Verifying Server certificatesVerifying server certificates is mandatory in the TLS protocol.As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificatesagainst installed CA certificates.NOTE: As part of the certificate verification, the hostname or IP address of the server is verified against the hostname or IPaddress specified in the application. For example, when using SYSLOG over TLS, the hostname or IP address specified in thelogging syslog-server secure port port-number command is compared against the SubjectAltName or CommonName field in the server certificate.Verifying Client CertificatesVerifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria.However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.Event loggingThe system logs the following events:• A CA certificate is installed or deleted.• A self-signed certificate and private key are generated.• An existing host certificate, a private key, or both are deleted.• A host certificate is installed successfully.• An installed certificate (host certificate or CA certificate) is within seven days of expiration. This alert is repeated periodically.• An OCSP request is not answered with an OCSP response.• A secure session negotiation fails due to invalid, expired, or revoked certificate.1146 X.509v3