
Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide


Options for controlling certificate and CRL processing

Authentication Services provides a number of vas.conf options for configuring bootstrapping behavior.

Table 3: Options for configuring bootstrapping behavior
| Option | Function |
| --- | --- |
| auto-crl-download | Whether to automatically download CRLs as needed. |
| auto-crl-removal | Whether to remove out-of-date CRLs from the cache automatically. |
| bootstrap-trusted-certificate | Whether trusted certificates should be automatically retrieved from Active Directory. |
| trusted-certs-update-interval | How often trusted certs and CRL should be updated (default 8 hours). |
| auto-crl-download-bind-type | How to bind to the LDAP directory when retrieving CRLs. |

Managing certificates and CRLs

Update certificates manually

By default, certificates and CRLs are updated only during the login process, and only if the trusted-certs-update-interval has expired. To request an update of the trusted certificates directory manually, use the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update

Note: You can schedule an update during off hours using a cron job.
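
One way to act on this note, as an added example that is not from the One Identity guide: a wrapper that cron can call, which prevents overlapping runs and logs a failed refresh instead of letting it pass silently. The vastool path, lock directory, log tag and crontab line are assumptions; adjust them to the installation.

```shell
#!/bin/sh
# Added example: cron wrapper for the scheduled trusted-certificate refresh.
# Assumed, not from the guide: vastool path, lock directory, log tag, schedule.
# Constructed crontab line (02:30 daily):
#   30 2 * * * /usr/local/sbin/vas-trusted-certs.sh --run
VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"
LOCKDIR="${LOCKDIR:-/var/run/vas-trusted-certs.lock}"
TAG="vas-trusted-certs"

# Log to syslog; fall back to stderr so cron mails the message.
log() {
    logger -t "$TAG" -- "$*" 2>/dev/null || echo "$TAG: $*" >&2
}

# Returns 0 on success, 1 if the update failed, 2 if another run holds the lock.
# Extra arguments (for example -f) are passed through to vastool.
refresh_trusted_certs() {
    # mkdir is atomic, so the directory serves as a portable lock.
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "skipped: $LOCKDIR exists (previous run active, or stale lock)"
        return 2
    fi
    if out=$("$VASTOOL" smartcard trusted-certs update "$@" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    rmdir "$LOCKDIR"
    if [ "$rc" -ne 0 ]; then
        # A failed refresh leaves older certificates and CRLs in place.
        log "update failed (exit $rc): $out"
        return 1
    fi
    log "trusted certificates and CRLs updated"
    return 0
}

if [ "${1:-}" = "--run" ]; then
    refresh_trusted_certs
    exit $?
fi
```

A lock directory left behind by a killed run blocks later refreshes until it is removed, so repeated "skipped" log entries are worth alerting on.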

Force an update of certificates

You can manually update the trusted certificates outside the configured period. For example, to retrieve a recently added trusted certificate, use the -f option with the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update -f

This command removes the existing certificates from the NtAuth subdirectory and retrieves all the current trusted certificates from Active Directory.
