Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: January 2019
 
 

How to Handle Revoked Certificates in IKEv1

Revoked certificates are certificates that are compromised for some reason. A revoked certificate that is in use is a security risk. You have options when verifying certificate revocation. You can use a static list or you can verify revocations dynamically over the HTTP protocol. You have four ways to handle revoked certificates.

  • You can instruct IKEv1 to ignore CRLs or OCSP whose uniform resource indicator (URI) is embedded in the certificate. This option is shown in Step 5.

  • You can instruct IKEv1 to access the CRLs or OCSP from a URI whose address is embedded in the public key certificate from the CA.

  • You can instruct IKEv1 to access the CRLs from an LDAP server whose DN (directory name) entry is embedded in the public key certificate from the CA.

  • You can provide the CRL as an argument to the ikecert certrldb command. For an example, see Example 36, Pasting a CRL Into the Local certrldb Database for IKEv1.

Before You Begin

You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Display the certificate that you received from the CA.

    For information about the arguments to the ikecert certdb command, see the ikecert(8) man page.

    For example, the following certificate was issued by a company's PKI. Details have been altered.

    # ikecert certdb -lv cert-protect.example.com
    Certificate Slot Name: 0   Type: dsa-sha256
       (Private key in certlocal slot )
     Subject Name: <O=Example, CN=cert-protect.example.com>
     Issuer Name: <CN=ExampleCo CO (Cl B), O=Example>
     SerialNumber: 14000D93
       Validity:
          Not Valid Before: 2013 Sep 19th, 21:11:11 GMT
          Not Valid After:  2017 Sep 18th, 21:11:11 GMT
       Public Key Info:
          Public Modulus  (n) (2048 bits): C575A...A5
          Public Exponent (e) (  24 bits): 010001
       Extensions:
          Subject Alternative Names:
                  DNS = cert-protect.example.com
          Key Usage: DigitalSignature KeyEncipherment
          [CRITICAL]
       CRL Distribution Points:
          Full Name:
             URI = #Ihttp://www.example.com/pki/pkismica.crl#i
             DN = <CN=ExampleCo CO (Cl B), O=Example>
          CRL Issuer: 
          Authority Key ID:
          Key ID:              4F ... 6B
          SubjectKeyID:        A5 ... FD
          Certificate Policies
          Authority Information Access

      Notice the CRL Distribution Points entry.

    • The URI entry indicates that this organization's CRL is available on the web.

    • The DN entry indicates that the CRL is available on an LDAP server. Once accessed by IKE, the CRL is cached for further use.

    To access the CRL, you need to reach a distribution point.

  2. Choose one of the following methods to access the CRL from a central distribution point.
    • Use the URI.

      Add the keyword use_http to the host's /etc/inet/ike/config file. For example, the ike/config file would appear similar to the following:

      # Use CRL or OCSP from organization's URI
      use_http
      ...
    • Use a web proxy.

      Add the keyword proxy to the ike/config file. The proxy keyword takes a URL as an argument, as in the following:

      # Use web proxy to reach CRLs or OCSP
      proxy "http://proxy1:8080"
    • Use an LDAP server.

      Name the LDAP server as an argument to the ldap-list keyword in the host's /etc/inet/ike/config file. Your organization provides the name of the LDAP server. The entry in the ike/config file would appear similar to the following:

      # Use CRL from organization's LDAP
      ldap-list "ldap1.example.com:389,ldap2.example.com"
      ...

    IKE retrieves the CRL and caches the CRL until the certificate expires.

Example 36  Pasting a CRL Into the Local certrldb Database for IKEv1

If the CA's CRL is not available from a central distribution point, you can add the CRL manually to the local certrldb database. Follow the CA's instructions for extracting the CRL into a file, then add the CRL to the database with the ikecert certrldb -a command.

# ikecert certrldb -a < ExampleCo.Cert.CRL