
Configuring the Certificate Revocation List

A certificate revocation list (CRL) contains a list of digital certificates that have been canceled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL.

CRLs issued by Entrust, VeriSign, and Microsoft are compatible with the J-series Services Routers and with the AS and MultiServices PICs installed in M-series and T-series routing platforms.

Note: By default, certificate revocation list verification is enabled. You can disable CRL verification by including the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level.

To configure the CA certificate revocation list, include the following statements at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level:

[edit security pki ca-profile ca-profile-name revocation-check]
crl {
    disable on-download-failure;
    refresh-interval number-of-hours;
    url {
        url-name;
        password;
    }
}

Note: If you manually download the CRL, you must install it manually on the routing platform. Issue the operational mode command request security pki crl load ca-profile ca-profile-name filename path/filename. For more information, see the JUNOS System Basics and Services Command Reference.
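The following Python model is an added example, not JUNOS code or anything from the original page. It walks through the revocation decision described above and shows how the statements in the crl hierarchy change the outcome. It assumes that disable on-download-failure means a certificate is accepted when no CRL can be obtained, and that a CRL past its next-update time is treated like a failed download; all names and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Crl:
    this_update: datetime          # when the CA issued this CRL
    next_update: datetime          # when the CA promises the next one
    revoked: FrozenSet[int]        # serial numbers of revoked certificates


@dataclass(frozen=True)
class Policy:
    check_enabled: bool = True                # False models "revocation-check disable"
    accept_on_download_failure: bool = False  # True models "crl disable on-download-failure"
    refresh_interval_hours: int = 24          # models "refresh-interval"


def needs_refresh(last_download: datetime, policy: Policy, now: datetime) -> bool:
    """True once refresh_interval_hours have passed since the last download."""
    return now - last_download >= timedelta(hours=policy.refresh_interval_hours)


def check_revocation(serial: int, crl: Optional[Crl], policy: Policy,
                     now: datetime) -> Tuple[bool, str]:
    """Decide on a certificate whose signature and validity already passed."""
    if not policy.check_enabled:
        return True, "revocation check disabled"
    # Assumption: a CRL past next_update is treated like a failed download.
    if crl is None or not (crl.this_update <= now < crl.next_update):
        if policy.accept_on_download_failure:
            return True, "no current CRL, accepted (fail-open)"
        return False, "no current CRL, rejected (fail-closed)"
    if serial in crl.revoked:
        return False, "serial is on the CRL"
    return True, "serial is not on the CRL"


# Constructed sample data, not taken from a real CA.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = Crl(NOW - timedelta(hours=6), NOW + timedelta(hours=18),
                 frozenset({0x1A2B, 0x3C4D}))

if __name__ == "__main__":
    fail_open = Policy(accept_on_download_failure=True)
    for serial, crl, pol in [(0x1A2B, SAMPLE_CRL, Policy()), (0x1A2B, None, fail_open)]:
        print(hex(serial), check_revocation(serial, crl, pol, NOW))
```

In this model the revoked serial is rejected while the CRL is available but accepted under the fail-open policy when it is not, so CRL download failures on a profile configured that way are worth monitoring.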

This section contains the following topics:

