    Configuring Certificate Revocation Lists (NSM Procedure)

    A certificate revocation list (CRL) identifies certificates that the issuing CA has declared invalid before their expiry date. To view the CRLs available on a device, select VPN Settings > CRLs in the device navigation tree. To obtain a CRL file (.crl), contact the CA that issued the local certificate and CA certificate for the device, then use this file to create a Certificate Revocation List object.
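Before turning the .crl file from the CA into a CRL object, it is worth confirming that the file is the one you expect: issued by the same CA that issued the device's local certificate, correctly signed by that CA, and not already past its next-update time (a stale CRL is installed without complaint but no longer reflects current revocations). The script below is an added example, not part of this NSM guide and not Juniper code. It uses the Python `cryptography` library and builds a throwaway CA, two device certificates and a CRL in memory, all constructed test material, so it runs offline; in real use you would load the CA certificate and the .crl file from disk instead of calling `make_test_material()`.

```python
"""Sanity-check a CA-issued CRL before creating an NSM CRL object from it.

Added example (not Juniper/NSM code).  Uses the `cryptography` library and
constructs a throwaway CA, two device certificates and a CRL in memory so it
runs offline.  In practice load the CA certificate and the .crl file instead.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Fixed clock so the demo is deterministic (constructed value).
NOW = datetime.datetime(2013, 1, 2, tzinfo=datetime.timezone.utc)


def make_test_material():
    """Constructed CA, two device certs (serial 4242 revoked) and a DER CRL."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Lab CA")])

    def issue(cn, serial, key, is_ca):
        builder = (
            x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_name)
            .public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        )
        return builder.sign(ca_key, hashes.SHA256())

    ca_cert = issue("Example Lab CA", 1, ca_key, True)
    revoked_dev = issue("fw1.example.lab", 4242, rsa.generate_private_key(65537, 2048), False)
    good_dev = issue("fw2.example.lab", 4243, rsa.generate_private_key(65537, 2048), False)

    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(4242)
        .revocation_date(NOW)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .build()
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_name)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=7))  # CRL is stale after this
        .add_revoked_certificate(entry)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_cert, revoked_dev, good_dev, crl.public_bytes(serialization.Encoding.DER)


def crl_next_update(crl):
    """Next-update time as an aware UTC datetime, across cryptography versions."""
    value = getattr(crl, "next_update_utc", None)  # cryptography >= 42
    if value is None:
        value = crl.next_update  # older releases return a naive UTC datetime
        if value is not None:
            value = value.replace(tzinfo=datetime.timezone.utc)
    return value


def check_crl(crl_der, ca_cert, device_cert, now=NOW):
    """Report whether the CRL is usable for this CA and whether it lists device_cert."""
    crl = x509.load_der_x509_crl(crl_der)
    next_update = crl_next_update(crl)
    result = {
        "issuer_matches_ca": crl.issuer == ca_cert.subject,
        "issuer_matches_device_cert": crl.issuer == device_cert.issuer,
        "signature_valid": crl.is_signature_valid(ca_cert.public_key()),
        "expired": next_update is not None and next_update < now,
        "device_cert_revoked": False,
        "reason": None,
    }
    entry = crl.get_revoked_certificate_by_serial_number(device_cert.serial_number)
    if entry is not None:
        result["device_cert_revoked"] = True
        try:
            result["reason"] = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
        except x509.ExtensionNotFound:
            result["reason"] = "unspecified"
    result["usable"] = (
        result["issuer_matches_ca"]
        and result["issuer_matches_device_cert"]
        and result["signature_valid"]
        and not result["expired"]
    )
    return result


def run_demo():
    """Fresh CRL against a revoked and a non-revoked device cert, plus a stale-CRL check."""
    ca_cert, revoked_dev, good_dev, crl_der = make_test_material()
    revoked = check_crl(crl_der, ca_cert, revoked_dev)
    good = check_crl(crl_der, ca_cert, good_dev)
    stale = check_crl(crl_der, ca_cert, good_dev, now=NOW + datetime.timedelta(days=30))
    return revoked, good, stale


if __name__ == "__main__":
    for label, report in zip(("revoked", "good", "stale"), run_demo()):
        print(label, report)
```

The three conditions folded into `usable` are the ones that matter before installing: an issuer mismatch means the file belongs to a different CA than the device's certificates (the page notes a CRL object can be shared only among devices whose certificates come from that CA), a bad signature means the file was altered or came from the wrong source, and a next-update time in the past means the CA has since published a newer list that should be fetched instead.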

    You must install the CRL on the managed device using NSM before you can use a CRL to check for revoked certificates in your VPN. Because the CRL is an object, however, you can use the same CRL for multiple devices, as long as those devices use local and CA certificates that were issued by that CA. After you have received a CRL, you can use the CRL object in your VPN. For details on configuring a certificate revocation list object, see Unresolved xref.

    You must manually contact your CA, obtain a CRL, and create a certificate revocation list object. Then, add the CRL to the device and install it on the device:

    1. Open the device configuration and select VPN Settings > CRLs. Click the Add icon and add the Certificate Revocation List object. Close the device configuration.
    2. Right-click the device and select Certificates > Update CRL. This directive uses the information in the management system to update the information on the physical system. A Job Manager window appears to display job information and job progress.

      Note: For devices running ScreenOS 5.x, you must install a TFTP server on the NSM device server. The device server automatically uses TFTP to load the CRL onto your managed devices. For more information about creating a TFTP server on the device server, see the Network and Security Manager Installation Guide.

    3. When the job is complete, close the Job Manager window.

    For devices running ScreenOS 5.1 and later, the device server automatically uses Secure Server Protocol (SSP) (the protocol used for the management connection) to load CRLs.

    To view the CRL, double-click the device configuration and select VPN Settings > CRL.

    Published: 2013-01-02