Configuring the CRL function

The address from which a certificate revocation list (CRL) can be retrieved is normally defined in the certificate itself (as crlDistributionPoint). Configuration of the CRL function involves the definition of additional parameters such as the update interval.

Configuration tool   Request
LANconfig            Certificates > CRL
CLI                  Setup > Certificates > CRLs
CRL client utilization activated
When the validity of a certificate is checked, the CRL is consulted if one is available.
Important: With the CRL function activated, a newly started system blocks all new (certificate-based) connections until it holds a valid CRL that covers the certificate. Existing connections are maintained, but their subsequent phase 1 rekeying will fail until a valid CRL is available.
Update before (per CRL)
The lead time before the expiry of the current CRL at which the system starts to download a new one. This value is always increased by a random value from 0 to 59 seconds so that many devices sharing one CA do not query the server at the same instant. At the beginning of this period, regular updating (if configured) is stopped.
Important: If the CRL cannot be retrieved within this period, a new attempt is made every 30 seconds.
Retrieve regularly (per CRL)
The interval between regular attempts to download a new CRL. In case the CA spontaneously issues a new CRL (i.e. in the middle of the current CRL's validity period), this interval defines how often a new CRL is fetched after the previous download, so that the new list is used sooner than it would be if the system waited for the current CRL to expire. An interval of 0 switches this function off.
Important: If a regular update fails, no further attempt is made until the next regular attempt.
Validity check tolerance
Even after the CRL has expired, certificate-based connections continue to be accepted for the period defined here. This tolerance period prevents connections from being unintentionally rejected or interrupted if the CRL server is temporarily unavailable.
Important: Within this period the system keeps validating against the expired CRL, so a certificate that the CA has revoked since that CRL was issued is not yet known to the system and can still be used to maintain or establish a connection. Choose the tolerance as the longest CRL-server outage you are willing to bridge, not longer.
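As an added example (not LANCOM firmware code), the following Python models the rules stated under "Update before", "Retrieve regularly" and "Validity check tolerance": when the next download is scheduled (including the 0 to 59 second spread), when the system retries after a failed fetch, and whether a certificate-based connection or phase 1 rekey is accepted for a given clock time. The CRL contents, timestamps and parameter values are constructed for illustration; the function and field names are the example's own.

```python
"""Model of the CRL refresh schedule and validity-check rules described above.

Added example, not LANCOM firmware code. The CRL, timestamps and parameter
values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from random import randint
from typing import FrozenSet, Optional, Tuple

UTC = timezone.utc
RETRY_INTERVAL = timedelta(seconds=30)   # retry cadence after a failed "update before" fetch


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime                # CRL expiry
    revoked_serials: FrozenSet[int]


@dataclass(frozen=True)
class CrlConfig:
    update_before: timedelta             # lead time before next_update
    retrieve_regularly: timedelta        # interval between regular fetches, 0 = off
    validity_tolerance: timedelta        # grace period after next_update


def update_before_start(crl: Crl, cfg: CrlConfig) -> datetime:
    """Start of the 'update before' period; regular updating stops here."""
    return crl.next_update - cfg.update_before


def planned_fetch_time(crl: Crl, cfg: CrlConfig,
                       jitter_seconds: Optional[int] = None) -> datetime:
    """When the pre-expiry download is scheduled.

    The configured lead time is increased by a random 0..59 s so that many
    devices sharing one CA do not hit the CRL server at the same instant.
    """
    if jitter_seconds is None:
        jitter_seconds = randint(0, 59)
    return update_before_start(crl, cfg) - timedelta(seconds=jitter_seconds)


def next_regular_attempt(last_download: datetime, crl: Crl,
                         cfg: CrlConfig) -> Optional[datetime]:
    """Next regular fetch after a successful download, or None when the
    function is off (interval 0) or the attempt would fall inside the
    'update before' period."""
    if cfg.retrieve_regularly == timedelta(0):
        return None
    candidate = last_download + cfg.retrieve_regularly
    if candidate >= update_before_start(crl, cfg):
        return None
    return candidate


def next_attempt_after_failure(failed_at: datetime, crl: Crl,
                               cfg: CrlConfig) -> Optional[datetime]:
    """Inside the 'update before' period the device retries every 30 s;
    during regular updating it waits for the next regular attempt."""
    if failed_at >= update_before_start(crl, cfg):
        return failed_at + RETRY_INTERVAL
    if cfg.retrieve_regularly == timedelta(0):
        return None
    return failed_at + cfg.retrieve_regularly


def check_certificate(serial: int, crl: Optional[Crl], cfg: CrlConfig,
                      now: datetime) -> Tuple[bool, str]:
    """Accept or reject a certificate-based connection (or phase 1 rekey)."""
    if crl is None:
        return False, "no valid CRL yet: new connections are blocked"
    if serial in crl.revoked_serials:
        return False, "serial is listed in the CRL"
    if now <= crl.next_update:
        return True, "CRL valid and serial not listed"
    if now <= crl.next_update + cfg.validity_tolerance:
        # Accepted on the strength of a stale list: a certificate revoked
        # since this CRL was issued is not yet known to the device.
        return True, "CRL expired but within validity check tolerance"
    return False, "CRL expired beyond validity check tolerance"


# Constructed sample data (not a real CA or CRL).
SAMPLE_CRL = Crl(
    issuer="CN=Example Issuing CA",
    this_update=datetime(2024, 1, 1, tzinfo=UTC),
    next_update=datetime(2024, 1, 8, tzinfo=UTC),
    revoked_serials=frozenset({0x1001}),
)
SAMPLE_CFG = CrlConfig(
    update_before=timedelta(hours=1),
    retrieve_regularly=timedelta(days=1),
    validity_tolerance=timedelta(hours=2),
)

if __name__ == "__main__":
    print("planned fetch:", planned_fetch_time(SAMPLE_CRL, SAMPLE_CFG))
    for t in (datetime(2024, 1, 3, tzinfo=UTC),
              datetime(2024, 1, 8, 1, tzinfo=UTC),
              datetime(2024, 1, 8, 3, tzinfo=UTC)):
        print(t, check_certificate(0x2002, SAMPLE_CRL, SAMPLE_CFG, t))
```

Run it to see the three outcomes for the same unrevoked serial: accepted while the CRL is valid, still accepted one hour after expiry (inside the two-hour tolerance), rejected three hours after expiry. The boundary of the "update before" period is taken without the random spread, which matches the page's statement that regular updating stops at the beginning of the period; the spread only moves the actual download earlier.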
Alternative URLs
In addition to the crlDistributionPoint URL carried in the certificate, alternative CRL URLs can be specified in a table in the firmware. After a system start the CRLs are automatically retrieved from these URLs and used in addition to the lists referenced by the certificates.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de