crl load

Function

The crl load command loads the CRL for the SSL policy.

The undo crl load command unloads the SSL policy CRL.

By default, the SSL policy CRL is not loaded.

Format

crl load { pem-crl | asn1-crl } crl-filename

undo crl load { pem-crl | asn1-crl } crl-filename

Parameters

| Parameter | Description | Value |
|---|---|---|
| pem-crl | Loads the CRL in the PEM format for the SSL policy. | - |
| asn1-crl | Loads the CRL in the ASN1 format for the SSL policy. | - |
| crl-filename | Specifies the name of a CRL. The file is in the security subdirectory of the system directory. If the security directory does not exist in the system, create it. | The value is a string of 1 to 64 case-insensitive characters without spaces. The file name is the same as that of the uploaded file. |

Views

SSL policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A CA can use a CRL to shorten the validity period of a certificate. The CA releases a CRL that specifies a set of invalid certificates. When the CA revokes a certificate by listing it in the CRL, the declaration about the authorized key pair is revoked before the certificate expires. When the certificate expires, data related to the certificate is cleared from the CRL.

If the certificate key is disclosed, or if you need to revoke a certificate for other reasons, use a third-party tool to revoke the released certificates and mark them as invalid, which generates a CRL.

Prerequisites

Before running the crl load command, run the ssl policy command in the system view to create the SSL policy.

Precautions

  • When you load the CRL on the FTPS client and access the FTPS server from the FTPS client, the FTPS server checks whether the certificate is declared in the CRL. If the certificate has been declared, the FTPS client and server disconnect.

  • A maximum of two CRL files can be loaded in an SSL policy. For the sake of security, deleting the installed CRL file is not recommended; otherwise, services using the SSL policy will be affected.

Example

# Load the CRL in the PEM format for the SSL policy.

<HUAWEI> system-view
[HUAWEI] ssl policy ftp_server
[HUAWEI-ssl-policy-ftp_server] crl load pem-crl server.pem

# Load the CRL in the ASN1 format for the SSL policy.

<HUAWEI> system-view
[HUAWEI] ssl policy ftp_server
[HUAWEI-ssl-policy-ftp_server] crl load asn1-crl server.der
Copyright © Huawei Technologies Co., Ltd.