Certificate; Enable CRL Checking; Server - Cisco VPN 3000 User Manual


serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate
for authentication, it also checks the latest CRL to ensure that the certificate has not been revoked.
CAs use LDAP databases to store and distribute CRLs. They may also use other means, but the VPN
Concentrator relies on LDAP access.
Since the system has to fetch and examine the CRL from a network distribution point, enabling CRL
checking may slow system response times. Also, if the network is slow or congested, CRL checking may
fail.
Many certificates include the location of the CRL distribution point. View the certificate to determine
its presence. If the CRL distribution point is present in the certificate in the proper format, you need not
configure any fields below the checkbox on this screen.
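
One way to make this check outside the Concentrator, as an added example that is not from the Cisco guide: it reads a certificate's CRL Distribution Points extension with the Python cryptography package and reports whether the fields below the checkbox would be needed. It assumes that "proper format" means an ldap:// URI; the function names, the sample certificates and the example.test URIs are constructed for illustration.

```python
# Added example (not Cisco code). Requires the third-party "cryptography" package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

LDAP_URI = "ldap://ldap.example.test/cn=Example%20Test%20CA?certificateRevocationList"

def crl_dp_uris(cert):
    """Return every URI named in the CRL Distribution Points extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [name.value
            for dp in ext.value
            for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]

def crl_fields_needed(cert):
    """Assumption: 'proper format' means the extension carries an ldap:// URI."""
    uris = crl_dp_uris(cert)
    if any(u.lower().startswith("ldap://") for u in uris):
        return "none: LDAP distribution point is in the certificate"
    if uris:
        return "manual: distribution point present, but not LDAP"
    return "manual: no distribution point in the certificate"

def make_sample_cert(dp_uris):
    """Constructed self-signed test certificate; name and URIs are made up."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=30)))
    if dp_uris:
        points = [x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(u)],
                                         relative_name=None, reasons=None, crl_issuer=None)
                  for u in dp_uris]
        builder = builder.add_extension(x509.CRLDistributionPoints(points), critical=False)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    for uris in ([LDAP_URI], ["http://crl.example.test/ca.crl"], []):
        print(uris, "->", crl_fields_needed(make_sample_cert(uris)))
```

For a real certificate, load it with x509.load_pem_x509_certificate() and pass the result to crl_fields_needed().
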
Figure 14-40: Administration | Certificate Management | Certificates | CRL screen

Certificate

The certificate for which you are configuring CRL checking. This is the name in the Subject field of the
Certificate Authorities table on the Administration | Certificate Management | Certificates screen.

Enable CRL Checking

Check this box to enable CRL checking on all certificates issued by this CA under its root. The box is
not checked by default.
If this certificate does not include CRL Distribution Point information, you must configure the fields that
follow. Otherwise, ignore them. Contact the security administrator at the CA to get the proper entries for
these fields.

Server

Enter the IP address or hostname of the CRL distribution point server (LDAP server). Maximum 32
characters.

VPN 3000 Concentrator Series User Guide