beautypg.com

Managing revocation of client certificates – Nortel Networks NN46120-104 User Manual

Page 116

background image

116

Certificates and Client Authentication

Managing Revocation of Client Certificates

Certificate revocation lists (CRLs) are maintained by certificate authorities
to recall client certificates that are no longer considered trustworthy. The
reasons for this can be that the client certificate may have been issued by
mistake, or that the subject accidentally has revealed the private key.

By keeping a certificate revocation list on your SSL server, client
certificates sent to the server are checked against the CRL. If a match is
found, the SSL session is terminated. This mode of operation requires,
first of all, that you have configured the virtual SSL server to always
require client certificates. (For more information, see

“Configure a Virtual

SSL Server to Require a Client Certificate” (page 108)

). You must also

regularly check with the certificate authorities you trust for their latest
CRLs.

Moreover, if you take on the role of a certificate authority by issuing your
own client certificates, you will also need to maintain your own certificate
revocation lists. This can be done by listing the serial numbers of the client
certificates you want to revoke in an ASCII file. You may also specify the
serial number of a particular client certificate directly in the command line
interface by using the add command in the Revocation menu.

Revoking Client Certificates Issued by an External CA

Step

Action

1

Specify the CA certificate, to which you want to add a CRL.

The certificate you specify must be a CA certificate from the
same certificate authority that published the CRL you are about
to add. To view basic information about available certificates,
use the

/info/certs

command.

>> Main# cfg/cert

Enter certificate number:

(1-) 1

(example)

>> Certificate 1# revoke

2

Download and add a CRL from a TFTP/FTP/SCP/SFTP
server.

Specify the host name or IP address of the TFTP/FTP/SCP/S
FTP server, and provide the file name of the CRL. The CRL is
retrieved and added to Certificate 1 (used as an example).

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.