CRL Management (SSL)
RiOS 6.5 and later provides a way to configure Certificate Revocation Lists (CRLs) for an automatically discovered CA using the Management Console. CRLs allow CAs to revoke issued certificates (for example, when the private key of the certificate has been compromised). By default, CRLs are not used in the appliance. For detailed information, see the SteelHead Management Console User’s Guide for SteelHead CX.
A CRL is a database that contains a list of digital certificates that have been invalidated before their expiration date, including the reasons for the revocation and the names of the issuing certificate signing authorities. The CRL is issued by the CA that issues the corresponding certificates. All CRLs have a lifetime during which they are valid (often 24 hours or less).
The two types of CAs issuing CRLs are:
•  conventional CAs, which are listed in the Certificate Authorities page.
•  peering CAs, which are listed in the Trusted Entities list in the Secure Peering page.
You configure each type of CA separately.
Under CRL Settings, complete the configuration as described in this table.
| Control | Description |
| --- | --- |
| Enable Automatic CRL Polling for CAs | Enables CRL polling and use of a CRL in handshake verifications of CA certificates. Currently, the SteelHead only supports downloading CRLs from Lightweight Directory Access Protocol (LDAP) servers. |
| Enable Automatic CRL Polling For Peering CAs | Configures a CRL for an automatically discovered peering CA. |
| Fail Handshakes If A Relevant CRL Cannot Be Found | Configures handshake behavior for a CRL. Fails the handshake verification if a relevant CRL for either a peering or server certificate cannot be found. |
| Apply | Applies your settings. |
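The effect of the Fail Handshakes If A Relevant CRL Cannot Be Found setting can be seen in a generic CRL check. This is an added example built on the Go standard library, not SteelHead code; the function names, the throwaway CA and the serial numbers are constructed for illustration. It assumes that a CRL that is missing, fails signature verification against the CA, or is past its lifetime counts as "not found".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCAWithCRL builds a throwaway CA (constructed data) and a signed CRL revoking `serial`.
func newCAWithCRL(serial int64, lifetime time.Duration) (*x509.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(lifetime),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: now}}}
	crl, _ := x509.CreateRevocationList(rand.Reader, rl, ca, key)
	return ca, crl
}

// checkRevocation returns nil when the handshake may proceed (assumed policy, see lead-in).
func checkRevocation(ca *x509.Certificate, crlDER []byte, serial int64, failIfNoCRL bool, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		if failIfNoCRL {
			return fmt.Errorf("handshake failed: no relevant CRL")
		}
		return nil // fail-open: revocation status unknown, handshake continues
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return fmt.Errorf("handshake failed: certificate revoked")
		}
	}
	return nil
}

func main() {
	ca, crl := newCAWithCRL(42, 24*time.Hour)
	fmt.Println(checkRevocation(ca, crl, 42, false, time.Now()))
	fmt.Println(checkRevocation(ca, nil, 42, true, time.Now()))
}
```

With the fail-open setting, a revoked certificate is still accepted once the CRL has aged past its lifetime, which is why short CRL lifetimes make reliable polling matter.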