Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

revocation-check (Security PKI)

Syntax

Hierarchy Level

Description

Specify the method the device uses to verify the revocation status of digital certificates.

Options

crl

Only certificate revocation list (CRL) is supported. A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made available to the participating IPsec peers on a regular periodic basis.

You should also specify the location (URL) to retrieve the CRL (HTTP or LDAP). By default, the URL is empty and uses CDP information embedded in the CA certificate.

For Example: set security pki ca-profile ms-ca revocation-check crl url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl

The URL can include the server-name or port information such as, ldap://<ip-or-fqdn>:<port>). If the port number is missing, HTTP uses port 80, or LDAP uses port 443. Currently, you can configure only one URL. We do not support for configuring backup URL.

By default, crl is enabled. Local certificates are being validated against certificate revocation list (CRL) even when CRL check is disabled. This can be stopped by disabling the CRL check through the Public Key Infrastructure (PKI) configuration. When CRL check is disabled, PKI will not validate local certificate against CRL.

disable

Disable verification of status of digital certificates.

oscp

Configure Online Certificate Status Protocol (OCSP) to check the revocation status of a certificate.

use-crl

Specify the CRL as the method to check the revocation status of a certificate. CRL is the default method.

When you enable this option, you choose CRL as a method to verify the revocation status of digital certificates.

use-ocsp

Specify the Online Certificate Status Protocol (OCSP) as the method to check the revocation status of a certificate. CRL is the default method.

When you enable this option, you choose OCSP as a method to verify the revocation status of digital certificates.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5. Support for ocsp, use-crl, and use-ocsp options added in Junos OS Release 12.1X46-D20.