(Optional) Configure the CRL Manually

To configure the CRL manually:

  1. Double click on the imported CA certificate.

    The Configure Trusted CA dialog is displayed.


  2. In the Revocation Configuration section, select Configure Revocation Checks Manually.
  3. If the latest CRL is not available, select Use Expired CRLs for Revocation Checks to use the expired CRL for revocation.

    Caution: If this option is enabled, the first CRL in the sequence is used. This option is useful when you want NetWitness to keep working even if the PKI system is not available. Note that the first CRL in the sequence is then always treated as valid and will not expire.

  4. In the Revocation Check Mode field, do one of the following to validate the user certificate.

    • Select Check only CRLs for Revocation to use only the CRLs.
    • Select Check only OCSP Responder for Revocation to use only the OCSP Responders.
    • Select First Check CRLs then OCSP Responder for Revocation to use the CRLs first. If all the CRLs are expired, the OCSP Responders are used.
    • Select First Check OCSP Responder Then CRLs for Revocation to use the OCSP Responders first. If all the Responders are offline or unavailable, the CRLs are used.
  5. Click the Add icon to add the CRL.


  6. To add a CRL published on an HTTP server:

    1. In the CRL Type field, select CRL is located on a HTTP server.
    2. In the URL field, specify the HTTP URL used to access the CRL.

    Note: Make sure that the CRL is available and that the HTTP server is accessible from NetWitness.

  7. To upload a CRL file downloaded from the CA:

    1. In the CRL Type field, select CRL is available as a File.
    2. In the CRL file field, click Browse to upload the CRL file.

    Note: Make sure that the CRL is downloaded from the CDP (CRL Distribution Point) location.

  8. To add an OCSP Responder:

    1. In the CRL Type field, select HTTP URL for OCSP Responder.
    2. In the URL field, specify the HTTP URL.
    3. In the Certificate field, click Browse to upload the OCSP Responder Signing Certificate.

    Note: Make sure that the OCSP Responder is accessible from NetWitness.

  9. Click Try Reading CRL.

    The NetWitness UI displays the extracted information from the CRL.

    Note: The CRL revocation check is done in the sequence in which the CRLs are added.
    For example:
    - If two CRLs are configured and both are valid, only the first CRL is considered for revocation. The second CRL is considered for revocation only after the first CRL expires.
    - If two CRLs are configured, the first CRL is expired, and you have selected Use Expired CRLs for Revocation Checks, only the first CRL is considered for the revocation check and the second CRL is ignored.

    If the CRL URL is an HTTPS location, NetWitness does not validate the web server certificate of the server on which the CRL is located.

  10. Click Save.

    The CRL file is added to NetWitness.
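The precedence rules above (revocation check mode, CRL sequence, and the Use Expired CRLs option) are easier to reason about as code. The following Python model is an added example, not NetWitness code: the class names, mode labels, URLs and sample CRLs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Model of the revocation-source precedence described in this guide; the class
# names, mode labels and sample data below are constructed for illustration.
MODES = {
    "crl_only": ("crl",),
    "ocsp_only": ("ocsp",),
    "crl_then_ocsp": ("crl", "ocsp"),   # First Check CRLs then OCSP Responder
    "ocsp_then_crl": ("ocsp", "crl"),   # First Check OCSP Responder Then CRLs
}

@dataclass(frozen=True)
class Crl:
    name: str
    next_update: datetime   # the CRL counts as expired once this time has passed
    revoked: frozenset      # serial numbers listed in the CRL

@dataclass(frozen=True)
class OcspResponder:
    url: str
    online: bool
    revoked: frozenset

def pick_crl(crls, now, use_expired):
    """Sequence rule: the first CRL is used while it is valid and later CRLs only
    once the earlier ones expire. With 'Use Expired CRLs for Revocation Checks'
    enabled, the first CRL is used regardless of expiry and the rest are ignored."""
    if use_expired and crls:
        return crls[0]
    return next((c for c in crls if c.next_update > now), None)

def pick_responder(responders):
    return next((r for r in responders if r.online), None)  # skip offline ones

def check_revocation(serial, mode, crls, responders, now, use_expired=False):
    """Return (status, source) from the first usable source in the mode's order.
    'undetermined' is this model's choice; the guide does not cover that case."""
    for kind in MODES[mode]:
        src = pick_crl(crls, now, use_expired) if kind == "crl" else pick_responder(responders)
        if src is not None:
            label = src.name if kind == "crl" else src.url
            return ("revoked" if serial in src.revoked else "good", label)
    return ("undetermined", None)

# Constructed sample data: CRLs in configured order plus one OCSP responder.
NOW = datetime(2024, 1, 1)
CRL1_STALE = Crl("crl-1", NOW - timedelta(days=1), frozenset({0x10}))
CRL2_FRESH = Crl("crl-2", NOW + timedelta(days=7), frozenset({0x20}))
RESPONDER = OcspResponder("http://ocsp.example.invalid", True, frozenset({0x30}))
```

Calling `check_revocation(0x20, "crl_only", [CRL1_STALE, CRL2_FRESH], [], NOW)` falls through to crl-2, while the same call with `use_expired=True` answers from the expired crl-1 and never looks at crl-2.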