Certificate revocation list – CRL

Certificates for VPN connections have a validity period defined by a start date and an end date. During this period the certificate can be used to establish a VPN connection. If an employee leaves the company, it must be possible to declare the certificates they used, for example for mobile VPN access, as invalid. This prevents continued access to the company network and does not require any changes to the VPN router configuration.

Because the certificate itself is physically in the possession of the former employee and cannot be altered, a certificate revocation list (CRL) is used instead. Certificates that are no longer valid are entered into the CRL; CRLs are supported by Microsoft CA and OpenSSL, for example. The CRL is made available on a suitable server. The URL from which a router downloads the CRL into its own memory is entered into the root certificate of the VPN router and/or into the configuration of the device itself.

The CA renews the CRL at regular intervals so that changes to the CRL, such as withdrawn certificates, reach the VPN routers in good time. The schedule for these regular CRL updates is defined when the CA is set up. After the CRL has been updated and stored on the server (manually or automatically), the VPN router must update its own copy as well. To do this, the router reads the validity period of the CRL and, shortly before it expires, attempts to load a current version. Alternatively, a regular update interval based on the CRL's validity period can be configured in the router.

When a connection is being established, the VPN router checks whether the remote site's certificate is listed in the current CRL. Connections to remote sites without a valid certificate are rejected.
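The workflow described above, as an added example that is not LANCOM's or the product's own code: a small CA issues a VPN client certificate that carries the CRL download URL, revokes a certificate into a CRL with a validity period, and a router-side check implements the decisions the text describes (verify the CRL came from the CA, refresh it shortly before it expires, reject revoked or unverifiable certificates). It assumes the third-party Python `cryptography` package; the CA name, the employee names, the placeholder URL and all lifetimes are constructed for this example.

```python
# Added example (not LANCOM code). Requires the third-party `cryptography` package.
# CA name, employee names, CRL_URL and lifetimes are constructed for illustration.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UTC = dt.timezone.utc
CRL_URL = "http://crl.example.invalid/vpn-ca.crl"  # placeholder distribution point


def make_ca(now):
    """Self-signed CA that issues VPN certificates and signs the CRL."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example VPN CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_vpn_cert(ca_key, ca_cert, common_name, now, days=365):
    """Client certificate with a start/end date and the CRL download URL embedded."""
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_certs, now, days=7):
    """CRL signed by the CA; its nextUpdate field is the CRL's validity end."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + dt.timedelta(days=days)))
    for cert in revoked_certs:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(cert.serial_number)
                 .revocation_date(now)
                 .add_extension(x509.CRLReason(x509.ReasonFlags.cessation_of_operation),
                                critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_url_of(cert):
    """URL a router would download the CRL from (CRL distribution point extension)."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return ext[0].full_name[0].value


def _crl_next_update(crl):
    # Newer `cryptography` releases expose aware datetimes; older ones are naive UTC.
    nu = getattr(crl, "next_update_utc", None)
    return nu if nu is not None else crl.next_update.replace(tzinfo=UTC)


def _cert_validity(cert):
    nvb = getattr(cert, "not_valid_before_utc", None)
    nva = getattr(cert, "not_valid_after_utc", None)
    if nvb is None or nva is None:
        nvb = cert.not_valid_before.replace(tzinfo=UTC)
        nva = cert.not_valid_after.replace(tzinfo=UTC)
    return nvb, nva


def crl_refresh_due(crl, now, margin=dt.timedelta(hours=1)):
    """Router policy: fetch a fresh CRL shortly before the stored one expires."""
    return now >= _crl_next_update(crl) - margin


def router_check(ca_cert, crl, peer_cert, now):
    """Decision for one connection attempt, using the router's stored CRL."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "reject: CRL not signed by our CA"
    if now > _crl_next_update(crl):
        return "reject: CRL expired, download a current one first"
    try:
        ca_cert.public_key().verify(peer_cert.signature, peer_cert.tbs_certificate_bytes,
                                    ec.ECDSA(peer_cert.signature_hash_algorithm))
    except InvalidSignature:
        return "reject: peer certificate not issued by our CA"
    nvb, nva = _cert_validity(peer_cert)
    if not nvb <= now <= nva:
        return "reject: peer certificate outside its validity period"
    if crl.get_revoked_certificate_by_serial_number(peer_cert.serial_number) is not None:
        return "reject: peer certificate is revoked"
    return "accept"


if __name__ == "__main__":
    now = dt.datetime.now(UTC).replace(microsecond=0)
    ca_key, ca_cert = make_ca(now)
    alice = issue_vpn_cert(ca_key, ca_cert, "employee-alice", now)
    bob = issue_vpn_cert(ca_key, ca_cert, "employee-bob", now)
    crl = build_crl(ca_key, ca_cert, [bob], now)  # bob has left the company
    print("CRL download URL:", crl_url_of(alice))
    print("alice:", router_check(ca_cert, crl, alice, now))
    print("bob:  ", router_check(ca_cert, crl, bob, now))
```

Run it directly to see one accepted and one rejected connection. Note that the router's decision depends on the CRL it has stored: once that CRL passes its nextUpdate time, the check refuses connections until a current CRL has been loaded, which is why the refresh-before-expiry policy matters.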

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
