Can SLS generate CRLs for X.509 certificates it has issued?

Former Member
0 Kudos

We are activating SLS 2 SP06 to generate X.509 certificates for our iPad users.

The certificates will have a long lifetime so we need to be able to revoke them if an iPad is lost.

Is there a solution for this?

Thank you for your help.

Russ

Accepted Solutions (0)

Answers (4)

0 Kudos

Hi Colin

We had a similar function with longer lifetime certificates before rolling out the SAP authenticator app. Before then we placed rewrite rules within the web dispatcher to block client certificates for a device that was lost. i.e. SSL_CLIENT_CERT_SUBJECT as per SAP Note 1612828.

This was in addition to the recommendation that Stephan has made, i.e. locking associated accounts.

Rgrds

Craig

donka_dimitrova
Contributor
0 Kudos

Dear Colin,

If you and your team would like to find out more about the future direction and plans for improvement of the SAP Single Sign-On product, you can simply join the SAP Single Sign-On Customer Engagement Initiative.

Regards,

Donka Dimitrova

former_member200373
Participant
0 Kudos

Secure Login Server is designed to issue short-lived certificates in a short-term way. One of the reasons for such an approach is to eliminate the need for revocation management of certificates.

However, SLS also allows configuring longer lifetimes. The recommendation here is to revoke or lock at the account and permission level. If your iPad was stolen, there will be more risks to be handled than this certificate.

But we are also planning the integration of third-party enterprise PKIs like ADCS, allowing to issue certificates with CRL DPs or OCSP AIAs. SLS then acts as a Registration Authority with the full bundle of user authentication and user name mapping capabilities.

-- Stephan

kuhnen
Explorer
0 Kudos

Hi Colin,

Since SLS is designed to issue short-term X509 certificates, it does not need to generate CRLs for X509 certificates. The concept is based on the short-term validity of X509 certificates, and therefore there is no need for a CRL feature on the SLS.

Regards,

Marcus
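The two compensating controls described in this thread (Craig's Web Dispatcher rule that blocks a lost device by its SSL_CLIENT_CERT_SUBJECT, and the short-lifetime approach Stephan and Marcus describe) can be shown side by side as a small policy check. The following script is an added example, not code from this thread, from SAP or from SAP Note 1612828; the real block is a Web Dispatcher rewrite rule, and only the matching and lifetime logic is emulated here. The subject DNs, the 8-hour lifetime limit, the timestamps and the block list are all constructed sample values.

```python
"""Added example, not code from the SAP Community thread or from SAP: a
defender-side emulation of the two ways the answers above handle a lost
iPad's certificate.

* Craig's approach: deny the client certificate by matching the subject DN
  the Web Dispatcher exposes as SSL_CLIENT_CERT_SUBJECT against a block list
  (in production this is a Web Dispatcher rewrite rule per SAP Note 1612828;
  only the matching logic is shown here).
* Stephan's and Marcus's approach: rely on short-lived certificates, so a
  certificate that cannot be revoked simply stops working. The check below
  enforces a maximum accepted lifetime and rejects expired certificates.

All subjects, dates and the lifetime limit are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

# Constructed block list: subjects of certificates issued to devices reported lost.
LOST_DEVICE_SUBJECTS = {
    "CN=jdoe,OU=iPad Users,O=Example Corp,C=DE",
}

# Assumed policy: certificates without a CRL distribution point are only
# accepted if their total lifetime is at most this long.
MAX_LIFETIME = timedelta(hours=8)


def parse_dn(dn):
    """Parse an RFC 4514-style DN string into a dict keyed by attribute type.

    'CN=jdoe,OU=iPad Users,O=Example Corp,C=DE' ->
    {'CN': 'jdoe', 'OU': 'iPad Users', 'O': 'Example Corp', 'C': 'DE'}
    Backslash-escaped commas inside a value are kept as part of the value.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, e.g. '\,'
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends an RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    result = {}
    for part in parts:
        attr, _, value = part.partition("=")
        result[attr.strip().upper()] = value.strip()
    return result


def normalize_dn(dn):
    """Canonical form so that attribute order and spacing do not matter."""
    return tuple(sorted(parse_dn(dn).items()))


BLOCKED = {normalize_dn(s) for s in LOST_DEVICE_SUBJECTS}


def is_blocked_subject(subject):
    """True if the presented subject belongs to a device reported lost."""
    return normalize_dn(subject) in BLOCKED


def check_client_certificate(subject, not_before, not_after, now=None):
    """Return (allowed, reason) for one presented client certificate."""
    now = now or datetime.now(timezone.utc)
    if is_blocked_subject(subject):
        return False, "subject is on the lost-device block list"
    if not_after - not_before > MAX_LIFETIME:
        return False, "lifetime exceeds the limit for certificates without revocation"
    if not (not_before <= now <= not_after):
        return False, "certificate is outside its validity period"
    return True, "accepted"


# Constructed sample events; the first subject uses a different attribute order
# and spacing than the block list entry, as a proxy might present it.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    ("C=DE, O=Example Corp, OU=iPad Users, CN=jdoe",
     NOW - timedelta(hours=1), NOW + timedelta(hours=7)),
    ("CN=asmith,OU=iPad Users,O=Example Corp,C=DE",
     NOW - timedelta(hours=1), NOW + timedelta(hours=7)),
    ("CN=bjones,OU=iPad Users,O=Example Corp,C=DE",
     NOW - timedelta(days=1), NOW + timedelta(days=364)),
    ("CN=asmith,OU=iPad Users,O=Example Corp,C=DE",
     NOW - timedelta(hours=9), NOW - timedelta(hours=1)),
]


def evaluate_samples():
    """Run the policy over the sample events; returns (subject, allowed, reason)."""
    return [(s, *check_client_certificate(s, nb, na, now=NOW))
            for s, nb, na in SAMPLE_CERTS]


if __name__ == "__main__":
    for subject, allowed, reason in evaluate_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {subject}: {reason}")
```

The block list is compared on a normalized DN rather than on the raw string, because the subject a proxy exposes may differ from the issued certificate in attribute order and whitespace; a plain string match would let a lost device slip through. The lifetime check is what makes the CRL-less design in Stephan's and Marcus's answers acceptable: a certificate that cannot be revoked must expire quickly, so the policy refuses long-lived certificates outright.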