# What is CertCache?
A client certificate, on its own, can only be in one of three states: not yet valid, valid, or no longer valid (expired). The issuing CA can add a fourth state - revoked - which is determined by checking a [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) or by querying the CA's [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint. CRLs can become very large, and there is always a lag between a certificate being revoked and an updated CRL being downloaded. OCSP is always up to date, but it requires an HTTP call per check, and the performance of that call can vary.
Additionally, Stanford only allows certificates to be used if they are associated with a compliant device, as determined by the Device Registry (based on data from BigFix or VLRE agents, AirWatch MDM, and other sources). Rather than require users to re-enroll for a new certificate anytime their device becomes non-compliant, we want to track when certificates cannot be used.
For these reasons, and to avoid making separate OCSP and Device Registry API calls for every authentication, we keep a separate cache of certificate information - CertCache.
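The state model above, as an added illustration (this is not CertCache's own code or schema): the three time-window states are decided locally from the certificate, while the two externally determined states (revoked per OCSP, blocked because the device is non-compliant per the Device Registry) are fetched once per serial and cached with a TTL so repeated authentications do not repeat the round-trips. The `sample_ocsp` and `sample_registry` functions are constructed stand-ins for those two services.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Tuple

@dataclass(frozen=True)
class ClientCert:
    serial: str
    not_before: datetime
    not_after: datetime

def validity_state(cert: ClientCert, now: datetime) -> str:
    """The three states the certificate's own validity window can express."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    return "valid"

class CertCache:
    """Memoizes the two externally determined states (revoked per OCSP, blocked per
    the Device Registry) so each is fetched at most once per TTL per serial."""
    def __init__(self, ocsp_revoked: Callable[[str], bool],
                 device_compliant: Callable[[str], bool], ttl: timedelta):
        self._ocsp, self._registry, self._ttl = ocsp_revoked, device_compliant, ttl
        self._entries: Dict[str, Tuple[datetime, str]] = {}  # serial -> (fetched_at, state)
        self.lookups = 0  # round-trips actually made; the cache exists to keep this low

    def _refresh(self, serial: str, now: datetime) -> str:
        self.lookups += 1
        if self._ocsp(serial):
            state = "revoked"
        elif not self._registry(serial):
            state = "device_noncompliant"
        else:
            state = "usable"
        self._entries[serial] = (now, state)
        return state

    def check(self, cert: ClientCert, now: datetime) -> str:
        state = validity_state(cert, now)  # time-window states need no external call
        if state != "valid":
            return state
        hit = self._entries.get(cert.serial)
        if hit and now - hit[0] < self._ttl:
            return hit[1]  # fresh enough: skip OCSP and the Device Registry
        return self._refresh(cert.serial, now)

# Constructed stand-ins for the OCSP responder and the Device Registry API.
SAMPLE_REVOKED, SAMPLE_COMPLIANT = {"0x02"}, {"0x01", "0x02"}
sample_ocsp = lambda serial: serial in SAMPLE_REVOKED
sample_registry = lambda serial: serial in SAMPLE_COMPLIANT
```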
# CertCache Documentation
CertCache is a set of APIs and a database for maintaining extra information about client certificates issued by CloudPath. It is designed to integrate with the following services: