protocol ssl crl ca
Configures Certificate Revocation Lists (CRLs) for automatically discovered CAs. You can update automatically discovered CRLs using this command.
Syntax
[no] protocol ssl crl ca <ca-name> cdp <integer> ldap-server <ip-address or hostname> [crl-attr-name <attr-name>] [port <port>]
Parameters
<ca-name>
Name of an SSL CA certificate.
cdp <integer>
Specifies the integer index of a CRL Certificate Distribution Point (CDP) in a CA certificate.
The no protocol ssl crl ca <ca-name> cdp <integer> command removes the update.
ldap-server <ip-address>
Specifies the Lightweight Directory Access Protocol (LDAP) server IP address to modify a CDP URI.
ldap-server <ip-address or hostname>
Specifies the LDAP server hostname to modify a CDP URI.
crl-attr-name <attr-name>
Specifies the attribute name of the CRL in an LDAP entry.
port <port>
Specifies the LDAP service port.
Usage
Enabling CRL allows the CA to revoke a certificate. For example, when the private key of the certificate has been compromised, the CA can issue a CRL that revokes the certificate.
A CRL includes any digital certificates that have been invalidated before their expiration date, including the reasons for their revocation and the names of the issuing certificate signing authorities. A CRL prevents the use of digital certificates and signatures that have been compromised. The certificate authorities that issue the original certificates create and maintain the CRLs.
To clear the CRL alarm, execute the no stats alarm crl_error enable command.
Example
amnesiac (config) # protocol ssl crl ca Go_Daddy_Class_2 cdp 512 ldap-server 192.168.172.1
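The Python sketch below is an added illustration, not SteelHead code. It shows which parts of an LDAP CDP URI (RFC 4516 layout) the ldap-server, port and crl-attr-name options correspond to. The function name, the sample URI and the rule that unspecified parts are kept from the certificate are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample: a CDP URI with an empty host part, a form that gives a
# client no server to contact unless one is configured separately.
SAMPLE_CDP = ("ldap:///CN=CA1,CN=CDP,DC=example,DC=test"
              "?certificateRevocationList?base?objectClass=cRLDistributionPoint")


def rewrite_ldap_cdp(cdp_uri, ldap_server, port=None, crl_attr_name=None):
    """Return cdp_uri with its host, port and CRL attribute overridden.

    Hypothetical helper: mirrors the command's options, not its implementation.
    """
    parts = urlsplit(cdp_uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP CDP URI: %r" % cdp_uri)

    # RFC 4516 query layout: attributes?scope?filter?extensions
    fields = parts.query.split("?") if parts.query else [""]
    if crl_attr_name:
        fields[0] = crl_attr_name  # attribute that holds the CRL in the entry

    # Assumption: keep the certificate's port when no override is given.
    effective_port = port if port is not None else parts.port
    if effective_port is not None and not 0 < effective_port < 65536:
        raise ValueError("invalid LDAP port: %r" % effective_port)

    # IPv6 literals must be bracketed in the authority part of a URI.
    host = "[%s]" % ldap_server if ":" in ldap_server else ldap_server
    netloc = host if effective_port is None else "%s:%d" % (host, effective_port)

    uri = "%s://%s%s" % (parts.scheme, netloc, parts.path)
    query = "?".join(fields)
    return uri + "?" + query if query else uri


if __name__ == "__main__":
    # Server address taken from the command example above.
    print(rewrite_ldap_cdp(SAMPLE_CDP, "192.168.172.1"))
    print(rewrite_ldap_cdp(SAMPLE_CDP, "192.168.172.1", port=3268,
                           crl_attr_name="authorityRevocationList"))
```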
Product
SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
show protocol ssl crl