
Amer Networks E5Web GUI User Manual

Page 225


which the certificate is valid. When this validity period expires, the certificate can no longer be
used and a new certificate must be issued.

Important: The system date and time must be correct

Make sure the cOS Core system date and time are set correctly when using certificates.
Problems with certificates, for example in VPN tunnel establishment, can be due to an
incorrect system date or time.

The cOS Core Certificate Cache

cOS Core maintains a Certificate Cache in local memory which provides processing speed
enhancement when certificates are being repeatedly accessed. This cache is only completely
cleared and initialized when cOS Core is restarted.

For this reason, it is important to restart cOS Core if any certificates are added, modified or
deleted. This can be done with the CLI command:

Device:/> shutdown

Certificate Revocation Lists (CRLs)

A Certificate Revocation List (CRL) contains a list of all certificates that have been canceled before
their expiration date. They are normally held on an external server which is accessed to
determine if the certificate is still valid. The ability to validate a user certificate in this way is a key
reason why certificate security simplifies the administration of large user communities.

CRLs are published on servers that all certificate users can access, using either the LDAP or HTTP
protocols. Revocation can happen for several reasons. One reason could be that the keys of the
certificate have been compromised in some way; another could be that the owner of the certificate
has lost the right to authenticate using that certificate, for example because they have left the
company. Whatever the reason, server CRLs can be updated to change the validity of one or
many certificates.

Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from
where the CRL can be downloaded. In some cases, certificates do not contain this field and the
location of the CRL has to be configured manually.

A CA usually updates its CRL at a given interval. The length of this interval depends on how the
CA is configured. Typically, it is somewhere between an hour and several days.

For cOS Core to check the CRL for a given certificate it may need access to an external CA server.
Allowing this access is discussed in detail in Section 9.7, “CA Server Access”.

Trusting Certificates

When using certificates, cOS Core trusts anyone whose certificate is signed by a given CA. Before
a certificate is accepted, the following steps are taken to verify the validity of the certificate:

Construct a certification path up to the trusted root CA.

Verify the signatures of all certificates in the certification path.

Fetch the CRL for each certificate to verify that none of the certificates have been revoked.
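The three steps above, together with the system-clock caveat and the CDP field described earlier, can be walked through against a throwaway PKI built with the openssl command line. The script below is an added example; it is not taken from this manual and has nothing to do with how cOS Core itself is implemented. Every name in it (Example Root CA, Example Intermediate CA, the user alice, the CRL location http://crl.example.test/inter.crl) is made up, and the CRLs are handed to the verifier as local files, which corresponds to the case where the CRL location is configured manually rather than fetched from the certificate's CDP.

```shell
#!/bin/sh
# Added example, not from this manual or from cOS Core: a throwaway two-tier PKI
# built with the openssl command line, used to run the steps listed above (path to
# a trusted root, signatures along the path, a CRL for every certificate in it) and
# to show how the validity check depends on the system clock. All names are made up.
set -e

# openssl ca(1) configuration: one section per CA tier, each with its own database,
# serial and CRL-number files, so that each tier can publish its own CRL.
write_ca_config() {
  cat > ca.cnf <<'EOF'
[ root_ca ]
database         = ./root/index.txt
new_certs_dir    = ./root/newcerts
serial           = ./root/serial
crlnumber        = ./root/crlnumber
certificate      = ./root.crt
private_key      = ./root.key
default_md       = sha256
default_days     = 3650
default_crl_days = 7
policy           = policy_cn
x509_extensions  = ca_ext
[ inter_ca ]
database         = ./inter/index.txt
new_certs_dir    = ./inter/newcerts
serial           = ./inter/serial
crlnumber        = ./inter/crlnumber
certificate      = ./inter.crt
private_key      = ./inter.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = policy_cn
x509_extensions  = user_ext
[ policy_cn ]
commonName = supplied
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ user_ext ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature
subjectKeyIdentifier = hash
# The CDP field described above: where a verifier can fetch the issuer's CRL (made-up URL).
crlDistributionPoints = URI:http://crl.example.test/inter.crl
EOF
}
# P-256 key and CSR: $1 = file prefix, $2 = common name.
new_csr() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
}
# Each tier signs a fresh CRL; both go into one file because the verifier below
# checks revocation for every certificate in the path, root included.
publish_crls() {
  openssl ca -batch -config ca.cnf -name root_ca  -gencrl -out root.crl
  openssl ca -batch -config ca.cnf -name inter_ca -gencrl -out inter.crl
  cat root.crl inter.crl > all.crl
}
# Build the PKI under directory $1: self-signed root, intermediate CA issued by the
# root, user certificate "alice" issued by the intermediate, and empty CRLs.
build_pki() {
  ( set -e; cd "$1"; write_ca_config
    for t in root inter; do
      mkdir -p "$t/newcerts"; : > "$t/index.txt"; echo 1000 > "$t/serial"; echo 01 > "$t/crlnumber"
    done
    new_csr root "Example Root CA"
    openssl ca -batch -selfsign -config ca.cnf -name root_ca -in root.csr -out root.crt -notext
    new_csr inter "Example Intermediate CA"
    openssl ca -batch -config ca.cnf -name root_ca -in inter.csr -out inter.crt -notext
    new_csr alice alice
    openssl ca -batch -config ca.cnf -name inter_ca -in alice.csr -out alice.crt -notext
    publish_crls ) >/dev/null 2>&1
}
# The intermediate CA revokes alice's certificate and republishes its CRL.
revoke_alice() {
  ( set -e; cd "$1"
    openssl ca -batch -config ca.cnf -name inter_ca -revoke alice.crt -crl_reason keyCompromise
    publish_crls ) >/dev/null 2>&1
}
# Verify alice.crt from PKI directory $1: build the path up to the trusted root (-CAfile)
# through the untrusted intermediate, checking every signature and validity period.
# Extra arguments (-attime, -crl_check_all, -CRLfile ...) go to openssl verify.
verify_alice() {
  d=$1; shift
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/inter.crt" "$@" "$d/alice.crt"
}
demo() {
  w=$(mktemp -d); build_pki "$w"
  echo "correct clock:";                 verify_alice "$w"
  echo "clock set to 2000-01-01:";       verify_alice "$w" -attime 946684800 || true
  echo "CRLs checked, nothing revoked:"; verify_alice "$w" -crl_check_all -CRLfile "$w/all.crl"
  revoke_alice "$w"
  echo "CRLs checked after revocation:"; verify_alice "$w" -crl_check_all -CRLfile "$w/all.crl" || true
  echo "revoked, but CRL step skipped:"; verify_alice "$w"
  rm -rf "$w"
}
demo
```

In `verify_alice`, `-CAfile` names the trusted root and `-untrusted` supplies the intermediate needed to construct the path (step one); openssl verify then checks the signature and validity period of every certificate in that path (step two); `-crl_check_all` with `-CRLfile` consults a CRL for every certificate, root included (step three). The `-attime` run stands in for a device whose clock is wrong: the same, perfectly valid certificate is rejected, which is the failure mode the note on system date and time warns about. The final run goes one step beyond the text: with the CRL step omitted, the certificate that the intermediate CA has already revoked is still accepted, which is why revocation checking is part of the procedure rather than an optional extra.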

Chapter 3: Fundamentals

