Configuring the CRL Function

Configuring the CRL function consists of enabling CRL check and updating the CRL. After the CRL function is configured, a device checks the validity of the peer device's certificate. If the serial number of the peer device's certificate is listed in the CRL, the peer device's certificate has been revoked and is considered invalid.

Prerequisites

Before configuring automatic CRL update, verify that the network and the CRL server are reachable and working normally.

Context

Before configuring the CRL function, be aware of the following information:

  • Enable CRL check.

    Before configuring CRL, enable CRL check.

    When a certificate is being verified after CRL check is enabled, the CRL is queried to check whether it contains the serial number of the certificate. If the CRL contains the serial number of the certificate, the certificate has been revoked and is considered invalid. For details about how to verify the certificate validity, see Verifying the Certificates.

  • Update the CRL.

    To ensure that the latest CRL is used, check the CRL status periodically and download the latest CRL from the CRL server using HTTP or LDAP.

    Updating the CRL consists of automatically updating the CRL and manually updating the CRL. Automatically updating the CRL can be implemented using HTTP or LDAP. After the specified interval elapses, the system automatically downloads the CRL using HTTP or LDAP. When the latest CRL is urgently required, manually update the CRL by downloading the CRL from the CRL server.

Procedure

  1. Enable CRL check.

    1. Run the system-view command to enter the system view.

    2. Run the pki crl check enable command to enable CRL check.

  2. Update the CRL.

    When the system is configured to automatically update the CRL using HTTP or LDAP, note the following:

    • Ensure that there is sufficient space in the CF card for the CRL file.

    Perform the following operations as needed.

    • Enable the function of automatically updating the CRL using HTTP.

      1. Run the system-view command to enter the system view.

      2. Run the pki domain domain-name command to enter the PKI domain name configuration view.

      3. Run the crl auto-update enable command to enable automatic CRL update.

      4. Run the crl update-period interval command to set an interval between two consecutive automatic CRL updates.

      5. Run the crl http command to enable the function of automatically updating the CRL using HTTP.

      6. Run the crl url url-addr [ source source-ip-address ] [ vpn-instance vpn-instance-name ] command to configure the URL of the CRL distribution point (CDP).

        This command can be executed only after the crl http command is run.

      7. Run the commit command to commit the configuration.

    • Enable the function of automatically updating the CRL using LDAP.

      1. Run the system-view command to enter the system view.

      2. Run the pki domain domain-name command to enter the PKI domain name configuration view.

      3. Run the crl auto-update enable command to enable automatic CRL update.

      4. Run the crl update-period interval command to set an interval between two consecutive automatic CRL updates.

      5. Run the crl ldap command to enable the function of automatically updating the CRL using LDAP.

      6. Run the ldap-server { authentication ldap-dn ldap-password | ip ldap-ip-address [ vpn-instance vpn-instance-name ] [ source source-ip-address ] { [ port port ] | [ version version ] } * } command to configure the LDAP server.

        This command can be executed only after the crl ldap command is run.

      7. Run the crl ldap [ attribute attr-value ] dn dn-value command to configure the attributes and identifier used to obtain the CRL from the LDAP server.

        This command can be executed only after the crl ldap command is run.

      8. Run the commit command to commit the configuration.

    • Manually update the CRL.

      1. Download a CRL. Perform the following operations as needed.

        • Run the system-view command to enter the system view.

        • Run the pki http url-addr [ vpn-instance vpn-instance-name ] save-name [ source source-ip-address ] command to download the CRL through HTTP.

        • Run the pki ldap ip ldap-ip-address [ vpn-instance vpn-instance-name ] [ source source-ip-address ] port port version version [ attribute attr-value ] [ authentication ldap-dn ldap-password ] save-name dn dn-value command to download the CRL through LDAP.

      2. Run the pki import-certificate crl [ domain domainName ] filename file-name command to import the CRL.
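The procedure above carried through end to end, as an added example that is not part of the original documentation: it enables CRL check, configures automatic CRL update through HTTP in one PKI domain, and then performs a manual download and import for the case where the latest CRL is required immediately. The PKI domain name corp-pki, the CDP URL, the file name corp-ca.crl, the interval value 24 (its unit and valid range are defined in the product's command reference) and the prompt strings are all assumed values chosen for illustration; the domain is assumed to already hold the CA certificate.

```text
# Added example, not from the original documentation. Prompts are illustrative.
# Assumed values: PKI domain corp-pki, CDP URL http://pki.example.com/crl/corp-ca.crl,
# save name corp-ca.crl, update interval 24 (unit/range per the command reference).

# 1. Enable CRL check so that certificate verification consults the CRL.
<HUAWEI> system-view
[~HUAWEI] pki crl check enable

# 2. Enable automatic CRL update through HTTP in the PKI domain.
[*HUAWEI] pki domain corp-pki
[*HUAWEI-pki-domain-corp-pki] crl auto-update enable
[*HUAWEI-pki-domain-corp-pki] crl update-period 24
[*HUAWEI-pki-domain-corp-pki] crl http
# crl url is accepted only after crl http has been run; the optional
# source and vpn-instance parameters are omitted here.
[*HUAWEI-pki-domain-corp-pki] crl url http://pki.example.com/crl/corp-ca.crl
[*HUAWEI-pki-domain-corp-pki] commit
[~HUAWEI-pki-domain-corp-pki] quit

# 3. Manual update when the latest CRL is needed before the next automatic run:
# download the CRL through HTTP (url-addr followed by save-name), then import it.
[~HUAWEI] pki http http://pki.example.com/crl/corp-ca.crl corp-ca.crl
[~HUAWEI] pki import-certificate crl domain corp-pki filename corp-ca.crl
```

The order in step 2 matters: crl http must precede crl url, and nothing takes effect until commit is run. If the LDAP path is preferred, replace crl http and crl url with crl ldap, ldap-server and crl ldap dn as listed in the LDAP procedure; the remaining steps are identical.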

Copyright © Huawei Technologies Co., Ltd.