revocation-check
Syntax
revocation-check {
    disable;
    crl {
        refresh-interval number-of-hours;
        url {
            url-name;
        }
    }
}
Hierarchy Level
[edit security pki ca-profile ca-profile-name]
Description
Specify the method to verify revocation status of digital certificates for J Series Services Routers and Adaptive Services (AS) and MultiServices PICs installed in M Series and T Series routers.
Options
disable—Disable verification of the status of digital certificates. Use disable temporarily in cases where a certificate authority (CA) server is unreachable and the certificate cannot be renewed, or if the certificate download fails.
crl—Only certificate revocation list (CRL) is supported. A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made available to the participating IPsec peers on a regular periodic basis. By default, crl is enabled.
The PKID process might fail after RG0 failover on the new node, causing all the IPsec VPNs using the public key infrastructure (PKI) to go down when:
    A local certificate used for IPsec VPN is revoked by the Certificate Authority (CA).
    Certificate revocation list (CRL) check is disabled.
    CRL is not cleared.
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.1.
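Because disable is meant to be temporary, an audit of exported configuration can show where it was left in place. The following is an added example, not part of the Junos documentation: a Python check over configuration text in "display set" form. The profile names, the URL, and the function names are constructed for illustration, and letting disable take precedence when both options appear is an assumption of this example.

```python
import re

# Constructed sample in "display set" form; profile names and the URL are made up.
SAMPLE_CONFIG = """\
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca revocation-check crl refresh-interval 24
set security pki ca-profile corp-ca revocation-check crl url http://crl.example.test/corp-ca.crl
set security pki ca-profile lab-ca ca-identity lab-ca
set security pki ca-profile lab-ca revocation-check disable
set security pki ca-profile partner-ca ca-identity partner-ca
"""

STMT_RE = re.compile(r"^set security pki ca-profile (\S+)(?:\s+(.*))?$")


def audit_revocation_check(config_text):
    """Map each ca-profile name to its revocation-check settings."""
    report = {}
    for raw in config_text.splitlines():
        match = STMT_RE.match(raw.strip())
        if not match:
            continue
        name, rest = match.group(1), (match.group(2) or "").split()
        # A profile with no revocation-check statement keeps the default (crl).
        entry = report.setdefault(
            name, {"status": "crl-default", "refresh_hours": None, "url": None})
        if rest[:1] != ["revocation-check"]:
            continue
        if rest[1:2] == ["disable"]:
            entry["status"] = "disabled"  # assumption: disable wins over crl
        elif rest[1:2] == ["crl"]:
            if entry["status"] != "disabled":
                entry["status"] = "crl"
            if rest[2:3] == ["refresh-interval"] and len(rest) > 3:
                entry["refresh_hours"] = int(rest[3])
            elif rest[2:3] == ["url"] and len(rest) > 3:
                entry["url"] = rest[3]
    return report


def disabled_profiles(config_text):
    """Names of profiles where revocation checking is switched off."""
    return sorted(name for name, entry in audit_revocation_check(config_text).items()
                  if entry["status"] == "disabled")


if __name__ == "__main__":
    for name, entry in audit_revocation_check(SAMPLE_CONFIG).items():
        print(name, entry)
```

A profile reported as crl-default has no revocation-check statement and relies on crl being enabled by default; one reported as crl with no url has no CRL location set in the profile itself.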