A Certificate Revocation List (CRL) is the list that a Certificate Authority publishes of certificates it has revoked before their expiry date, for example because the private key was compromised. IKE must be told where to find the CRL, or told not to look for one. You have four ways to handle CRLs.
If your CA organization does not issue CRLs, you can instruct IKE to ignore CRLs in your /etc/inet/ike/config file. This option was shown in How to Configure IKE With Public Keys Signed by a Certificate Authority.
IKE can access the CRLs from a URI whose address is embedded in the public key certificate from the CA.
IKE can access the CRLs from an LDAP server whose DN entry is embedded in the public key certificate from the CA. You specify the LDAP server as an argument to the ldap-list keyword in the /etc/inet/ike/config file.
You can provide the CRL as an argument to the ikecert certrldb command.
The following procedure describes how to instruct IKE to use CRLs from a central distribution point.
Display the certificate that you received from the PKI organization by using the ikecert certdb -lv certspec command.
-l        Lists certificates in the IKE certificate database.
-v        Lists the certificates in verbose mode. Use this option with care.
certspec  Match the certspec pattern to a pattern in the certificate.
For example, the following certificate was issued by Sun Microsystems. Details have been altered.
# ikecert certdb -lv example-protect.sun.com
Certificate Slot Name: 0   Type: if-modn
   (Private key in certlocal slot 0)
 Subject Name: <O=Sun Microsystems Inc, CN=example-protect.sun.com>
 Issuer Name: <CN=Sun Microsystems Inc CA (Class B), O=Sun Microsystems Inc>
 SerialNumber: 14000D93
 Validity:
    Not Valid Before: 2002 Jul 19th, 21:11:11 GMT
    Not Valid After:  2005 Jul 18th, 21:11:11 GMT
 Public Key Info:
    Public Modulus  (n) (2048 bits): C575A…A5
    Public Exponent (e) (  24 bits): 010001
 Extensions:
    Subject Alternative Names:
            DNS = example-protect.sun.com
    Key Usage: DigitalSignature KeyEncipherment [CRITICAL]
 CRL Distribution Points:
    Full Name:
       URI = http://www.sun.com/pki/pkismica.crl
       DN = <CN=Sun Microsystems Inc CA (Class B), O=Sun Microsystems Inc>
    CRL Issuer:
    Authority Key ID:
    Key ID: 4F … 6B
    SubjectKeyID: A5 … FD
    Certificate Policies
    Authority Information Access
Notice the CRL Distribution Points data. The URI entry indicates that this organization's Certificate Revocation List is available on the Web. The DN entry indicates that the CRL is also available on an LDAP server. You can use either of these two options; IKE needs only one working source for the CRL.
To use the URI, put the keyword use_http in the host's /etc/inet/ike/config file.
For example, the ike/config file would look like the following:
# Use CRL from organization's URI
use_http
…
IKE retrieves the CRL and caches it until the certificate expires.
If the host reaches the Web through a proxy, you can also use a web proxy by putting the keyword proxy in the ike/config file. proxy takes a URL as an argument, as in the following:
proxy "http://proxy1:8080"
To use LDAP, enter the LDAP server as an argument to the ldap-list keyword in the host's /etc/inet/ike/config file.
Your organization provides the name of the LDAP server. The entry in the ike/config file would look something like the following:
# Use CRL from organization's LDAP
ldap-list "ldap1.sun.com:389,ldap2.sun.com"
…
IKE retrieves the CRL and caches it until the certificate expires.
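The procedure above spreads the CRL settings over several keywords (use_http, proxy, ldap-list, and the ignore-CRLs option mentioned at the start), and a mistake such as a proxy with no use_http, or a CRL source combined with the instruction to ignore CRLs, only shows up when a peer's revoked certificate is accepted. The following is an added example, not code from the Solaris documentation: a small Python lint for the CRL-related lines of an ike/config file, run here over a constructed sample that mirrors the fragments above. It assumes the ignore-CRLs keyword is spelled ignore_crls (as in the ike.config man page; the text above does not spell it out), that an ldap-list entry without a port means the standard LDAP port 389, and that the hypothetical checks it applies are the ones a reviewer would want, not rules enforced by in.iked itself.

```python
"""Lint the CRL-related keywords of an /etc/inet/ike/config file.

Added example, not part of the Solaris IKE documentation. Keyword names
use_http, proxy and ldap-list come from the procedure above; ignore_crls
is assumed from ike.config(4). The checks are this script's own policy.
"""
import re

CRL_KEYWORDS = {"ignore_crls", "use_http", "proxy", "ldap-list"}
DEFAULT_LDAP_PORT = 389  # assumption: omitted port means standard LDAP port

# Constructed sample config, mirroring the fragments in the procedure above.
SAMPLE_CONFIG = """
# Use CRL from organization's URI
use_http
proxy "http://proxy1:8080"
# Use CRL from organization's LDAP
ldap-list "ldap1.sun.com:389,ldap2.sun.com"
"""


def parse_ike_config(text):
    """Return {keyword: value} for the CRL-related keywords in an ike/config.

    Comments start with '#'. A keyword with no argument (use_http,
    ignore_crls) maps to True; quoted arguments have their quotes removed.
    Lines for other keywords are ignored, so the file's other settings do
    not need to be understood here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        if key not in CRL_KEYWORDS:
            continue
        value = parts[1].strip().strip('"') if len(parts) > 1 else True
        settings[key] = value
    return settings


def parse_ldap_list(value):
    """Split an ldap-list argument into (host, port) pairs.

    Raises ValueError if a port is present but not numeric.
    """
    servers = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.partition(":")
        servers.append((host, int(port) if port else DEFAULT_LDAP_PORT))
    return servers


def check_crl_settings(settings):
    """Return a list of human-readable problems with the CRL configuration."""
    problems = []
    sources = {"use_http", "ldap-list"} & settings.keys()

    if "ignore_crls" in settings and sources:
        problems.append("ignore_crls is set together with a CRL source; "
                        "revocation will not be checked")
    if "proxy" in settings:
        if "use_http" not in settings:
            problems.append("proxy is set but use_http is not; the proxy is unused")
        if not re.fullmatch(r"https?://[^/\s]+(/.*)?", str(settings["proxy"])):
            problems.append("proxy must be a URL such as http://proxy1:8080")
    if "ldap-list" in settings:
        try:
            parse_ldap_list(str(settings["ldap-list"]))
        except ValueError:
            problems.append("ldap-list contains a non-numeric port")
    return problems


if __name__ == "__main__":
    cfg = parse_ike_config(SAMPLE_CONFIG)
    print("CRL settings:", cfg)
    print("LDAP servers:", parse_ldap_list(cfg["ldap-list"]))
    print("problems:", check_crl_settings(cfg) or "none")
```

Running the script against the real file (read /etc/inet/ike/config instead of SAMPLE_CONFIG) is a quick pre-flight before restarting in.iked; a configuration that names no CRL source and does not set ignore_crls falls back to whatever was loaded into the local database with ikecert certrldb, which the lint deliberately does not flag.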
The following example shows how to use a CRL that is not available from a central distribution point.
If your organization's certificate does not contain a central distribution point, you can add the organization's CRL manually to the local CRL database. You follow the organization's instructions for extracting the CRL, then add the CRL to the database with the ikecert certrldb -a command, which reads the CRL from standard input:
# ikecert certrldb -a
<Type the Return key.>
<Paste the CRL from the PKI organization.>
<Type the Return key.>
<Type Control-D to enter the CRL into the database.>