Related Documentation
- J Series
- Understanding Certificates and PKI
- Example: Manually Loading a CRL onto the Device
- Example: Verifying Certificate Validity
- Deleting a Loaded CRL (CLI Procedure)
- Example: Configuring a Certificate Authority Profile with CRL Locations
- LN Series
- Understanding Certificates and PKI
- Example: Manually Loading a CRL onto the Device
- Example: Verifying Certificate Validity
- Deleting a Loaded CRL (CLI Procedure)
- Example: Configuring a Certificate Authority Profile with CRL Locations
- SRX Series
- Understanding Certificates and PKI
- Example: Manually Loading a CRL onto the Device
- Example: Verifying Certificate Validity
- Deleting a Loaded CRL (CLI Procedure)
- Example: Configuring a Certificate Authority Profile with CRL Locations
- Additional Information
- Public Key Infrastructure Feature Guide for Security Devices
Understanding Certificate Revocation Lists
In the normal course of business, certificates are revoked for various reasons. You might wish to revoke a certificate if you suspect that it has been compromised, for example, or when a certificate holder leaves the company.
You can manage certificate revocations and validations in two ways:
- Locally: this is a limited solution.
- By referencing a Certificate Authority (CA) certificate revocation list (CRL): you can automatically access the CRL online at intervals you specify or at the default interval set by the CA.
In IKE Phase 1 negotiations, participants check the CRL to see whether the certificates received during the IKE exchange are still valid. If a CRL did not accompany the CA certificate and none is loaded on the device, the device tries to download one automatically from the CRL distribution point of the local certificate. If the device cannot connect to the URL in the CRL distribution point (CDP), it tries to retrieve the CRL from the URL configured in the CA profile.
If the certificate does not contain a CRL distribution point extension, and you cannot retrieve the CRL automatically through Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP), you can retrieve the CRL manually and load it onto the device.
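The lookup order described above (loaded CRL, then the certificate's CDP URL, then the CA profile URL, then manual loading), as an added illustration that is not Juniper's code. It uses constructed stand-ins for certificates and CRLs and a fetch stub in place of LDAP or HTTP, and it additionally ignores a CRL whose nextUpdate has passed, which the text does not spell out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Constructed stand-ins for the real ASN.1 objects; a device would also verify
# each CRL's signature against the CA certificate before trusting it.
@dataclass
class CRL:
    issuer: str
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)

@dataclass
class Certificate:
    issuer: str
    serial: int
    cdp_url: Optional[str] = None  # URL from the CRL Distribution Points extension

def resolve_crl(cert: Certificate, loaded: Dict[str, CRL], ca_profile_url: Optional[str],
                fetch, now: datetime) -> Tuple[Optional[CRL], str]:
    """Try, in order: a CRL already loaded for the issuer, the certificate's CDP
    URL, then the CRL URL from the CA profile. A CRL from another issuer, or one
    whose nextUpdate has passed, is not usable and the next source is tried."""
    attempts = [
        ("loaded", lambda: loaded.get(cert.issuer)),
        ("cdp", lambda: fetch(cert.cdp_url) if cert.cdp_url else None),
        ("ca-profile", lambda: fetch(ca_profile_url) if ca_profile_url else None),
    ]
    for source, attempt in attempts:
        crl = attempt()
        if crl is not None and crl.issuer == cert.issuer and crl.next_update > now:
            return crl, source
    return None, "manual-load-required"

def certificate_status(cert, loaded, ca_profile_url, fetch, now):
    """Return ('good' | 'revoked' | 'unknown', source). 'unknown' means no current
    CRL was found; the conservative choice is to reject the peer until one is
    loaded manually (an assumption of this example, not a statement about Junos)."""
    crl, source = resolve_crl(cert, loaded, ca_profile_url, fetch, now)
    if crl is None:
        return "unknown", source
    return ("revoked" if cert.serial in crl.revoked_serials else "good"), source

# Constructed sample data: one reachable CRL URL; any other URL "fails to download".
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
FRESH = NOW + timedelta(days=7)
CRLS_ONLINE = {"http://cdp.example.test/ca.crl": CRL("CN=Example CA", FRESH, {0x1001})}
fetch_stub = lambda url: CRLS_ONLINE.get(url)  # None models a failed connection
```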