Automatic CRL Retrieval – Nortel Networks NN46120-104 User Manual

Page 120

Certificates and Client Authentication

Or, for a CRL in hexadecimal format, list the serial numbers by their
hexadecimal values below the HEX ASCII revocation paragraph. For example:

    # CRL for CA certificate 1
    # Issued first: 2005-01-01
    # Last update: 2005-02-01
    HEX ASCII revocation
    1F4
    1F5
    24E
    4

Save the file, and upload it to a TFTP/FTP/SCP/SFTP server
that can be accessed from your VPN Gateway(s).

--End--
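The file layout above is simple enough that it pays to validate it before uploading it to the TFTP/FTP/SCP/SFTP server, since a stray non-hex line or a missing "HEX ASCII revocation" header would leave a certificate unrevoked without any obvious error. The following Python is an added example, not code from the Nortel user guide; it parses only the hexadecimal variant shown on this page (the decimal variant described earlier in the guide is not handled), treats every line starting with "#" as a comment, and lets you check a certificate's serial number against the parsed list. The sample CRL text is constructed from the page's example.

```python
"""Parse the gateway's plain-text hexadecimal CRL format and check serials.

Added example (not the product's code). Assumptions: comment lines begin
with '#', the literal header 'HEX ASCII revocation' precedes the serials,
and each serial is a bare hexadecimal number (no '0x' prefix), one per line.
"""
import re

HEX_HEADER = "HEX ASCII revocation"

# Constructed sample, laid out like the example in the user guide.
SAMPLE_CRL = """\
# CRL for CA certificate 1
# Issued first: 2005-01-01
# Last update: 2005-02-01
HEX ASCII revocation
1F4
1F5
24E
4
"""


def parse_hex_crl(text):
    """Return (metadata, revoked).

    metadata: the comment lines (without the leading '#'), in file order.
    revoked:  a set of integer serial numbers listed below the header.
    Raises ValueError when the header is missing, when a non-comment line
    appears before the header, or when a serial is not hexadecimal.
    """
    metadata = []
    revoked = set()
    in_body = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            metadata.append(line[1:].strip())
            continue
        if not in_body:
            if line == HEX_HEADER:
                in_body = True
                continue
            raise ValueError(
                f"line {lineno}: expected '{HEX_HEADER}' header, got {line!r}")
        if not re.fullmatch(r"[0-9A-Fa-f]+", line):
            raise ValueError(f"line {lineno}: {line!r} is not a hexadecimal serial")
        revoked.add(int(line, 16))
    if not in_body:
        raise ValueError(f"no '{HEX_HEADER}' header found")
    return metadata, revoked


def is_revoked(serial, revoked):
    """True if the serial is in the parsed list.

    serial may be an int, or the colon- or space-separated hex string
    that certificate viewers print (e.g. '01:F4').
    """
    if isinstance(serial, str):
        serial = int(serial.replace(":", "").replace(" ", ""), 16)
    return serial in revoked


if __name__ == "__main__":
    meta, revoked = parse_hex_crl(SAMPLE_CRL)
    print("metadata:", meta)
    print("revoked serials:", sorted(revoked))
    print("01:F4 revoked?", is_revoked("01:F4", revoked))
    print("1F6 revoked?", is_revoked(0x1F6, revoked))
```

Serials are compared as integers, so "1F4", "1f4" and "01:F4" all refer to the same certificate; a parse error names the offending line so the file can be corrected before it is uploaded.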

Automatic CRL Retrieval

Automatic CRL retrieval is used for configuring access to a server
containing CRLs (certificate revocation lists), and retrieving such lists at
regular intervals to automate the task of keeping the CRL up-to-date.

Note: When enabling automatic retrieval of certificate revocation lists,
any existing revocation list is overwritten.

You can use LDAP, HTTP, or TFTP to retrieve CRLs from the appropriate
server (for LDAP, the server must support LDAP v3). When using LDAP,
a bind operation to the specified LDAP server is performed each time a
CRL retrieval occurs. The bind operation uses the specified distinguished
name and password. Directly after a successful bind operation, a search
for the CRL attribute specified in the URL is performed on the LDAP
server. For more information about the implementation details behind
these operations, see RFC 2251.

Step / Action

1  Specify the URL from which the CRL list should be retrieved.

This step sets the complete URL for retrieving a CRL using
LDAP, HTTP, or TFTP. If you are not using the default TCP port
of the respective protocol, the TCP port number must also be
included in the URL.

If you want to retrieve CRLs from an LDAP server, you need
to provide the distinguished name of the specific object on the
LDAP server, together with the attribute that holds the CRL (all in

Nortel VPN Gateway User Guide, NN46120-104, 02.01 Standard, 14 April 2008
Copyright © 2007-2008 Nortel Networks
