Verifying CRLs

You can control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. Both the offline and online digital certificate processes enable you to verify CRLs.

To verify CRLs in the offline certificate process, you must copy CRL files that are published by CAs to the ERX router. Using the ipsec crl command, you can control how the router handles CRLs during negotiation of IKE phase 1 signature authentication.

In the online certificate method you use the crl command to control CRL verification. The router uses HTTP to support CRL verification when the CRL distribution point that appears in the certificate has an http://name Uniform Resource Indicator (URI) format.

The ipsec crl and crl commands have three possible settings:

• Ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting.
• Optional—If the router finds a valid CRL, the router uses it.
• Required—Requires a valid CRL, and the certificates belonging to the E-series router or the peer must not appear in the CRL; this is the strictest setting.

Based on the CRL setting, you can expect the phase 1 IKE negotiations to succeed or fail depending on the following conditions:

• CRL OK—The certificate revocation list is present for the CA and valid (not expired).
• CRL expired—The CRL is present on the ERX router but is expired.
• Missing CRL—There is no CRL on the router for the CA.
• Peer Cert revoked—The CRL contains the peer certificate.
• ERX Cert revoked—The CRL contains the E-series router's certificate.

Table 16 presents how the CRL setting affects the outcome of IKE phase 1 negotiations. It lists common problem conditions such as ERX Cert revoked.

Table 16: Outcome of IKE Phase 1 Negotiations

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.