Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide

One Identity Privileged Access Suite for Unix Introducing Authentication Services for Smart Cards Installing Authentication Services for Smart Cards Configuring Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs
Testing Authentication Services for Smart Cards Troubleshooting

Update certificates manually

By default certificates and CRLs are updated if the trusted-certs-update-interval has expired, and then only during the login process. You can request an update of the trusted certificates directory manually by using the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update

Note: You can schedule an update during off hours using a cron job.

Force an update of certificates

You can manually update the trusted certificates outside the configured period. For example, to retrieve a recently added trusted certificate, use the -f option with the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update -f

This command removes the existing certificates from the NtAuth subdirectory and retrieves all the current trusted certificates from Active Directory.

Disable bootstrap and manage certificates and CRLs manually

You can disable certificate bootstrapping and CRL downloading and distribute these items to Authentication Services clients by other means, such as Group Policy.

To disable bootstrap and manage certificates and CRLs manually

  1. Set the auto-crl-download, auto-crl-removal and bootstrap-trusted-certs options to false in the [pkinit] section of the /etc/opt/quest/vas/vas.conf files, as follows:
    [pkinit]
    auto-crl-download = false
    auto-crl-removal = false
    bootstrap-trusted-certs = false
  2. Place the trusted certificates in the /var/opt/quest/vas/certs directory.
  3. Place CRLs in the /var/opt/quest/vas/crls directory.

Testing Authentication Services for Smart Cards

After you install and configure Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers, you will want to validate your installation.

Related Documents