About SSL and Secure Inner Channels : Configuring CRL management
  
Configuring CRL management
You configure CRL management on the server-side SteelHead under Optimization > SSL: CRL Management. RiOS provides a way to configure Certificate Revocation Lists (CRLs) for an automatically discovered CA using the Management Console. CRLs allow CAs to revoke issued certificates (for example, when the private key of the certificate has been compromised). By default, CRLs are not used in Riverbed appliances.
A CRL is a database that contains a list of digital certificates invalidated before their expiration date, including the reasons for the revocation and the names of the issuing certificate signing authorities. The CRL is issued by the CA, which issues the corresponding certificates. All CRLs have a lifetime during which they are valid (often 24 hours or less).
CRLs are used when a:
- server-side SteelHead appliance verifies the certificate presented by the server in the SSL handshake between the server-side SteelHead appliance and the server.
- server-side SteelHead appliance verifies the certificate presented by the client-side appliance in the handshake between the two SteelHead appliances for establishing a secure inner channel over the WAN.
- client-side appliance verifies the certificate presented by the server-side SteelHead appliance in the handshake between the two appliances for establishing a secure inner channel over the WAN.
The two types of CAs issuing CRLs are:
- conventional CAs, which are listed in the Certificate Authorities page.
- peering CAs, which are listed in the Trusted Entities list in the Secure Peering page.
You configure each type of CA separately.
Currently, Riverbed appliances only support downloading CRLs from Lightweight Directory Access Protocol (LDAP) servers.
Under CRL Settings, these configuration options are available:
Enable Automatic CRL Polling for CAs
    Enables CRL polling and use of a CRL in handshake verifications of CA certificates. Currently, the SteelHead only supports downloading CRLs from Lightweight Directory Access Protocol (LDAP) servers.
Enable Automatic CRL Polling for Peering CAs
    Configures a CRL for an automatically discovered peering CA.
Fail Handshakes If A Relevant CRL Cannot Be Found
    Configures handshake behavior for a CRL. The handshake verification fails if a relevant CRL for either a peering or server certificate cannot be found.
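The verification outcomes described on this page (a certificate that the CA has revoked, no relevant CRL available when CRL checking is required, and a CRL past its lifetime), as an added example that is not part of the Riverbed documentation or of RiOS: the script builds a throwaway CA with the openssl command line, revokes one of two issued certificates, publishes a CRL, and runs openssl verify with -crl_check against each case. The SteelHead fetches its CRLs from LDAP and performs the equivalent check inside the SSL handshake; here the CRL is just a local file. All names, the ca.cnf layout, the 300000-second "future time" and the files under $WORK are constructed for the example.

```shell
#!/bin/sh
# Added example (not RiOS code): exercise the three CRL outcomes that matter to a
# verifier -- revoked serial, no CRL available, CRL past its nextUpdate -- with a
# throwaway CA built here. Everything under $WORK is constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal "openssl ca" database (index, serial, CRL number); a demo layout only.
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = any_policy
x509_extensions = v3_leaf
[ any_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed CA: the role played by a conventional CA or a peering CA in the text.
openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.pem \
  -config ca.cnf -subj "/CN=Demo Root CA" -days 365 >/dev/null 2>&1

# issue_cert PREFIX CN: CSR plus CA-signed certificate, written to PREFIX.*
issue_cert() {
  openssl req -new -nodes -newkey rsa:2048 -keyout "$1.key" -out "$1.csr" \
    -config ca.cnf -subj "/CN=$2" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.pem" >/dev/null 2>&1
}
issue_cert server  server.example.test
issue_cert revoked revoked.example.test

# The CA revokes one certificate and publishes a CRL valid for one day
# (default_crl_days). The appliance only downloads such a file; it never builds it.
openssl ca -config ca.cnf -revoke revoked.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# verify_with_crl CERT [CRLFILE] [ATTIME]: run the check a verifier performs and
# reduce the result to one word. -crl_check makes a missing CRL for the leaf an
# error, which is the "Fail Handshakes If A Relevant CRL Cannot Be Found" behaviour;
# an empty CRLFILE shows that case. ATTIME (epoch seconds) runs the check at a
# pretend time after the CRL's nextUpdate, i.e. after its lifetime has passed.
verify_with_crl() {
  cert=$1; crl=${2:-}; attime=${3:-}
  set -- -crl_check -CAfile ca.pem
  if [ -n "$crl" ]; then set -- "$@" -CRLfile "$crl"; fi
  if [ -n "$attime" ]; then set -- "$@" -attime "$attime"; fi
  out=$(openssl verify "$@" "$cert" 2>&1) || true
  case "$out" in
    *": OK"*)                          echo ok ;;
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *"CRL has expired"*)               echo crl-expired ;;
    *)                                 echo "other: $out" ;;
  esac
}

# A point in time a few days past the CRL's one-day lifetime (constructed value).
future_time() { echo $(( $(date +%s) + 300000 )); }

echo "valid cert, current CRL:       $(verify_with_crl server.pem  crl.pem)"
echo "revoked cert, current CRL:     $(verify_with_crl revoked.pem crl.pem)"
echo "valid cert, no CRL available:  $(verify_with_crl server.pem)"
echo "valid cert, CRL past lifetime: $(verify_with_crl server.pem  crl.pem "$(future_time)")"
```

The third and fourth cases are the ones the CRL Settings options decide: with "Fail Handshakes If A Relevant CRL Cannot Be Found" enabled the appliance behaves like -crl_check and rejects the handshake when no CRL is at hand, and because every CRL has a lifetime, a verifier that polls too rarely ends up in the expired-CRL case even though the certificate itself is still good.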