Configuring a certificate revocation list (crl) – Panasonic NN46110-600 User Manual
86 Chapter 3 Using certificates
There are no user tunnel or VPN Router server authentication issues presented at
this point, because the certificates presented by the VPN Router and the user are
signed by the original CA, and both parties have that CA certificate stored locally
for authentication.
Authenticating the CRL presents a problem for the VPN Router at this point
because it is signed by the updated CA certificate, and the VPN Router does not
have that updated CA certificate locally to authenticate the CRL signature. The
solution is to import the updated CA certificate into the VPN Router.
Importing the updated CA certificate into the VPN Router must be done
immediately following the CA key update. All post-key-update CRL processing,
and therefore tunnel authentication, fails until this action is taken.
Configuring a certificate revocation list (CRL)
A CA can revoke user and server certificates whenever the associated key pair is
no longer valid, the key pair has been compromised, the user has left the
organization, or a server is retired. When a certificate is revoked, the CA updates
an associated revocation list with the revoked certificate’s serial number. This list
is referred to as a certificate revocation list (CRL). A CA can have one or more
associated CRLs.
Note: When you try to delete a certificate and that certificate is
referenced, you receive an error message. The certificate is not removed
until you remove all references to that certificate.
The CA publishes CRLs in an associated LDAP-accessible directory service. The
CA administrator sets the publication frequency. In an Entrust environment, a new
CRL is automatically published at a set time, at any time manually set by an
administrator, or whenever a certificate is revoked.
Note: When a certificate revocation list (CRL) directory is located on
the public side of the VPN Router, the VPN Router retrieves the CRLs
through the public interface. Reply packets are dropped if the size of the
CRL is large enough that the LDAP response includes 40 IP packets or
more. To correct this, enable the Stateful Firewall.
NN46110-600