Configuration of the CRL function involves the definition of the path to the CRL and additional parameters such as the update interval.
LANconfig: VPN / IKE Auth.
WEBconfig: LCOS menu tree / Setup / VPN / Certificates-and-Keys / CRLs
- CRL function [Default: Off]
- Enabled: During the certificate check, the CRL (if available) will be considered as well.
Note: If this option is activated but no valid CRL is available (e.g. if the server can't be reached), then all connections will be rejected and existing connections will be interrupted.
- Use alternative URL [Default: No]
- No: Only the URL defined in the root certificate is to be used.
- Yes, always: The alternative URL will always be used even if a URL is entered into the root certificate.
- Yes, alternative: The alternative URL will only be used if there is no URL entered into the root certificate.
- Alternative URL
- This is an alternative URL which can be used to retrieve a CRL.
- Single prefetch [Default: 300 seconds]
- The lead time before expiry of the CRL at which the new CRL is loaded. This value is increased by a random value to prevent server overload from multiple simultaneous queries. Within this time frame, any regularly scheduled updates that coincide with it are suppressed.
Note: If the first attempt to load the CRL fails, new attempts are made at regular short intervals.
- Continuous prefetch [Default: 0 seconds]
- The time period after which periodic attempts are made to retrieve a new CRL. Useful for the early retrieval of CRLs published at irregular intervals. The entry '0' disables regular retrieval.
Note: If the CRL cannot be retrieved during a regular update, no further attempts will be started until the next regular attempt.
- Validity tolerance
- Even after expiry of the CRL, certificate-based connections will continue to be accepted for the period defined here. This tolerance period can prevent the unintentional rejection or interruption of connections if the CRL server should be temporarily unavailable.
Note: Within the time period defined here, even certificates that are listed in the expired CRL can still be used to maintain or establish a connection.
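The following Python model illustrates how the settings above interact: when the next CRL download is due (single prefetch window with random spread suppressing a coinciding continuous update) and how the validity tolerance changes the outcome of a certificate check. It is an added illustration, not LCOS code; the class and function names, the jitter range and the sample CRL are assumptions.

```python
import random
from dataclasses import dataclass, field


@dataclass
class CrlPolicy:
    """CRL settings from the menu above (all times in seconds). Names are assumed."""
    enabled: bool = False          # CRL function
    single_prefetch: int = 300     # lead time before CRL expiry
    continuous_prefetch: int = 0   # periodic retrieval interval, 0 disables it
    validity_tolerance: int = 0    # grace period after CRL expiry


@dataclass
class Crl:
    """Constructed stand-in for a downloaded CRL: expiry (nextUpdate) and revoked serials."""
    next_update: int
    revoked: set = field(default_factory=set)


def next_fetch_time(policy, next_update, last_fetch, jitter=None):
    """Return the time at which the next CRL download is due.

    Single prefetch opens a window `single_prefetch + jitter` seconds before the
    CRL expires; a continuous (periodic) update that would fall inside that
    window is dropped, so the prefetch is the next download instead."""
    if jitter is None:
        jitter = random.randint(0, 60)  # assumed range for the random spread
    window_start = next_update - policy.single_prefetch - jitter
    if policy.continuous_prefetch > 0:
        periodic = last_fetch + policy.continuous_prefetch
        if periodic < window_start:
            return periodic             # regular update happens before the window
    return window_start                 # coinciding regular update is suppressed


def certificate_accepted(policy, crl, serial, now):
    """Decide whether a certificate passes the CRL part of the check."""
    if not policy.enabled:
        return True                     # CRL function off: CRL not consulted
    if crl is None:
        return False                    # no valid CRL: every connection rejected
    if now > crl.next_update + policy.validity_tolerance:
        return False                    # CRL expired beyond the tolerance period
    if now > crl.next_update:
        return True                     # inside tolerance: accepted even if listed
    return serial not in crl.revoked    # CRL valid: revoked serials are rejected
```

The tolerance branch is the point of the note above: while the expired CRL is tolerated, a revoked certificate is no longer rejected, so the tolerance should be kept as short as the CRL server's availability allows.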