Polycom realpresence group series Administrator's Manual page 154

Note: Expired CRL blocks web interface access
If the Always Validate Peer Certificates from Browsers setting is enabled and the expired CRL is
for a CA that is part of the trust chain for the client certificate sent by your browser, you can no longer
connect to the RealPresence Group system web interface because the revocation check always fails.
In this case, unless the RealPresence Group system web interface can be accessed by a user whose
client certificate's trust chain does not include the CA with the expired CRL, you must delete all
certificates and CRLs from the system and then reinstall them. See Delete Certificates and CRLs
for more information.

To use OCSP:
1 Go to Admin Settings > Security > Certificates > Revocation.
2 Configure these settings on the Revocation page and click Save.

Setting: Revocation Method
Description: Select the OCSP method.

Setting: Allow Incomplete Revocation Checks
Description: When this field is enabled, the RealPresence Group system treats the following
responses from the OCSP responder as successful revocation checks that would
otherwise be considered failed checks:
  • If the OCSP responder responds that the status is unknown or if no response is
    received, the system treats this as a successful revocation check.
Regardless of the state of this setting, the following statements apply:
  • If the OCSP responder indicates a known revoked status, the RealPresence
    Group system treats this as a revocation check failure and does not allow the
    connection.
  • If the OCSP responder indicates a known good status, the RealPresence Group
    system treats this as a successful revocation check and allows the connection.

Setting: Global Responder Address
Description: Specifies the URI of the responder that services OCSP requests (for example,
http://responder.example.com/ocsp). This responder is used for all
OCSP validation when Use Responder Specified in Certificate is disabled, and
is sometimes used even when Use Responder Specified in Certificate is
enabled. Polycom therefore recommends that you always enter a Global
Responder Address regardless of the value chosen for the Use Responder
Specified in Certificate setting.

Setting: Use Responder Specified in Certificate
Description: In some cases, the certificate itself includes the responder address. When this field
is enabled, the RealPresence Group system attempts to use the address in the
certificate (when present) instead of the Global Responder Address specified in
the previous field.
Note: The Polycom RealPresence Group system supports only the use of HTTP
URLs in the AIA field of a certificate when Use Responder Specified in
Certificate is enabled.

Note: OCSP response message and CA certificates
For validation of the OCSP response message, if you use OCSP, you might need to install one or
more additional CA certificates on the RealPresence Group systems.
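
The revocation settings described above, modelled as an added Python example (not Polycom code and not from the manual). The function names, the fallback to the Global Responder Address when the certificate carries no usable HTTP AIA URL, and the sample URLs and responder answers are assumptions made for illustration.

```python
from urllib.parse import urlparse

GOOD, REVOKED, UNKNOWN, NO_RESPONSE = "good", "revoked", "unknown", "no_response"

def pick_responder(aia_urls, global_responder, use_cert_responder):
    """Choose the OCSP responder URI; None means no responder can be queried."""
    if use_cert_responder:
        for url in aia_urls:
            # The manual states only HTTP URLs in the AIA field are supported.
            if urlparse(url).scheme.lower() == "http":
                return url
    # Assumption: with no usable AIA URL, the Global Responder Address is used.
    return global_responder or None

def connection_allowed(status, allow_incomplete):
    """Apply the documented rules: revoked always fails, good always passes."""
    if status == REVOKED:
        return False
    if status == GOOD:
        return True
    # Unknown status or no response passes only when incomplete checks are allowed.
    return allow_incomplete

def evaluate(aia_urls, settings, answers):
    """Return (responder, status, allowed) for one peer certificate.

    `answers` maps responder URI -> status and stands in for the network.
    """
    responder = pick_responder(aia_urls, settings["global_responder"],
                               settings["use_cert_responder"])
    status = answers.get(responder, NO_RESPONSE) if responder else NO_RESPONSE
    return responder, status, connection_allowed(status, settings["allow_incomplete"])

# Constructed sample data: one responder, which reports the certificate as revoked.
ANSWERS = {"http://responder.example.com/ocsp": REVOKED}
LDAP_ONLY_AIA = ["ldap://ca.example.com/ocsp"]  # constructed, non-HTTP AIA URL

if __name__ == "__main__":
    cases = {
        "no global responder, incomplete allowed":
            {"global_responder": "", "use_cert_responder": True, "allow_incomplete": True},
        "no global responder, incomplete denied":
            {"global_responder": "", "use_cert_responder": True, "allow_incomplete": False},
        "global responder set, incomplete allowed":
            {"global_responder": "http://responder.example.com/ocsp",
             "use_cert_responder": True, "allow_incomplete": True},
    }
    for name, settings in cases.items():
        print(name, "->", evaluate(LDAP_ONLY_AIA, settings, ANSWERS))
```

The first case shows why the Global Responder Address recommendation matters: with no reachable responder and Allow Incomplete Revocation Checks enabled, a revoked certificate is accepted.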