Configure CRL Certificate Verification
The cert-status-profile element is a container for the information required to access a specific CRL source.
- Access the cert-status-profile configuration element.
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)#
- name—Provide a unique name for this profile.
- type—Select the certificate revocation check method. For the CRL-based verification configured in this procedure, select CRL. Available values are:
- OCSP
- CRL
- Specify either the IP address or the hostname of the CRL source.
- ip-address—Specify the IP address of the CRL source.
- host-name—Specify the hostname of the CRL source.
Note:
If values are provided for both attributes, the OCSBC uses the IP address and ignores the host-name value.
- crl-list—Specify the filepath(s), on the CRL source, of one or more CRLs to retrieve.
For example:
ORACLE(cert-status-profile)# crl-list /crl/v2/tc_class_3_ca_II.crl
- realm-id—Specify the realm used to request and receive CRLs. In the absence of an explicitly configured value, the OCSBC provides a default value of wancom0, which sends CRL-related traffic across the wancom0 management interface.
Note:
If the CRL source is identified by its FQDN, the realm identified by realm-id must be DNS-enabled.
- responder-cert—Identify the certificate used to validate received CRLs, that is, the certificate carrying the public key of the CRL signer. Provide the name of the certificate configuration element that contains that certificate; the OCSBC uses it to check the signature on each CRL it obtains.
- retry-count—Specify the maximum number of times to retry a CRL source after a connection failure. The default is 1.
- Min: 0
- Max: 10
- dead-time—Specify the quarantine period, in seconds, imposed on an unavailable CRL source; the source is not contacted again until the period expires. The default is 0 (no quarantine).
- Min: 0
- Max: 3600
- crl-update-interval—Specify the interval, in seconds, between CRL updates. The default is 86400 (one day).
- Min: 600
- Max: 2600000
CRLs are stored in the /code/crls directory. An outdated or invalid CRL is overwritten by each newly obtained current CRL.
- Type done to save your configuration.
- If necessary, configure additional cert-status-profile configuration elements.
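The checks that sit behind responder-cert and crl-update-interval, as an added example that is not part of the Oracle documentation and not the OCSBC's own code: a small CRL consumer written with the Python cryptography package. It verifies a CRL's signature against the responder's certificate, confirms that certificate is permitted to sign CRLs, rejects CRLs outside their thisUpdate/nextUpdate window (the staleness that a periodic update interval exists to avoid), and looks up a certificate serial in the revoked list. The issuer CA (standing in for the responder-cert), the serial numbers, the status strings and the function names (make_issuer, build_crl, validate_crl, is_revoked, demo) are all constructed for this example.

```python
"""Added example, not Oracle SBC code: the checks a CRL consumer applies with a responder
certificate, using the Python cryptography package. Every artefact here is constructed in memory."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _naive_utc(dt):
    """Normalise aware or naive datetimes to naive UTC so comparisons work on any library version."""
    return dt.astimezone(timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def make_issuer(common_name):
    """Constructed self-signed CA whose KeyUsage permits cRLSign; stands in for the responder-cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _naive_utc(datetime.now(timezone.utc))
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(issuer_key, issuer_cert, revoked_serials, last_update, next_update):
    """Sign a CRL listing revoked_serials; nextUpdate is what a consumer uses to judge staleness."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(last_update).next_update(next_update))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(last_update).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())


def _window(crl):
    """(thisUpdate, nextUpdate) as naive UTC; prefers the *_utc accessors added in cryptography 42."""
    last = getattr(crl, "last_update_utc", None)
    if last is None:
        last, nxt = crl.last_update, crl.next_update
    else:
        nxt = crl.next_update_utc
    return _naive_utc(last), (None if nxt is None else _naive_utc(nxt))


def validate_crl(crl, responder_cert, now):
    """Accept a CRL only if the responder cert signed it, may sign CRLs, and its window covers now."""
    if crl.issuer != responder_cert.subject:
        return "issuer-mismatch"
    try:
        if not responder_cert.extensions.get_extension_for_class(x509.KeyUsage).value.crl_sign:
            return "responder-cannot-sign-crls"
    except x509.ExtensionNotFound:
        pass  # no KeyUsage present: rely on the signature check alone
    if not crl.is_signature_valid(responder_cert.public_key()):
        return "bad-signature"  # e.g. a CRL forged under the same issuer name with another key
    last, nxt = _window(crl)
    if now < last:
        return "not-yet-valid"
    if nxt is not None and now > nxt:
        return "stale"  # past nextUpdate: re-fetch from the CRL source instead of trusting a cached copy
    return "ok"


def is_revoked(crl, serial):
    """True when the serial appears in the CRL's revokedCertificates sequence."""
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


def demo():
    """Scenarios a CRL consumer must distinguish; returns each outcome keyed by name."""
    ca_key, ca_cert = make_issuer("Example CRL Issuer CA")        # the configured responder-cert
    rogue_key, rogue_cert = make_issuer("Example CRL Issuer CA")  # same name, different key: a forgery
    _, unrelated_cert = make_issuer("Unrelated CA")               # a responder-cert for some other issuer
    now = _naive_utc(datetime.now(timezone.utc))
    revoked_serial, good_serial = 0x1001, 0x1002                  # constructed serial numbers
    hour, day = timedelta(hours=1), timedelta(days=1)
    fresh = build_crl(ca_key, ca_cert, [revoked_serial], now - hour, now + day)
    stale = build_crl(ca_key, ca_cert, [revoked_serial], now - 3 * day, now - 2 * day)
    forged = build_crl(rogue_key, rogue_cert, [], now - hour, now + day)
    return {
        "fresh": validate_crl(fresh, ca_cert, now),
        "stale": validate_crl(stale, ca_cert, now),
        "forged": validate_crl(forged, ca_cert, now),
        "wrong_responder": validate_crl(fresh, unrelated_cert, now),
        "revoked": is_revoked(fresh, revoked_serial),
        "not_revoked": is_revoked(fresh, good_serial),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:16s} -> {outcome}")
```

Running the module prints one line per scenario. The forged CRL passes the issuer-name comparison and fails only on the signature, which is why the responder-cert must be pinned to a specific certificate rather than matched by name; the stale CRL is correctly signed but past its nextUpdate, and a consumer should treat that as a reason to refresh from the source rather than keep serving the cached copy.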