Configure CRL Certificate Verification

The cert-status-profile element is a container for the information required to access a specific CRL source.

  1. Access the cert-status-profile configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# cert-status-profile
    ORACLE(cert-status-profile)#
  2. name—Provide a unique name for this profile.
  3. type—Select the certificate revocation check method.
    Available values are:
    • OCSP
    • CRL
  4. Specify either the IP address or the hostname of the CRL source.
    • ip-address—Specify the IP address of the CRL source.
    • host-name—Specify the hostname of the CRL source.

    Note:

    If values are provided for both attributes, the OCSBC uses the IP address and ignores the host-name value.
  5. crl-list—Specify the source filepath(s) to one or more requested CRLs.
    For example:
    ORACLE(cert-status-profile)# crl-list /crl/v2/tc_class_3_ca_II.crl
  6. realm-id—Specifies the realm used to request and receive CRLs.
    In the absence of an explicitly configured value, the OCSBC provides a default value of wancom0, specifying CRL-related transmissions across the wancom0 management interface.

    Note:

    If the CRL source is identified by its FQDN, the realm identified by realm-id must be DNS-enabled.
  7. responder-cert—Identify the certificate used to validate the received CRL (the public key of the CRL source).

    Provide the name of the certificate configuration element that contains the certificate used to validate the signed CRL.

  8. retry-count—Specify the maximum number of times to retry a CRL source in the event of connection failure.
    The default is 1.
    • Min: 0
    • Max: 10
  9. dead-time—Specify the quarantine period imposed on an unavailable CRL source.
    The default is 0.
    • Min: 0
    • Max: 3600
  10. crl-update-interval—Specify the interval in seconds between CRL updates.
    The default is 86400.
    • Min: 600
    • Max: 2600000

    CRLs are stored in the /code/crls directory. Outdated or invalid CRLs are overwritten with each newly obtained current CRL.

  11. Type done to save your configuration.
  12. If necessary, configure additional cert-status-profile configuration elements.
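The following ACLI session is an added example that walks through the complete procedure above in one place; it is not taken from the Oracle documentation. The profile name (crl-verify-example), the IP address (192.0.2.10, a documentation address) and the certificate name (crl-signer-cert) are constructed values, and it assumes a certificate configuration element named crl-signer-cert holding the CRL issuer's public key already exists. The CRL path is the one used in step 5.

```text
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)# name crl-verify-example
ORACLE(cert-status-profile)# type CRL
ORACLE(cert-status-profile)# ip-address 192.0.2.10
ORACLE(cert-status-profile)# crl-list /crl/v2/tc_class_3_ca_II.crl
ORACLE(cert-status-profile)# realm-id wancom0
ORACLE(cert-status-profile)# responder-cert crl-signer-cert
ORACLE(cert-status-profile)# retry-count 3
ORACLE(cert-status-profile)# dead-time 300
ORACLE(cert-status-profile)# crl-update-interval 43200
ORACLE(cert-status-profile)# done
ORACLE(cert-status-profile)# exit
ORACLE(security)# exit
ORACLE(configure)# exit
ORACLE#
```

Because ip-address is set, any host-name value would be ignored (step 4), so the DNS requirement on the realm does not apply here. The responder-cert value is what lets the OCSBC reject a CRL whose signature does not verify against the expected issuer key, so it should name the CRL signer's certificate rather than an unrelated record. The 43200-second update interval halves the 86400 default so that a newly published revocation is picked up within twelve hours; the non-zero dead-time keeps a failed source quarantined for five minutes before the next attempt rather than retrying continuously.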