SteelHead™ Deployment Guide - Protocols : Configuring SCEP and Managing CRLs : Managing Certificate Revocation Lists
Managing Certificate Revocation Lists
Certificate Revocation Lists allow CAs to revoke issued certificates (for example, when the private key of the certificate is compromised).
CRLs are not used by default in the SteelHead.
A CRL is a database that contains a list of digital certificates that have been invalidated before their expiration date, including the reasons for the revocation, and the names of the issuing certificate signing authorities. The CRL is issued by the CA that issues the corresponding certificates. All CRLs have a lifetime during which they are valid (often 24 hours or less).
CRLs are used when a:
  • server-side SteelHead verifies the certificate presented by the server in the SSL handshake between the server-side SteelHead and the server.
  • server-side SteelHead verifies the certificate presented by the client-side SteelHead in the handshake between the two SteelHeads for establishing a secure inner channel over the WAN.
  • client-side SteelHead verifies the certificate presented by the server-side SteelHead in the handshake between the two SteelHeads for establishing a secure inner channel over the WAN.
Currently, the SteelHead only supports downloading CRLs from Lightweight Directory Access Protocol (LDAP) servers.
The following table summarizes the CRL CLI management commands. Each command is listed with its parameters and their definitions.

CRL Commands

protocol ssl crl ca
  Configures CRL for automatically discovered CAs. You can update automatically discovered CRLs using this command.
    <ca-name>
      Specify the name of an SSL CA certificate.
    cdp <integer>
      Specify an integer index of a CRL Distribution Point (CDP) in a CA certificate. The no protocol ssl crl ca * cdp * command option removes the update.
    ldap server {<ip-address> | <hostname>}
      Specify the LDAP server IP address or hostname to modify a CDP URI.
    port <port>
      Optionally, specify the LDAP service port.
    crl-attr-name <attr-name>
      Optionally, specify the attribute name of the CRL in an LDAP entry.

protocol ssl crl cas enable
  Enables CRL polling and use of CRL in handshake verifications of CA certificates. Enabling CRL allows the CA to revoke a certificate. For example, when the private key of the certificate is compromised, the CA can issue a CRL that revokes the certificate.

protocol ssl crl handshake
  Configures handshake behavior for a CRL.
    fail-if-missing
      If a relevant CRL cannot be found, the handshake fails.

[no] protocol ssl crl manual
    ca
      Specify the CA name to manually configure the CDP. The no protocol ssl crl manual command removes manually configured CDPs.
    uri <uri>
      Specify the complete CDP URI to manually configure the CDP for the CA.
    peering ca
      Specify the CA name to manually configure the CDP for the peering CA.
    uri <uri>
      Specify the complete CDP URI to manually configure the CDP for the peering CA.

protocol ssl crl peering
    ca <ca-name>
      Configures a CRL for an automatically discovered peering CA.
    cdp <integer>
      Specify an integer index of a CDP in a peering CA certificate. The no protocol ssl crl peering ca * cdp * command removes the update.
    ldap server {<ip-address> | <hostname>}
      Specify the IP address or hostname of an LDAP server.
    crl-attr-name {<string> | port <port-number>}
      Optionally, specify an attribute name of the CRL in an LDAP entry.
    port <port-number>
      Optionally, specify the LDAP service port.
    cas enable
      Enables CRL polling and use of CRL in handshake verification.

protocol ssl crl query-now
    ca <string> cdp <integer>
      Download the CRL issued by the SSL CA. Specify the CA name and CDP integer.
    peering ca <ca-name> cdp <integer>
      Download the CRL issued by the SSL peering CA. Specify the CA name and CDP integer.

show protocol ssl crl
    ca <ca-name>
      Display the current state of CRL polling of a CA.
    crl cas <cr> | crl-file <string> text
      Display the CRL in text format.
    crl peering ca <ca-name> | cas crl-file <string> text
      Display the current state of CRL polling for peering CAs.
    crl report ca <ca-name> | peering ca <peering ca name>
      Display reports of CRL polling from the CA or from the peering CA.
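The fail-if-missing option above, together with the CRL lifetime described at the top of this page, decides what a verifier does when no current CRL for the issuer is at hand. The following Python example is added here and is not part of the SteelHead guide or of RiOS; it models that decision with a constructed CA, certificates and CRLs (every name and serial number is hypothetical): only a CRL inside its validity window is consulted, an expired one is ignored, and the policy flag chooses between a hard handshake failure and an unchecked accept.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REVOKED = "reject: certificate serial is on a current CRL"
    CRL_MISSING = "reject: no current CRL for the issuer (fail-if-missing set)"
    UNCHECKED = "accept: no current CRL for the issuer, revocation not checked"


@dataclass
class Crl:
    """Simplified CRL: issuing CA, validity window, revoked serials with reasons."""
    issuer: str
    this_update: datetime
    next_update: datetime                        # end of the CRL's lifetime
    revoked: dict = field(default_factory=dict)  # serial number -> revocation reason

    def is_current(self, now: datetime) -> bool:
        return self.this_update <= now <= self.next_update


@dataclass
class Certificate:
    subject: str
    issuer: str
    serial: int


def check_revocation(cert: Certificate, crls: list, now: datetime, fail_if_missing: bool):
    """Revocation decision for one peer certificate during a handshake.

    Returns (verdict, reason). With fail_if_missing=True a missing or expired CRL
    for the issuer fails the handshake; with False the check is silently skipped,
    which is the soft-fail behaviour a defender should know they are accepting.
    """
    current = [c for c in crls if c.issuer == cert.issuer and c.is_current(now)]
    if not current:
        return (Verdict.CRL_MISSING if fail_if_missing else Verdict.UNCHECKED), None
    crl = max(current, key=lambda c: c.this_update)  # freshest current CRL wins
    if cert.serial in crl.revoked:
        return Verdict.REVOKED, crl.revoked[cert.serial]
    return Verdict.ACCEPT, None


# Constructed sample data (hypothetical, not from the page): one CA with a current
# CRL whose lifetime is 24 hours, plus a stale CRL from two days earlier that lists
# an extra serial and must be ignored because it is outside its validity window.
NOW = datetime(2009, 7, 30, 17, 40, 34, tzinfo=timezone.utc)
ISSUER = "CN=Example Internal CA"
SAMPLE_CRLS = [
    Crl(ISSUER, NOW - timedelta(hours=6), NOW + timedelta(hours=18),
        revoked={4102: "keyCompromise"}),
    Crl(ISSUER, NOW - timedelta(days=2), NOW - timedelta(days=1),
        revoked={4102: "keyCompromise", 4105: "cessationOfOperation"}),
]
SERVER_CERT = Certificate("CN=app.example.internal", ISSUER, 4101)
COMPROMISED_CERT = Certificate("CN=old.example.internal", ISSUER, 4102)
STALE_ONLY_CERT = Certificate("CN=moved.example.internal", ISSUER, 4105)
OTHER_CA_CERT = Certificate("CN=peer.example.internal", "CN=Other CA", 7)


def demo() -> dict:
    """Run every sample certificate under both policies; returns {(name, policy): verdict}."""
    cases = (("good", SERVER_CERT), ("compromised", COMPROMISED_CERT),
             ("stale-only", STALE_ONLY_CERT), ("no-crl", OTHER_CA_CERT))
    results = {}
    for name, cert in cases:
        for policy in (False, True):
            verdict, reason = check_revocation(cert, SAMPLE_CRLS, NOW, fail_if_missing=policy)
            results[(name, policy)] = verdict
            suffix = f" ({reason})" if reason else ""
            print(f"{name:12s} fail-if-missing={policy!s:5s} -> {verdict.value}{suffix}")
    return results


if __name__ == "__main__":
    demo()
```

The "no-crl" case is the one fail-if-missing changes: without it the certificate from the CA that has no current CRL is accepted unchecked, with it the handshake is rejected. The "stale-only" case shows why the lifetime matters: a serial that appears only on an expired CRL is not treated as revoked, so a CDP that cannot be polled leaves the device with no usable revocation data once the last downloaded CRL ages out.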
    Managing CRLs
    This section describes how to manage CRLs using the CLI.
    To update an incomplete CDP
    To enable CRL polling and handshakes, connect to the SteelHead CLI and enter configuration mode.
    Enter the following set commands:
    protocol ssl crl cas enable
    protocol ssl crl peering cas enable
     
    To view the CRL polling status of all CAs, enter the following command:
    show protocol ssl crl ca cas
(This example lists two CDPs: one complete CDP and one incomplete CDP.)
    CA: Comodo_Trusted_Services
    CDP Index: 1
    DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
    Last Query Status: unavailable
    CDP Index: 2
    DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
    Last Query Status: unavailable
(An incomplete CDP is indicated by the DirName format.)
    CA: Entrust_Client
    CDP Index: 1
    DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by
    ref.limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client Certification Authority
    CN=CRL1
    Last Query Status: unavailable
    CDP Index: 2
    DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
    Last Query Status: unavailable
In this case, the Entrust Client CDP is incomplete, as indicated by the DirName format. Currently, the SteelHead only supports updates for CDPs in the DirName format.
    To update the incomplete CDP URI, enter the following commands:
    protocol ssl crl ca Entrust_Client cdp 1 ldap-server 192.168.172.1
    protocol ssl crl peering ca Entrust_Client cdp 1 ldap-server 192.168.172.1
    To view the status of the updated CDP, enter the following command:
    show protocol ssl crl ca Entrust_Client
    The status of CRL polling can be either pending, success, or error.
    To check CRL polling status of all CAs, enter the following command:
    show protocol ssl crl cas
    Viewing CRL Alarm Status
    This section describes how to view a CRL alarm and how to clear a CRL alarm.
    To view CRL alarm status
    Connect to the SteelHead CLI and enter enable mode.
Enter the following command:
    show stats alarm crl_error
    Alarm crl_error:
    Enabled: yes
    Alarm state: ok
    Rising error threshold: 1
    Rising clear threshold: 1
    Falling error threshold: no
    Falling clear threshold: no
    Rate limit bucket counts: { 5, 20, 50 }
    Rate limit bucket windows: { 3600, 86400, 604800 }
    Last checked at: 2009/07/30 17:40:34
    Last checked value: 0
    Last event at:
    Last rising error at:
    Last rising clear at:
    Last falling error at:
    Last falling clear at:
    To clear a CRL alarm, you must either rectify the problem by updating the incomplete CDP or you must disable CRL polling.
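The two checks in the procedures above, finding incomplete (DirName) CDPs in the output of show protocol ssl crl cas and reading the crl_error alarm, are easy to script when many SteelHeads are involved. The following Python example is added here and is not part of the SteelHead guide or of RiOS. It parses constructed sample output in the shape shown on this page (the DirName is shortened, the alarm is shown in the error state rather than the ok state above, and the LDAP address 192.168.172.1 is taken from the procedure), correlates the alarm with the CDP list, and emits the update commands from the procedure for every incomplete CDP, using the ldap-server spelling exactly as the procedure shows it.

```python
import re
from dataclasses import dataclass

# Constructed sample (not captured from a device) in the shape of the
# `show protocol ssl crl cas` output on this page; the DirName is shortened.
SAMPLE_CRL_STATUS = """\
CA: Comodo_Trusted_Services
CDP Index: 1
DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
Last Query Status: success
CDP Index: 2
DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
Last Query Status: pending
CA: Entrust_Client
CDP Index: 1
DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CN=CRL1
Last Query Status: error
CDP Index: 2
DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
Last Query Status: unavailable
"""

# Constructed sample in the shape of `show stats alarm crl_error`, in the raised state.
SAMPLE_ALARM = """\
Alarm crl_error:
Enabled: yes
Alarm state: error
Rising error threshold: 1
Rising clear threshold: 1
Rate limit bucket counts: { 5, 20, 50 }
Rate limit bucket windows: { 3600, 86400, 604800 }
Last checked value: 1
"""


@dataclass
class Cdp:
    ca: str
    index: int
    dp_name: str = ""
    status: str = "unavailable"

    @property
    def incomplete(self) -> bool:
        # Per the page, a CDP in DirName form is incomplete and needs an LDAP server.
        return self.dp_name.startswith("DirName:")


def parse_crl_status(text: str) -> list:
    """Turn the CA / CDP Index / DP Name / Last Query Status lines into Cdp records."""
    cdps, ca, cur = [], None, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "CA":
            ca = value
        elif key == "CDP Index":
            cur = Cdp(ca=ca, index=int(value))
            cdps.append(cur)
        elif key.startswith("DP Name") and cur is not None:
            cur.dp_name = value          # keeps the "URI:" or "DirName:" prefix
        elif key == "Last Query Status" and cur is not None:
            cur.status = value
    return cdps


def _ints(s: str) -> list:
    return [int(n) for n in re.findall(r"\d+", s)]


def parse_alarm(text: str) -> dict:
    """Parse the key/value lines of `show stats alarm <name>` into a dict."""
    fields = {}
    for raw in text.splitlines():
        key, _, value = raw.partition(":")
        fields[key.strip()] = value.strip()
    m = re.match(r"Alarm (\S+):", text)
    return {
        "name": m.group(1) if m else None,
        "enabled": fields.get("Enabled") == "yes",
        "state": fields.get("Alarm state"),
        # pair each rate-limit bucket count with its window in seconds
        "rate_limits": list(zip(_ints(fields.get("Rate limit bucket counts", "")),
                                _ints(fields.get("Rate limit bucket windows", "")))),
        "last_checked_value": int(fields.get("Last checked value", "0")),
    }


def remediation_commands(cdps: list, ldap_server: str) -> list:
    """Update commands from the page's procedure for each incomplete CDP."""
    cmds = []
    for cdp in cdps:
        if cdp.incomplete:
            cmds.append(f"protocol ssl crl ca {cdp.ca} cdp {cdp.index} ldap-server {ldap_server}")
            cmds.append(f"protocol ssl crl peering ca {cdp.ca} cdp {cdp.index} ldap-server {ldap_server}")
    return cmds


def triage(status_text: str, alarm_text: str, ldap_server: str) -> dict:
    """Correlate the alarm with the CDP list: which CDPs fail, which are incomplete, what to run."""
    cdps = parse_crl_status(status_text)
    alarm = parse_alarm(alarm_text)
    return {
        "alarm_raised": alarm["enabled"] and alarm["state"] != "ok",
        "failing": [(c.ca, c.index) for c in cdps if c.status == "error"],
        "incomplete": [(c.ca, c.index) for c in cdps if c.incomplete],
        "commands": remediation_commands(cdps, ldap_server),
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_CRL_STATUS, SAMPLE_ALARM, "192.168.172.1")["commands"]:
        print(line)
```

A CDP whose status is error but whose DP name is already a URI is deliberately left out of the generated commands: the LDAP update only applies to DirName entries, and a failing URI CDP needs a different investigation (reachability of the CRL host, proxy, or the CA publishing a new CRL) before the alarm can be cleared without disabling polling.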
    To disable CRL polling and clear a CRL alarm
    Connect to the SteelHead CLI and enter configuration mode.
Enter the following command:
    no protocol ssl crl cas enable