has many CA certificates on file. These CA + certificates permit Certificate Manager to recognize and work with + certificates issued by the corresponding CAs. However, the presence of a CA + certificate in this list does <em>not</em> guarantee that the certificates it + issues can be trusted. You or your system administrator must make decisions + about what kinds of certificates to trust depending on your security + needs.</p> + +<p>To view all the CA certificates available to your browser, click the + Authorities tab at the top of the Certificate Manager window.</p> + +<p>To perform an action on one or more CA certificates, click the entry for the + certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. 
Click the Help button in any window to + obtain more information about using that window.</p> + +<p>For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + <a href="certs_help.xhtml#authorities">Authorities</a> tab.</p> + +<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p> + +<h2 id="managing_certificates_that_identify_others">Managing Certificates that + Identify Others</h2> + +<p>To see all certificates that do not fit into any of the other categories, + click the Others tab at the top of the Certificate Manager window.</p> + +<p>For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + <a href="certs_help.xhtml#others">Others</a> tab.</p> + +<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p> + +<h1 id="managing_smart_cards_and_other_security_devices">Managing Smart Cards + and Other Security Devices</h1> + +<p>A smart card is a small device, typically about the size of a credit card, + that contains a microprocessor and is capable of storing information about + your identity (such as your <a href="glossary.xhtml#private_key">private + keys</a> and <a href="glossary.xhtml#certificate">certificates</a>) and + performing cryptographic operations.</p> + +<p>To use a smart card, you typically need to have a smart card reader (a piece + of hardware) attached to your computer, as well as software on your computer + that controls the reader.</p> + +<p>A smart card is just one kind of security device. A security device + (sometimes called a token) is a hardware or software device that provides + cryptographic services and stores information about your identity. 
Use the + Device Manager to work with smart cards and other security devices.</p> + +<div class="contentsBox">In this section: + <ul> + <li><a href="#about_security_devices_and_modules">About Security Devices + and Modules</a></li> + <li><a href="#using_security_devices">Using Security Devices</a></li> + <li><a href="#using_security_modules">Using Security Modules</a></li> + <li><a href="#enable_fips_mode">Enable FIPS Mode</a></li> + </ul> +</div> + +<h2 id="about_security_devices_and_modules">About Security Devices and + Modules</h2> + +<p>The Device Manager displays a window that lists the available security + devices. You can use the Device Manager to manage any security devices, + including smart cards, that support the Public Key Cryptography Standard + (PKCS) #11.</p> + +<p>A <a href="glossary.xhtml#pkcs_11_module">PKCS #11 module</a> (sometimes + called a security module) controls one or more security devices in much the + same way that a software driver controls an external device such as a printer + or modem. If you are installing a smart card, you must install the PKCS #11 + module for the smart card on your computer as well as connecting the smart + card reader.</p> + +<p>By default, the Device Manager controls two internal PKCS #11 modules that + manage three security devices:</p> + +<ul> + <li><strong>&brandShortName; Internal PKCS #11 Module</strong>: Controls two + security devices: + <ul> + <li><strong>Generic Crypto Services</strong>: A special security device + that performs all cryptographic operations required by the + &brandShortName; Internal PKCS #11 Module.</li> + <li><strong>Software Security Device</strong>: Stores your certificates + and keys that aren't stored on external security devices, + including any CA certificates that you may have installed in addition + to those that come with the browser.</li> + </ul> + </li> + <li><strong>Builtin Roots Module</strong>: Controls a special security device + called the Builtin Object Token. 
This security device stores the default + <a href="glossary.xhtml#ca_certificate">CA certificates</a> that come with + the browser.</li> +</ul> + +<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to + beginning of section</a>]</p> + +<h2 id="using_security_devices">Using Security Devices</h2> + +<p>The Device Manager allows you to perform operations on security devices. To + open the Device Manager, follow these steps:</p> + +<ol> + <li>Open the <span class="mac">&brandShortName;</span> + <span class="noMac">Edit</span> menu and choose Preferences.</li> + <li>Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)</li> + <li>In the Certificates panel, click Manage Security Devices.</li> +</ol> + +<p>The Device Manager lists each available PKCS #11 module in boldface, and the + security devices managed by each module below its name.</p> + +<p>When you select a security device, information about it appears in the + middle of the Device Manager window, and some of the buttons on the right + side of the window become available. For example, if you select the Software + Security Device, you can perform these actions:</p> + +<ul> + <li>Click Login or Logout to log in or out of the Software Security Device. + If you are logging in, you will be asked to supply the master password for + the device. You must be logged into a security device before your browser + software can use it to provide cryptographic services.</li> + <li>Click Change Password to change the master password for the device.</li> +</ul> + +<p>You can perform these actions on most security devices. 
However, you cannot + perform them on the Builtin Object Token or Generic Crypto Services, which + are special devices that must normally be available at all times.</p> + +<p>For more details, see <a href="certs_help.xhtml#device_manager">Device + Manager</a>.</p> + +<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to + beginning of section</a>]</p> + +<h2 id="using_security_modules">Using Security Modules</h2> + +<p>If you want to use a smart card or other external security device, you must + first install the module software on your computer and, if necessary, connect + any associated hardware. Follow the instructions that come with the + hardware.</p> + +<p>After a new module is installed on your computer, follow these steps to load + it:</p> + +<ol> + <li>Open the <span class="mac">&brandShortName;</span> + <span class="noMac">Edit</span> menu and choose Preferences.</li> + <li>Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)</li> + <li>In the Certificates panel, click Manage Security Devices.</li> + <li>Click Load.</li> + <li>In the Load PKCS #11 Module dialog box, click the Browse button, locate + the module file, and click Open.</li> + <li>Fill in the Module Name field with the name of the module and click + OK.</li> +</ol> + +<p>The new module will then show up in the list of modules with the name you + assigned to it.</p> + +<p>To unload a PKCS #11 module, select its name and click Unload.</p> + +<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to + beginning of section</a>]</p> + +<h2 id="enable_fips_mode">Enable FIPS Mode</h2> + +<p>Federal Information Processing Standards Publications (FIPS PUBS) 140-1 is a + US government standard for implementations of cryptographic + modules—that is, hardware or software that encrypts and decrypts data + or performs other cryptographic operations (such as creating or verifying 
+ digital signatures). Many products sold to the US government must comply with + one or more of the FIPS standards.</p> + +<p>To enable FIPS mode for the browser, you use the Device Manager:</p> + +<ol> + <li>Open the <span class="mac">&brandShortName;</span> + <span class="noMac">Edit</span> menu and choose Preferences.</li> + <li>Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)</li> + <li>In the Certificates panel, click Manage Devices.</li> + <li>Click the Enable FIPS button. When FIPS is enabled, the name NSS Internal + PKCS #11 Module changes to NSS Internal FIPS PKCS #11 Module and the Enable + FIPS button changes to Disable FIPS.</li> +</ol> + +<p>To disable FIPS-mode, click Disable FIPS.</p> + +<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to + beginning of section</a>]</p> + +<h1 id="managing_ssl_warnings_and_settings">Managing SSL Warnings and + Settings</h1> + +<p>The Secure Sockets Layer (SSL) protocol allows your computer to exchange + information with other computers on the Internet in encrypted form—that + is, the information is scrambled while in transit so that no one else can + make sense of it. SSL is also used to identify computers on the Internet by + means of <a href="glossary.xhtml#certificate">certificates</a>.</p> + +<p>The Transport Layer Security (TLS) protocol is a new standard based on SSL. + By default, the browser supports both SSL and TLS. 
This approach works for + most people, because it guarantees that the browser will work with virtually + all other existing software on the Internet that supports any version of SSL + or TLS.</p> + +<p>However, in some circumstances system administrators or other knowledgeable + persons may wish to adjust the SSL settings to fine-tune them for special + security needs or to account for bugs in some older software products.</p> + +<p>You shouldn't adjust the SSL settings for your browser unless you know + what you're doing or have the assistance of someone else who does. If + you do need to adjust them for some reason, follow these steps:</p> + +<ol> + <li>Open the <span class="mac">&brandShortName;</span> + <span class="noMac">Edit</span> menu and choose Preferences.</li> + <li>Under the Privacy & Security category, select SSL. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)</li> +</ol> + +<p>For more details, see <a href="ssl_help.xhtml">SSL Settings</a>.</p> + +<p>[<a href="#using_certificates">Return to beginning of section</a>]</p> + +<h1 id="controlling_validation">Controlling Validation</h1> + +<p>As discussed above under <a href="#getting_your_own_certificate">Get Your + Own Certificate</a>, a certificate is a form of identification, much like a + driver's license, that you can use to identify yourself over the + Internet and other networks. However, also like a driver's license, a + certificate may expire or become invalid for some other reason. Therefore, + your browser software needs to confirm the validity of any given certificate + in some way before trusting it for identification purposes.</p> + +<p>This section describes how Certificate Manager validates certificates and + how to control that process. To understand the process, you should have some + familiarity with <a href="glossary.xhtml#public-key_cryptography">public-key + cryptography</a>. 
If you are not familiar with the use of certificates, you + should check with your system administrator before attempting to change any + of your browser's certificate validation settings.</p> + +<div class="contentsBox">In this section: + <ul> + <li><a href="#how_validation_works">How Validation Works</a></li> + <li><a href="#managing_crls">Managing CRLs</a></li> + <li><a href="#configuring_ocsp">Configuring OCSP</a></li> + <li><a href="validation_help.xhtml">Validation Settings</a></li> + </ul> +</div> + +<h2 id="how_validation_works">How Validation Works</h2> + +<p>Whenever you use or view a certificate stored by Certificate Manager, it + takes several steps to verify the certificate. At a minimum, it confirms that + the CA's digital signature on the certificate was created by a CA whose + own certificate is (1) present in the Certificate Manager's list of + available CA certificates and (2) marked as trusted for issuing the kind of + certificate being verified.</p> + +<p>If the CA certificate is not itself present, the + <a href="glossary.xhtml#certificate_chain">certificate chain</a> for the CA + certificate must include a higher-level CA certificate that is present and + correctly trusted. Certificate Manager also confirms that the certificate + being verified is currently marked as trusted in the certificate store. If + any one of these checks fails, Certificate Manager marks the certificate as + unverified and won't recognize the identity it certifies.</p> + +<p>A certificate can pass all these tests and still be compromised in some way; + for example, the certificate may be revoked because an unauthorized person + has gained access to the certificate's private key. 
A compromised + certificate can allow an unauthorized person (or website) to pretend to be + the certificate owner.</p> + +<p>One way to combat this threat is for Certificate Manager to check a + certificate revocation list (CRL) as part of the verification process (see + <a href="#managing_crls">Managing CRLs</a>, below). Typically, you download a + CRL to your browser by clicking a link. If a CRL is present, Certificate + Manager checks any certificate issued by the same CA against the list as part + of the verification process.</p> + +<p>The reliability of CRLs depends on the frequency with which they are both + updated by a server and checked by a client. You can configure your + <a href="validation_help.xhtml#automatic_crl_update_preferences">Automatic + CRL Update Preferences</a> so that a CRL will be updated automatically at + regular intervals with the version currently on the server.</p> + +<p>Another way to combat the threat of compromised certificates is to use a + special server that supports the Online Certificate Status Protocol (OCSP). + Such a server can answer client queries about individual certificates (see + <a href="#configuring_ocsp">Configuring OCSP</a>, below).</p> + +<p>The server, called an OCSP responder, receives an updated CRL periodically + from the CA that issues the certificates to be verified. You can configure + Certificate Manager to submit a status request for a certificate to the OCSP + responder, and the OCSP responder confirms whether the certificate is + valid.</p> + +<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p> + +<h2 id="managing_crls">Managing CRLs</h2> + +<p>A certificate revocation list (CRL) is a list of revoked certificates. 
A + <a href="glossary.xhtml#certificate_authority">certificate authority (CA)</a> + might revoke a certificate, for example, if it has been compromised in some + way—much the way a credit card company might revoke your credit card if + you report that it's been stolen.</p> + +<p>This section describes how to import and manage CRLs.</p> + +<p>For background information, see + <a href="#how_validation_works">How Validation Works</a>.</p> + +<p>For detailed descriptions of CRL settings that you can control, see + <a href="validation_help.xhtml">Validation Settings</a>.</p> + +<div class="contentsBox">In this section: + <ul> + <li><a href="#about_the_next_update_date">About the <q>Next Update</q> + Date</a></li> + <li><a href="#importing_crls">Importing CRLs</a></li> + <li><a href="#viewing_and_managing_crls">Viewing and Managing CRLs</a></li> + </ul> +</div> + +<h3 id="about_the_next_update_date">About the <q>Next Update</q> Date</h3> + +<p>The browser uses the CRLs it has available to check the validity of + certificates issued by the corresponding CAs. If a certificate is listed as + revoked, the browser won't accept it as evidence of identity.</p> + +<p>A CA typically publishes an updated CRL at regular intervals. Every CRL + includes a date, specified in the Next Update field, by which the CA will + publish the next update of that CRL. In general, if the date in the Next + Update field is earlier than the current date, you should obtain the most + recent version of the CRL. To view CRL information and set up automatic CRL + updating, see <a href="#viewing_and_managing_crls">Viewing and Managing + CRLs</a>.</p> + +<p>CAs are required to produce a new CRL by the Next Update date. However, the + absence of the most recent CRL does not by itself invalidate a certificate. + For this reason, if the most recent CRL is not available, a certificate may + be validated even though the most recent CRL shows it as expired. 
Automatic + CRL updating can help to avoid this situation.</p> + +<h3 id="importing_crls">Importing CRLs</h3> + +<p>You can import the latest CRL from a CA into your browser. To import a CRL, + follow these steps:</p> + +<ol> + <li>Go to the URL specified by the CA or by your system administrator and + click the link for the CRL that you want to import. + + <p>The Import Status dialog box appears.</p> + </li> + <li>Confirm that the CRL was imported successfully and that it's the one + you wanted. In most cases you should also click Yes, which enables + automatic updating of the CRL you just imported.</li> + <li>The next step depends on whether you click Yes or No in the Import Status + dialog box: + <ul> + <li><strong>Yes</strong>: The Automatic CRL Update Preferences dialog box + appears. In this case, go on to step 4.</li> + <li><strong>No</strong>: The Import Status dialog box closes. If you + change your mind and decide to enable automatic updates after all, see + <a href="#viewing_and_managing_crls">Viewing and Managing + CRLs</a>.</li> + </ul> + </li> + <li>Select the option labeled <q>Enable Automatic Update for this + CRL</q>.</li> + <li>Decide how you want to schedule the automatic updates: + <ul> + <li><strong>Update [__] days before Next Update date</strong>: Select + this option if you want to base the update frequency on the frequency + with which the CRL publisher publishes a new version of the CRL.</li> + <li><strong>Update every [__] days</strong>: Select this option if you + want to specify an update interval unrelated to the CRL's Next + Update date.</li> + </ul> + </li> + <li>Click OK to confirm your choices.</li> +</ol> + +<h3 id="viewing_and_managing_crls">Viewing and Managing CRLs</h3> + +<p>You can view and manage CRLs available to the browser through the + browser's Validation preferences:</p> + +<ol> + <li>Open the <span class="mac">&brandShortName;</span> + <span class="noMac">Edit</span> menu and choose Preferences.</li> + <li>Under the 
Privacy & Security category, click Validation. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)</li> + <li>Click Manage CRLs in the Validation panel to see a list of the CRLs + available to Certificate Manager.</li> +</ol> + +<p>To delete or update a CRL, select it and click the appropriate button.</p> + +<p>To set up automatic updates for a CRL, select the CRL and click Settings. + The Automatic CRL Update Preferences dialog box appears:</p> + +<ol> + <li>Select the option labeled <q>Enable Automatic Update for this + CRL</q>.</li> + <li>Decide how you want to schedule the automatic updates: + <ul> + <li><strong>Update [__] days before Next Update date</strong>: Select + this option if you want to base the update frequency on the frequency + with which the CRL publisher publishes a new version of the CRL.</li> + <li><strong>Update every [__] days</strong>: Select this option if you + want to specify an update interval unrelated to the CRL's Next + Update date.</li> + </ul> + </li> + <li>Click OK to confirm your choices.</li> +</ol> + +<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p> + +<h2 id="configuring_ocsp">Configuring OCSP</h2> + +<p>The settings that control OCSP are part of Validation preferences. To view + Validation preferences, follow these steps:</p> + +<ol> + <li>Open the <span class="mac">&brandShortName;</span> + <span class="noMac">Edit</span> menu and choose Preferences.</li> + <li>Under the Privacy & Security category, click Validation. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)</li> +</ol> + +<p>For information about the OCSP options available, see + <a href="validation_help.xhtml#ocsp">OCSP</a>.</p> + +<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p> + +</body> +</html> |
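Review bot: In the "About the Next Update Date" section, the sentence "a certificate may be validated even though the most recent CRL shows it as expired" describes the wrong state. A CRL reports revocation, not expiry, and the same file defines it under "Managing CRLs" as "a list of revoked certificates", so this should read "shows it as revoked". As written, the help text hides the actual risk of a stale CRL, which is that a revoked certificate is still accepted. Three smaller points in the same hunk: step 3 of "Enable FIPS Mode" tells the reader to click "Manage Devices", while the procedures under "Using Security Devices" and "Using Security Modules" name the button "Manage Security Devices", so one label should be used throughout; "more reliable that your name and password" under "Getting Your Own Certificate" should be "than"; and the "Included Certificate List" link uses an http:// URL, which for a page that tells users which CAs to trust would be better as https:// if the target supports it.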