Nortel Vpn Gateway; User Guide - Nortel NN46120-104 User Manual


120 Certificates and Client Authentication
4
Automatic CRL Retrieval
Automatic CRL retrieval lets you configure access to a server that holds
CRLs (certificate revocation lists) and retrieve those lists at regular
intervals, which automates the task of keeping the CRL up to date.
You can use LDAP, HTTP, or TFTP to retrieve CRLs from the appropriate
server (for LDAP, the server must support LDAP v3). When using LDAP,
a bind operation to the specified LDAP server is performed each time a
CRL retrieval occurs. The bind operation uses the specified distinguished
name and password. Directly after a successful bind operation, a search
for the CRL attribute specified in the URL is performed on the LDAP
server. For more information about the implementation details behind
these operations, see RFC 2251.
Step
1
Copyright © 2007-2008 Nortel Networks
Or, for a CRL in hexadecimal format, list the serial numbers
by their hexadecimal values below the HEX ASCII revocation
paragraph. For example:
# CRL for CA certificate 1
# Issued first: 2005-01-01
# Last update: 2005-02-01
HEX ASCII revocation
1F4
1F5
24E
Save the file, and upload it to a TFTP/FTP/SCP/SFTP server
that can be accessed from your VPN Gateway(s).
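Added example, not from the Nortel manual: a pre-upload check for a revocation file in the hexadecimal format shown above, which reports malformed or repeated entries by line number. Treating # lines as comments, ignoring blank lines and accepting lower-case hex digits are assumptions, and the function names are hypothetical.

```python
import re

HEADER = "HEX ASCII revocation"          # header line as shown in the manual's example
HEX_SERIAL = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample in the layout of the manual's example, with two
# deliberate mistakes added: a non-hex entry and a repeated serial.
SAMPLE = """\
# CRL for CA certificate 1
# Last update: 2005-02-01
HEX ASCII revocation
1F4
1F5
24E
0x24F
1f4
"""

def parse_hex_crl(text):
    """Return (serials, problems): a set of ints and a list of (line_no, message)."""
    serials, problems, seen_header = set(), [], False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' lines are comments
            continue
        if not seen_header:
            if line == HEADER:
                seen_header = True
            else:
                problems.append((line_no, f"expected '{HEADER}' before serials"))
            continue
        if not HEX_SERIAL.match(line):
            problems.append((line_no, f"not a bare hex serial: {line!r}"))
            continue
        value = int(line, 16)
        if value in serials:
            problems.append((line_no, f"duplicate serial {value:X}"))
        serials.add(value)
    if not seen_header:
        problems.append((0, "header line missing"))
    return serials, problems

def is_revoked(serial, serials):
    return serial in serials   # serial: certificate serial number as an int

if __name__ == "__main__":
    for line_no, message in parse_hex_crl(SAMPLE)[1]:
        print(f"line {line_no}: {message}")
```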
Note:
When enabling automatic retrieval of certificate revocation lists,
any existing revocation list is overwritten.
Action
Specify the URL from which the CRL should be
retrieved.
This step sets the complete URL for retrieving a CRL using
LDAP, HTTP, or TFTP. If you are not using the default TCP port
of the respective protocol, the TCP port number must also be
included in the URL.
If you want to retrieve CRLs from an LDAP server, you need
to provide the distinguished name of the specific object on the
LDAP server, together with the attribute that holds the CRL (all in

Nortel VPN Gateway

NN46120-104 02.01 Standard
14 April 2008
--End--

User Guide
