
Configuring a Certificate Revocation List

A certificate revocation list (CRL) is a list, published by the certificate authority (CA), of digital certificates that the CA has revoked before their expiration date. When a participating peer receives a digital certificate, it verifies the certificate signature and validity period, retrieves the most recently issued CRL, and checks that the certificate serial number does not appear on that CRL. A certificate that passes the signature and validity checks but is listed on the CRL is rejected.

Note: By default, certificate revocation list verification is enabled. To disable CRL verification, include the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. With CRL verification disabled, a certificate that the CA has revoked is still accepted as long as its signature and validity period verify.

By default, if the router cannot reach the Lightweight Directory Access Protocol (LDAP) URL for the CRL or cannot retrieve a valid certificate revocation list, certificate verification fails and the IPSec tunnel is not established; that is, the check fails closed. To override this behavior and permit authentication of the IPSec peer when the CRL cannot be downloaded, include the disable on-download-failure statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level. Be aware that this makes the check fail open: anyone who can keep the router from reaching the CRL server (for example, by blocking the LDAP connection) can cause a revoked certificate to be accepted. Use it only where tunnel availability outweighs that risk.

To use the CA certificate revocation list, you include statements at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. For details, see the JUNOS System Basics Configuration Guide.
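The following configuration, added here as an example and not taken from the original page or from Juniper, shows the three revocation-check settings described above side by side: the default fail-closed check, the fail-open override, and CRL checking disabled entirely. The CA profile names, the ca-identity statement, and the crl url statement with its LDAP address are assumptions made for illustration; the page itself documents only the revocation-check, disable, and disable on-download-failure statements.

```junos
security {
    pki {
        /* Recommended: CRL check on, fail closed (the default).
           If the CRL cannot be fetched from the URL, peer
           authentication fails and the IPSec tunnel is not built.
           Profile name, ca-identity and url are assumed values. */
        ca-profile corp-ca {
            ca-identity corp-ca;
            revocation-check {
                crl {
                    url ldap://ldap.example.net/cn=corp-ca,o=example?certificateRevocationList;
                }
            }
        }
        /* Fail-open variant: the CRL is still consulted when it can
           be downloaded, but the peer is authenticated anyway when
           the download fails. Blocking the router's path to the
           LDAP server lets a revoked certificate through. */
        ca-profile corp-ca-failopen {
            ca-identity corp-ca;
            revocation-check {
                crl {
                    url ldap://ldap.example.net/cn=corp-ca,o=example?certificateRevocationList;
                    disable on-download-failure;
                }
            }
        }
        /* No revocation checking at all: a revoked certificate is
           accepted whenever its signature and validity period verify. */
        ca-profile corp-ca-nocrl {
            ca-identity corp-ca;
            revocation-check {
                disable;
            }
        }
    }
}
```

Only one of these profiles would normally be referenced by an IKE policy; they are shown together so the difference between the fail-closed default and the two weaker settings is visible in one place. After committing, a failed CRL download under the first profile shows up as a certificate verification failure and a tunnel that does not come up, which is the intended outcome.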
