Enabling CRL Checking - Avaya VPNmanager Release 3.7 Configuration Manual

Release 3.7
Configuring VPN objects

Enabling CRL checking

For certificate-based VPNs that use IKE negotiation, a security gateway (VSU) must verify the
certificate presented by its peer VSU. When Certificate Revocation List (CRL) checking is enabled,
the VSU validates the CRL that it downloads from VPNmanager by checking it against the Certificate
Authority (CA) certificate, and then checks the peer certificate against the validated CRL. If the
peer certificate is listed in the CRL as revoked, the IKE negotiation is cancelled.
To manually install a CRL into Directory Server from the CA's LDAP server:
1. From the CA's LDAP server, obtain the CRL that is associated with your installed issuer
certificate.
2. Save the CRL as crl content.txt.
3. Open the crl content.txt file to extract the necessary CRL information.
4. Locate the dn header with the organization unit (ou) that corresponds to the CRL. For
example, dn: ou=vpnet VSU, o=Avaya Inc., c=US
5. Locate the paragraphs starting with cacertificate;binary and
certificaterevocationlist;binary. For example,
cacertificate;binary::MIICKzCCAZSgAwIBAgIQRTP4LaWmlSRKYLv86Cphk
.
.
.
ygPDgMZlQq4oQoNyy26HRAV0yJ==
certificaterevocationlist;binary::MIIC2zCCAkQwDQYJKoZIhvcNAQEEBQAw
6. Copy the cacertificate;binary and certificaterevocationlist;binary paragraphs to a
new file.
7. Save the new file as crl.ldif.
8. Add a certificate dn header and an objectclass line to the crl.ldif file. Use the following
format:
dn: cacertificate=IssuerCRL, ou=VPN Domain, o=DNS Domain
objectclass: certificationAuthority
Note:
dn specifies where the CRL file is filed in the directory.
156 Avaya VPNmanager Configuration Guide Release 3.7
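As an added worked example (this is not code from the Avaya guide or from VPNmanager), the following Python script automates the extraction and file-building part of the procedure above: it parses the LDIF export saved from the CA's LDAP server, pulls the cacertificate;binary and certificaterevocationlist;binary values from the entry with the given dn, checks that each decoded blob is a complete DER SEQUENCE (so a truncated copy-and-paste is caught on the workstation rather than as a failed IKE negotiation on the VSU), and emits the crl.ldif entry with the dn header and objectclass line the manual specifies. The sample export and the two DER blobs are constructed toy data, not a real certificate or CRL; the function names and the VPN-domain and DNS-domain values passed to build_crl_ldif are the author's own assumptions.

```python
"""Build crl.ldif from a CA LDAP export, with DER completeness checks."""
import base64
import re

# Constructed sample standing in for "crl content.txt" as exported from the CA's
# LDAP server. The two binary values are toy DER SEQUENCEs, NOT a real X.509
# certificate or CRL; a real export carries full DER here.
TOY_CA_CERT_DER = bytes.fromhex("30 03 02 01 05")
TOY_CRL_DER = bytes.fromhex("30 06 02 01 07 02 01 09")
SAMPLE_EXPORT = (
    "dn: ou=vpnet VSU, o=Avaya Inc., c=US\n"
    "objectclass: organizationalUnit\n"
    "cacertificate;binary:: " + base64.b64encode(TOY_CA_CERT_DER).decode() + "\n"
    "certificaterevocationlist;binary:: "
    + base64.b64encode(TOY_CRL_DER).decode() + "\n"
    "\n"
    "dn: ou=unrelated, o=Avaya Inc., c=US\n"
    "objectclass: organizationalUnit\n"
)

LDIF_LINE = re.compile(r"^([^:]+)(::?) ?(.*)$")


def _norm_dn(dn):
    """Loose DN comparison: case-insensitive, whitespace after commas ignored."""
    if isinstance(dn, bytes):
        dn = dn.decode("utf-8")
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    '::' values are base64 (RFC 2849) and are returned decoded as bytes;
    continuation lines (leading space) are unfolded before parsing.
    """
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        unfolded = []
        for raw in block.splitlines():
            if raw.startswith(" ") and unfolded:
                unfolded[-1] += raw[1:]          # fold continuation onto previous line
            elif raw and not raw.startswith("#"):
                unfolded.append(raw)
        entry = {}
        for line in unfolded:
            m = LDIF_LINE.match(line)
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value, validate=True)
            entry.setdefault(name, []).append(value)
        entries.append(entry)
    return entries


def der_sequence_length(blob):
    """Total byte length that a DER SEQUENCE header claims for the whole object."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def extract_issuer_material(export_text, issuer_dn):
    """Return (ca_cert_der, crl_der) from the export entry whose dn is issuer_dn.

    Each blob must be a complete DER SEQUENCE; a truncated paste is rejected.
    """
    wanted = _norm_dn(issuer_dn)
    for entry in parse_ldif(export_text):
        if entry.get("dn") and _norm_dn(entry["dn"][0]) == wanted:
            break
    else:
        raise LookupError("no entry with dn %r" % issuer_dn)
    blobs = []
    for attr in ("cacertificate;binary", "certificaterevocationlist;binary"):
        values = entry.get(attr)
        if not values:
            raise LookupError("entry %r has no %s" % (issuer_dn, attr))
        blob = values[0]
        declared = der_sequence_length(blob)
        if declared != len(blob):
            raise ValueError("%s: DER declares %d bytes, got %d (truncated?)"
                             % (attr, declared, len(blob)))
        blobs.append(blob)
    return tuple(blobs)


def fold_ldif_line(line, width=76):
    """Wrap a long LDIF line; continuation lines start with one space (RFC 2849)."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def build_crl_ldif(ca_cert_der, crl_der, vpn_domain, dns_domain):
    """Produce crl.ldif text: dn header, objectclass, then the two binary values.

    vpn_domain and dns_domain fill the 'VPN Domain' and 'DNS Domain' placeholders
    of the dn header shown in the manual (assumed to name your own domains).
    """
    lines = [
        "dn: cacertificate=IssuerCRL, ou=%s, o=%s" % (vpn_domain, dns_domain),
        "objectclass: certificationAuthority",
        fold_ldif_line("cacertificate;binary:: "
                       + base64.b64encode(ca_cert_der).decode()),
        fold_ldif_line("certificaterevocationlist;binary:: "
                       + base64.b64encode(crl_der).decode()),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python build_crl_ldif.py > crl.ldif (sample data; assumed file name)
    ca, crl = extract_issuer_material(SAMPLE_EXPORT, "ou=vpnet VSU, o=Avaya Inc., c=US")
    print(build_crl_ldif(ca, crl, "VPN Domain", "DNS Domain"), end="")
```

The DER length check is the part worth keeping even if you do the rest by hand: the manual's example shows the base64 elided with dots, and a certificate or CRL that loses its tail in a copy still decodes as valid base64, so only the declared-versus-actual length comparison reveals the damage before the entry is loaded into Directory Server.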