Authentication Services provides a number of vas.conf options for configuring bootstrapping behavior.

| Option | Description |
|---|---|
| auto-crl-download | Whether to automatically download CRLs as needed. |
| auto-crl-removal | Whether to remove out-of-date CRLs from the cache automatically. |
| bootstrap-trusted-certificate | Whether trusted certificates should be automatically retrieved from Active Directory. |
| trusted-certs-update-interval | How often trusted certificates and CRLs should be updated (default 8 hours). |
| auto-crl-download-bind-type | How to bind to the LDAP directory when retrieving CRLs. |

By default, certificates and CRLs are updated only during the login process, and only if the trusted-certs-update-interval has expired. You can request an update of the trusted certificates directory manually by using the vastool smartcard trusted-certs command, as follows:
vastool smartcard trusted-certs update
Note: You can schedule an update during off hours using a cron job.
You can manually update the trusted certificates outside the configured period. For example, to retrieve a recently added trusted certificate, use the -f option with the vastool smartcard trusted-certs command, as follows:
vastool smartcard trusted-certs update -f
This command removes the existing certificates from the NtAuth subdirectory and retrieves all the current trusted certificates from Active Directory.
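
The cron scheduling mentioned in the note above, as an added example that is not part of the original documentation: a wrapper that runs the update (optionally with -f), prevents overlapping runs, and logs failures so that stale trusted certificates or CRLs are noticed. The vastool path, the lock directory, the syslog tag, the script path in the crontab line, and the expectation that vastool exits non-zero on failure are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumed values (override via environment):
VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"             # assumed install path
LOCKDIR="${LOCKDIR:-/var/run/vas-trusted-certs.lock}"    # hypothetical lock dir
TAG="vas-trusted-certs"                                  # hypothetical syslog tag

# Log to syslog when logger is available, otherwise to stderr (cron mails it).
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$TAG" "$1"
    else
        echo "$TAG: $1" >&2
    fi
}

# refresh_trusted_certs [force]
# Returns 0 on success, 1 if the update failed, 2 if another run holds the lock.
refresh_trusted_certs() {
    mode="${1:-}"
    # mkdir is atomic, so the directory works as a portable lock.
    # A lock left behind by a killed run has to be removed by hand.
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "skipped: another update is running ($LOCKDIR exists)"
        return 2
    fi
    if [ "$mode" = "force" ]; then
        # -f discards the cached NtAuth certificates and re-fetches everything
        "$VASTOOL" smartcard trusted-certs update -f
    else
        "$VASTOOL" smartcard trusted-certs update
    fi
    rc=$?
    rmdir "$LOCKDIR"
    if [ "$rc" -ne 0 ]; then
        # Assumes vastool exits non-zero on failure.
        log "FAILED (exit $rc): trusted certificates and CRLs may be stale"
        return 1
    fi
    log "trusted certificates and CRLs updated"
    return 0
}

# Example crontab entry (02:30 daily), assuming the script is saved as
# /usr/local/sbin/vas-trusted-certs-refresh (hypothetical path):
#   30 2 * * * /usr/local/sbin/vas-trusted-certs-refresh run
if [ "${1:-}" = "run" ]; then
    refresh_trusted_certs "${2:-}"
    exit $?
fi
```

Alerting on the FAILED message in syslog gives early warning that revocation data on the host is no longer being refreshed.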