VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring
78-13274-01
Chapter 9 Certificate Management
Administration | Certificate Management | Certificates | CRL
This screen lets you enable Certificate Revocation List (CRL) checking for CA certificates installed in
the VPN Concentrator.
A certificate is normally expected to be valid for its entire validity period. However, if a certificate
becomes invalid due to a name change, change of association between the subject and the CA, security
compromise, etc., the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically
issuing a signed Certificate Revocation List (CRL), where each revoked certificate is identified by its
serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate
for authentication, it also checks the latest CRL to ensure that the certificate has not been revoked.
CAs use LDAP databases to store and distribute CRLs. They might also use other means, but the VPN
Concentrator relies on LDAP access.
Since the system has to fetch and examine the CRL from a network distribution point, enabling CRL
checking might slow system response times. Also, if the network is slow or congested, CRL checking
might fail.
Many certificates include the location of the CRL distribution point. View the certificate to determine
its presence. If the CRL distribution point is present in the certificate in the proper format, you need not
configure any fields below the check box on this screen.
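An added example, not from the Cisco manual, that walks through the check described above with the OpenSSL command line (Example-CA, vpn-user and crl.example.test are made-up names): a throwaway CA issues a user certificate that carries a CRL Distribution Point, the certificate verifies while the CA's CRL lists nothing, and it fails by serial-number match once the CA revokes it and reissues the CRL.

```shell
#!/bin/sh
# Added example, not from the Cisco manual: a throwaway lab CA so the CRL check can be
# watched end to end.  Made-up names: Example-CA, vpn-user, crl.example.test.  Needs openssl.
set -eu
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database    = index.txt
certificate = ca.pem
private_key = ca.key
serial      = serial
crlnumber   = crlnumber
default_md  = sha256
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Lab CA, standing in for the CA whose certificate is installed on the concentrator.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=Example-CA -keyout ca.key -out ca.pem 2>/dev/null
# User certificate carrying a CRL Distribution Point (an LDAP URI, the access method the manual relies on).
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=vpn-user -keyout user.key -out user.csr 2>/dev/null
echo 'crlDistributionPoints = URI:ldap://crl.example.test/cn=Example-CA?certificateRevocationList' > ext.cnf
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 -extfile ext.cnf -out user.pem 2>/dev/null
# "View the certificate to determine its presence": print the CDP extension.
cdp_of() { openssl x509 -in "$1" -noout -text | grep -A3 'CRL Distribution'; }
# The check itself: is the certificate's serial number listed on the CA's signed CRL?
# Prints valid, revoked, or unknown (no CRL, or one that does not validate: what a failed fetch looks like).
crl_status() {  # $1 = certificate, $2 = CRL file
  [ -s "$2" ] || { echo unknown; return 0; }
  cat ca.pem "$2" > bundle.pem        # trust anchor plus its CRL
  out=$(openssl verify -crl_check -CAfile bundle.pem "$1" 2>&1) && { echo valid; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo unknown ;; esac
}
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null   # CRL with no entries
BEFORE=$(crl_status user.pem crl.pem)                                    # valid
openssl ca -config ca.cnf -revoke user.pem 2>/dev/null                   # CA revokes the serial...
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null   # ...and reissues the CRL
AFTER=$(crl_status user.pem crl.pem)                                     # revoked
echo "before revocation: $BEFORE, after: $AFTER"
```

A missing or unverifiable CRL is reported as unknown rather than as valid, which corresponds to the fetch failure the text warns about on a slow or congested network.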
Figure 9-8 Administration | Certificate Management | Certificates | CRL Screen
Certificate
The certificate for which you are configuring CRL checking. This is the name in the Subject field of the
Certificate Authorities table on the Administration | Certificate Management | Certificates screen.
Enable CRL Checking
Check the Enable CRL Checking checkbox to enable CRL checking on all certificates issued by this
CA under its root. The box is unchecked by default.
If this certificate does not include CRL Distribution Point information, you must configure the fields that
follow. Otherwise, ignore them. Contact the security administrator at the CA to get the proper entries for
these fields.