How to Handle a Certificate Revocation
List
A certificate revocation list (CRL) contains outdated or compromised certificates from a Certificate Authority. You have four ways to handle CRLs.
-
You must instruct IKE to ignore CRLs if your CA organization does not issue CRLs. This option is shown in Step 6 in How to Configure IKE With Certificates Signed by a CA.
-
You can instruct IKE to access the CRLs from a URI (uniform resource indicator) whose address is embedded in the public key certificate from the CA.
-
You can instruct IKE to access the CRLs from an LDAP server whose DN (directory name) entry is embedded in the public key certificate from the CA.
-
You can provide the CRL as an argument to the ikecert certrldb command. For an example, see Example 23–7.
The following procedure describes how to instruct IKE to use CRLs from a central distribution point.
-
Display the certificate that you received from the CA.
# ikecert certdb -lv certspec
- -l
-
Lists certificates in the IKE certificate database.
- -v
-
Lists the certificates in verbose mode. Use this option with care.
- certspec
-
Is a pattern that matches a certificate in the IKE certificate database.
For example, the following certificate was issued by Sun Microsystems. Details have been altered.
# ikecert certdb -lv example-protect.sun.com Certificate Slot Name: 0 Type: dsa-sha1 (Private key in certlocal slot 0) Subject Name: <O=Sun Microsystems Inc, CN=example-protect.sun.com> Issuer Name: <CN=Sun Microsystems Inc CA (Cl B), O=Sun Microsystems Inc> SerialNumber: 14000D93 Validity: Not Valid Before: 2002 Jul 19th, 21:11:11 GMT Not Valid After: 2005 Jul 18th, 21:11:11 GMT Public Key Info: Public Modulus (n) (2048 bits): C575A…A5 Public Exponent (e) ( 24 bits): 010001 Extensions: Subject Alternative Names: DNS = example-protect.sun.com Key Usage: DigitalSignature KeyEncipherment [CRITICAL] CRL Distribution Points: Full Name: URI = #Ihttp://www.sun.com/pki/pkismica.crl#i DN = <CN=Sun Microsystems Inc CA (Cl B), O=Sun Microsystems Inc> CRL Issuer: Authority Key ID: Key ID: 4F … 6B SubjectKeyID: A5 … FD Certificate Policies Authority Information AccessNotice the CRL Distribution Points entry. The URI entry indicates that this organization's CRL is available on the web. The DN entry indicates that the CRL is available on an LDAP server. Once accessed by IKE, the CRL is cached for further use.
To access the CRL, you need to reach a distribution point.
-
Choose one of the following methods to access the CRL from a central distribution point.
-
Add the keyword use_http to the host's /etc/inet/ike/config file. For example, the ike/config file would appear similar to the following:
# Use CRL from organization's URI use_http …
-
Add the keyword proxy to the ike/config file. The proxy keyword takes a URL as an argument, as in the following:
# Use own web proxy proxy "http://proxy1:8080"
-
Name the LDAP server as an argument to the ldap-list keyword in the host's /etc/inet/ike/config file. Your organization provides the name of the LDAP server. The entry in the ike/config file would appear similar to the following:
# Use CRL from organization's LDAP ldap-list "ldap1.sun.com:389,ldap2.sun.com" …
IKE retrieves the CRL and caches the CRL until the certificate expires.
-
Example 23–7 Pasting a CRL Into the Local certrldb Database
If the PKI organization's CRL is not available from a central distribution point, you can add the CRL manually to the local certrldb database. Follow the PKI organization's instructions for extracting the CRL into a file, then add the CRL to the database with the ikecert certrldb -a command.
# ikecert certrldb -a < Sun.Cert.CRL |
- © 2010, Oracle Corporation and/or its affiliates