Enabling CRL checking – Avaya 3.7 User Manual


Configuring VPN objects

156 Avaya VPNmanager Configuration Guide Release 3.7

Enabling CRL checking

For certificate-based VPNs that use IKE negotiation, a security gateway must verify the
certificate presented by the peer VSU. When Certificate Revocation List (CRL) checking is
enabled, the VSU first validates the CRL it downloaded from the VPNmanager against the
Certificate Authority (CA) certificate (that is, it checks that the CRL was signed by the CA),
and then checks the peer's certificate against the validated CRL. If the peer's certificate is
listed in the CRL, the IKE negotiation is cancelled. Because the VSU consults only the CRL it
holds, a newly revoked certificate is rejected only once the newer CRL that lists it has been
loaded into Directory Server.

To manually install a CRL into Directory Server from the CA's LDAP server:

1. From the CA's LDAP server, obtain the CRL that is associated with your installed issuer
certificate.

2. Save the CRL as crl content.txt.

3. Open the crl content.txt file to extract the necessary CRL information.

4. Locate the dn header with the organization unit (ou) that corresponds to the CRL. For
example, dn: ou=vpnet VSU, o=Avaya Inc., c=US

5. Locate the paragraphs starting with cacertificate;binary and
certificaterevocationlist;binary. For example,

cacertificate;binary
::MIICKzCCAZSgAwIBAgIQRTP4LaWmlSRKYLv86Cphk
.
.
.
ygPDgMZlQq4oQoNyy26HRAV0yJ==

certificaterevocationlist;binary
::MIIC2zCCAkQwDQYJKoZIhvcNAQEEBQAw

6. Copy the cacertificate;binary and certificaterevocationlist;binary paragraphs to a
new file.

7. Save the new file as crl.ldif.

8. Add a certificate dn header to the crl.ldif file. Use the following dn header format:

dn: cacertificate=IssuerCRL, ou=VPN Domain, o=DNS Domain
objectclass: certificationAuthority

Note: dn specifies where the CRL file is filed.
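The extraction and file-building steps of the procedure above can be scripted. The Python below is an added example; it is not part of the Avaya guide and not VPNmanager code. It assumes the CA's LDAP export is standard LDIF (a base64 value is introduced by "::" on the same line as the attribute name, and long values are folded onto continuation lines that begin with one space), it substitutes constructed placeholder bytes for the real CA certificate and CRL, and the function names parse_ldif, fold and build_crl_ldif are the example's own. The dn header it writes is the one the procedure specifies.

```python
"""Build crl.ldif for VPNmanager's Directory Server from a CA LDAP export.

Added example, not code from the Avaya guide. Assumes the export is RFC 2849
LDIF: 'attr:: <base64>' for binary values, continuation lines start with ' '.
"""
import base64

LDIF_WIDTH = 76  # conventional maximum line length before LDIF folding


def fold(attr, raw, width=LDIF_WIDTH):
    """Emit 'attr:: <base64>' with the value folded the way LDIF folds it."""
    b64 = base64.b64encode(raw).decode()
    head = f"{attr}:: "
    lines = [head + b64[: width - len(head)]]
    rest = b64[width - len(head):]
    while rest:                       # continuation lines carry a leading space
        lines.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(lines)


def parse_ldif(text):
    """Return entries as {'dn': str, 'attrs': {name: [values]}}.

    Base64 ('::') values are decoded to bytes, attribute names are lower-cased,
    and folded lines are joined back together before parsing.
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]   # unfold onto the previous logical line
        else:
            logical.append(line)
    entries, current = [], None
    for line in logical + [""]:       # trailing "" flushes the final entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):     # 'attr:: base64'
            val = base64.b64decode(value[1:].strip())
        else:
            val = value.strip()
        if name.lower() == "dn":
            current = {"dn": val if isinstance(val, str) else val.decode(), "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current["attrs"].setdefault(name.lower(), []).append(val)
    return entries


def build_crl_ldif(export_text, ou, vpn_domain, dns_domain):
    """Pick the CA entry whose dn carries ou=<ou> and write the VPNmanager entry."""
    matches = [e for e in parse_ldif(export_text) if f"ou={ou}".lower() in e["dn"].lower()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one entry with ou={ou}, found {len(matches)}")
    attrs = matches[0]["attrs"]
    cert = attrs.get("cacertificate;binary")
    crl = attrs.get("certificaterevocationlist;binary")
    if not cert or not crl:
        raise KeyError("entry lacks cacertificate;binary or certificaterevocationlist;binary")
    for label, blob in (("CA certificate", cert[0]), ("CRL", crl[0])):
        # DER-encoded X.509 objects start with the SEQUENCE tag 0x30; this catches
        # the common mistake of pasting the base64 text instead of the decoded value.
        if blob[:1] != b"\x30":
            raise ValueError(f"{label} is not DER (first byte {blob[:1]!r})")
    dn = f"cacertificate=IssuerCRL, ou={vpn_domain}, o={dns_domain}"
    return "\n".join([f"dn: {dn}", "objectclass: certificationAuthority",
                      fold("cacertificate;binary", cert[0]),
                      fold("certificaterevocationlist;binary", crl[0]), ""])


# Constructed sample export. The values are placeholder bytes that merely begin
# with the DER SEQUENCE tag 0x30 ('0'); they are NOT a real certificate or CRL.
FAKE_CERT = b"0" + b"CA-CERT-PLACEHOLDER " * 4
FAKE_CRL = b"0" + b"CRL-PLACEHOLDER " * 5
SAMPLE_EXPORT = "\n".join([
    "dn: ou=vpnet VSU, o=Avaya Inc., c=US",
    "objectclass: top",
    "objectclass: organizationalUnit",
    "ou: vpnet VSU",
    fold("cacertificate;binary", FAKE_CERT),
    fold("certificaterevocationlist;binary", FAKE_CRL),
    "",
    "dn: ou=other, o=Avaya Inc., c=US",
    "objectclass: organizationalUnit",
    "ou: other",
    "",
])

if __name__ == "__main__":
    print(build_crl_ldif(SAMPLE_EXPORT, "vpnet VSU", "VPN Domain", "DNS Domain"))
```

The script only checks that both values are DER and that exactly one entry matches the ou; it does not verify that the CRL was actually signed by the issuer certificate you installed. Before loading crl.ldif, decode the two values and confirm the pairing with openssl (openssl crl -inform DER -in crl.der -CAfile ca.pem -noout reports "verify OK"), since a CRL from a different issuer would be accepted by the file format but rejected by the VSU when it validates the CRL against the CA certificate.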
