Technical Documentation

Configuring a Certificate Revocation List

A certificate revocation list (CRL) contains a list of digital certificates that have been canceled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL. By default, CRL verification is enabled on any CA profile running on JUNOS Release 8.1 or later. To disable CRL verification, include the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level.

To specify the URL for the Lightweight Directory Access Protocol (LDAP) server where your CA stores its current CRL, include the url statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level. If the LDAP server requires a password to access the CRL, include the password statement at the [edit security pki ca-profile ca-profile-name revocation-check crl url] hierarchy level.

Note: You do not need to specify a URL for the LDAP server if the certificate includes a certificate distribution point (CDP). The CDP is a field within the certificate that contains information about how to retrieve the CRL for the certificate. The router uses this information to download the CRL automatically. Any LDAP URL you configure takes precedence over the CDP included in the certificate.

If you manually downloaded the CRL, you must manually install it on the router. To manually install the CRL, issue the request security pki crl load ca-profile ca-profile-name filename path/filename command.

To configure the time interval between CRL updates, include the refresh-interval statement at the [edit security ca-profile ca-profile-name revocation-check crl] hierarchy level.

To override the default behavior and permit IPSec peer authentication to continue when the CRL fails to download, include the disable on-download-failure statement at the [edit security ca-profile ca-profile-name revocation-check crl] hierarchy level.

[edit security pki ca-profile ca-profile-name]revocation-check {disable;crl {disable on-download-failure; refresh-interval number-of-hours { # The range is 0 through 8784 hours.url { url-name;password;}}}}

Published: 2010-04-15