[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Checking Certificate Validity Using CRLs

During IKE Phase 1 negotiations, each peer consults the CRL to check whether the certificates received in the IKE exchange have been revoked. If a CRL did not accompany the CA certificate and none is loaded on the device, JUNOS Software tries to retrieve the CRL from the LDAP or HTTP CRL distribution point (CDP) URL carried in the CA certificate itself. If the CA certificate carries no CDP URL, the device uses the CRL server URL that you define for that CA certificate. If you do not define a CRL URL for a particular CA certificate, the device retrieves the CRL from the URL configured in the CA profile.

Before You Begin

  1. Obtain a certificate either online or manually. See Obtaining Digital Certificates Online or Obtaining Digital Certificates Manually.
  2. For background information, read:

Note: The CRL distribution point (CDP) extension in an X.509 certificate can carry either an HTTP URL or an LDAP URL.
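The lookup order described above, together with the revocation check itself, as an added example that is not part of this page or of JUNOS Software. It uses the Python `cryptography` library to construct a CA, an end-entity certificate carrying a CDP extension, and a CRL signed by that CA (all constructed in-line for illustration; the names sm1 and http://abc mirror the page's placeholders, and the other URLs and subject names are invented), then selects the CRL source in the documented order and refuses to use a CRL that is not signed by the CA or whose nextUpdate has passed.

```python
# Added example, not Juniper's code. CA, certificate, CRL and URLs are constructed here.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Constructed CA; 'sm1' is the CA identity used in the J-Web steps."""
    return ec.generate_private_key(ec.SECP256R1()), _name("sm1")


def issue_cert(ca_key, ca_name, subject_cn, cdp_urls=()):
    """Issue an end-entity certificate; add a CDP extension only if URLs are given."""
    now = datetime.datetime.now(UTC)
    key = ec.generate_private_key(ec.SECP256R1())
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn)).issuer_name(ca_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1)))
    if cdp_urls:
        points = [x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(u)],
                                         relative_name=None, reasons=None, crl_issuer=None)
                  for u in cdp_urls]
        builder = builder.add_extension(x509.CRLDistributionPoints(points), critical=False)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def make_crl(ca_key, ca_name, revoked_serials, next_update_hours=24):
    """Constructed CRL signed by the CA. A negative next_update_hours yields a stale CRL."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
               .last_update(now - datetime.timedelta(days=2))
               .next_update(now + datetime.timedelta(hours=next_update_hours)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now - datetime.timedelta(minutes=1)).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def serial_of(cert_der):
    return x509.load_der_x509_certificate(cert_der).serial_number


def crl_urls_from_cert(cert_der):
    """HTTP/LDAP URLs from the certificate's CDP extension, in order; [] if none."""
    cert = x509.load_der_x509_certificate(cert_der)
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    urls = [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]
    # Only the two transports the page names are usable for fetching a CRL.
    return [u for u in urls if u.lower().startswith(("http://", "ldap://"))]


def select_crl_source(cert_der, profile_crl_url=None):
    """Lookup order from this page: CDP in the certificate first, then the URL
    configured under 'revocation-check crl url' in the CA profile."""
    urls = crl_urls_from_cert(cert_der)
    if urls:
        return "cdp", urls[0]
    if profile_crl_url:
        return "ca-profile", profile_crl_url
    return "none", None


def is_revoked(cert_der, crl_der, ca_public_key):
    """Decision a peer makes in Phase 1: reject a CRL not signed by the CA or past
    nextUpdate (raise, so the caller re-fetches); otherwise look the serial up."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature invalid: refuse to use it")
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:  # older cryptography releases expose naive UTC
        next_update = crl.next_update.replace(tzinfo=UTC)
    if next_update < datetime.datetime.now(UTC):
        raise ValueError("CRL is stale (nextUpdate passed): fetch a fresh one")
    return crl.get_revoked_certificate_by_serial_number(serial_of(cert_der)) is not None
```

A CRL that fails either precondition is treated as absent rather than as "nothing revoked"; that is the fail-closed behaviour you want from a revocation check, and it is why the stale case raises instead of returning False.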

This topic covers:

J-Web Configuration

To configure a certificate authority profile:

  1. Select Configure>CLI Tools>Point and Click CLI
  2. Next to Security, click Configure or Edit.
  3. Next to PKI, select the check box and click Configure.
  4. Next to Ca profile, click Add new entry.
  5. In the Ca profile name box, type my_profile.
  6. In the Ca identity box, type sm1.
  7. Next to Revocation check, click Configure.
  8. Next to Crl, click Configure.
  9. Next to Url, click Add new entry.
  10. In the Url string, type http://abc and click OK.
  11. If you are finished configuring the device, click Commit to commit the configuration.
  12. To check the configuration, see Verifying the Validity of a Certificate.

CLI Configuration

The following command enables CRL-based revocation checking for certificates issued under the CA profile called my_profile and, if a CRL did not accompany the CA certificate and none is loaded on the device, directs the device to retrieve the CRL from the URL http://abc.

user@host# set security pki ca-profile my_profile revocation-check crl url http://abc
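The same profile as a complete sequence of CLI statements, followed by the operational commands used to confirm that the CRL is actually in place. This is an added example rather than configuration taken from the page: my_profile, sm1 and http://abc are the page's placeholders, the 24-hour refresh interval and the file path /var/tmp/crl.der are assumptions, and the refresh-interval and on-download-failure options and the show/request pki commands are standard Junos PKI statements that this topic does not itself cover.

```junos
user@host# set security pki ca-profile my_profile ca-identity sm1
user@host# set security pki ca-profile my_profile revocation-check crl url http://abc
user@host# set security pki ca-profile my_profile revocation-check crl refresh-interval 24
user@host# commit

user@host> show security pki ca-certificate ca-profile my_profile detail
user@host> show security pki crl ca-profile my_profile
user@host> request security pki crl load ca-profile my_profile filename /var/tmp/crl.der
```

The refresh-interval statement makes the device re-download the CRL on a schedule instead of trusting a cached copy until its nextUpdate. The show security pki ca-certificate ... detail output lets you confirm whether the CA certificate carries a CDP URL, which is the first source consulted in the lookup order; show security pki crl shows the CRL currently loaded, and the request ... crl load form is the manual path for a CRL obtained out of band when the device cannot reach the URL. Avoid adding revocation-check crl disable on-download-failure unless you consciously accept fail-open behaviour: with that option the IKE session is allowed to proceed when the CRL cannot be downloaded, whereas the default treats an unavailable CRL as a failed check.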

Related Topics

