Safeguard Authentication Services 5.0.1 - Authentication Services for Smart Cards Administration Guide

Automatic CRL retrieval

By default, Safeguard Authentication Services for Smart Cards retrieves any CRLs that are required to verify the certificates presented by Active Directory, and automatically updates them as they expire and as new certificates are issued. A CRL can be retrieved only if the certificate to which it corresponds contains a CRL distribution points extension with an LDAP URI from which to download the CRL.

CRLs are stored in the /var/opt/quest/vas/crls directory.
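
The distribution-point requirement above can be checked per certificate before relying on automatic retrieval. The script below is an added example, not part of the Quest documentation; it assumes PEM-encoded certificates and the openssl command-line tool, and the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a certificate carries an LDAP CRL distribution point.

# Read `openssl x509 -noout -text` output on stdin and print each ldap:// URI found
# inside the "X509v3 CRL Distribution Points" extension only. Other extensions
# (for example Authority Information Access) can also hold ldap:// URIs, so a
# plain grep for "ldap" would over-report.
cdp_ldap_uris() {
    awk '
        /X509v3 CRL Distribution Points:/ {
            match($0, /^ */); hdr = RLENGTH; in_cdp = 1; next
        }
        in_cdp && NF > 0 {
            match($0, /^ */)
            # A line indented no deeper than the header starts the next extension.
            if (RLENGTH <= hdr) { in_cdp = 0; next }
            pos = index($0, "URI:")
            if (pos > 0) {
                uri = substr($0, pos + 4)
                if (tolower(substr(uri, 1, 7)) == "ldap://") print uri
            }
        }
    '
}

# Constructed sample of openssl text output (not taken from a real certificate).
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=Example-CA,CN=CDP,DC=example,DC=com?certificateRevocationList?base
                  URI:http://pki.example.com/Example-CA.crl

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=Example-CA,CN=AIA,DC=example,DC=com?cACertificate?base
EOF
}

# Usage: sh check-cdp.sh cert1.pem [cert2.pem ...]   (PEM input is an assumption)
for cert in "$@"; do
    uris=$(openssl x509 -in "$cert" -noout -text | cdp_ldap_uris)
    if [ -n "$uris" ]; then
        printf '%s: LDAP CDP present\n%s\n' "$cert" "$uris"
    else
        printf '%s: no LDAP CDP, CRL cannot be retrieved automatically\n' "$cert"
    fi
done
```

Running `sample_cert_text | cdp_ldap_uris` prints only the URI from the distribution points extension; the LDAP URI under Authority Information Access is ignored.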

Options for controlling certificate and CRL processing

Safeguard Authentication Services provides a number of vas.conf options for configuring bootstrapping behavior.

Table 3: Options for configuring bootstrapping behavior

Option                          Function
auto-crl-download               Whether to automatically download CRLs as needed.
auto-crl-removal                Whether to remove out-of-date CRLs from the cache automatically.
bootstrap-trusted-certificate   Whether trusted certificates should be automatically retrieved from Active Directory.
trusted-certs-update-interval   How often trusted certificates and CRLs should be updated (default 8 hours).
auto-crl-download-bind-type     How to bind to the LDAP directory when retrieving CRLs.

Managing Certificates and CRLs

Update certificates manually

By default, certificates and CRLs are updated only during the login process, and only if the trusted-certs-update-interval has expired. You can request an update of the trusted certificates directory manually by using the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update

Note: You can schedule an update during off hours using a cron job.
