Configuring crl servers – Panasonic NN46110-600 User Manual

Chapter 3 Using certificates 87

The VPN Router can optionally use CRLs to verify the revocation status of user certificates. If enabled on the VPN Router, CRLs are periodically retrieved from the CA's LDAP directory store and cached in the VPN Router's associated LDAP database. This allows for rapid verification of user certificates during IPsec tunnel establishment. You can configure the frequency with which the VPN Router checks for a new CRL.

Because a CRL is signed using the CA's private key, it is protected against tampering. The VPN Router verifies the CRL signature each time it is used. You must configure a CRL server for each trusted CA certificate that is imported into the VPN Router.

Note: The LDAP server that contains CRLs for the CA certificates on the VPN Router must be reachable from the public or private interface.
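As an added illustration, not part of the manual and not the VPN Router's own code, the following Go program (standard library only) performs the checks described above: the CRL signature is verified with the trusted CA certificate before the list is consulted, a cached CRL outside its validity window is refused rather than trusted, and only then is the user certificate's serial number looked up. The CA, user certificate and CRL are constructed inside the block as test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckRevocation: verify the CRL signature with the trusted CA, reject a CRL outside its validity window, then look up the serial.
func CheckRevocation(crlDER []byte, ca, user *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // tampered, or not issued by this CA: the list cannot be trusted
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL outside its validity window; retrieve a fresh one first")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(user.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// BuildFixture: a throwaway CA, a user cert it issued, and a CRL revoking it (constructed test data, not a real PKI).
func BuildFixture() ([]byte, *x509.Certificate, *x509.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey)
	user, _ := x509.ParseCertificate(userDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return crlDER, ca, user, err
}
```

The stale-window check is the part a cached copy makes easy to forget: an expired CRL in the cache says nothing about a certificate's current standing, which is why the router refreshes on a configured schedule.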

Configuring CRL servers

The following list provides explanations for CRL settings:

CRL Checking Enabled shows CRL usage enabled on the VPN Router on a per-CA basis. To enable CRLs for a CA, click Details on the System > Certificates window. You use the Certificate Revocation List Information section to configure the necessary information. Click Enabled to turn on CRL checking of certificates for the particular CA. You must set the Search Base, Host, Connection, and Update frequency values for proper access to the CRL LDAP directory store.

CRL Retrieval Enabled determines whether the VPN Router tries to retrieve a CRL from the configured directory. If the CRL retrieval is successful, the VPN Router verifies the revocation status of the presented certificates. The VPN Router sends out a trap to the SNMP management server on every instance of CRL retrieval (success or failure). If this option is not selected, the VPN Router does not attempt to retrieve a CRL and does not verify the revocation status of presented certificates. Deselecting this option turns off CRL checking. To enable CRL Retrieval, click Enable for CRL Retrieval on the Servers > SNMP Traps > Trap Groups Server > Configure window. If the VPN Router is rebooted or a CRL retrieval fails, the CRL retrieval option on the VPN Router becomes unchecked.

Nortel VPN Router Security — Servers, Authentication, and Certificates