CRL

Certificate revocation refers to that the CA revokes a certificate when the certificate expires or becomes invalid. A local certificate may be revoked in the following conditions:

• Change of user information.
• Disclosure of the user private key.
• Disclosure of the CA private key
• The local certificate expires and the device needs a new one.
• The security policy is changed, which poses a new requirement (a longer/shorter key) on the signature function. Therefore, a new public/private key pair, a new signature, and a new local certificate are required.

When receiving the peer's certificate, the device needs to check whether the certificate is revoked by the CA. To ensure the validity of the peer's certificate, the most convenient way is to download the latest certificate from the peer and CA during each authentication. This method, however, is system-resource-consuming, and re-authentication delay may result in re-establishing the connection, which affects the communications between devices.

The problem can be solved in the following methods:

• The CA saves the serial numbers of revoked certificates to the Certificate Revocation List (CRL).
• The device caches the peer's certificate to the local and periodically downloads the CRL from the CA.
• Since the peer' certificate is saved in the cache, to authenticate the peer, the device only needs to match the serial number of the certificate with that in the CRL. If the serial number is matched, the peer' certificate is revoked. In this case, the device requests the peer or CA for a certificate again. If the serial number is not matched, the peer's certificate is valid. Therefore, the certificate saved in the local cache can be used.

The device can update the CRL in the following methods:

• Automatic update

  The device communicates with the CRL server through HTTP or LDAP, periodically sends update requests to the CRL server, and automatically downloads the CRL from the server.

• Manual update

  The CRL can be downloaded from the CRL server through the manual execution of commands on the device.