Avaya 3.7 User Manual

Configuring VPN objects
156 Avaya VPNmanager Configuration Guide Release 3.7
Enabling CRL checking
For certificate-based VPNs using IKE negotiation, a security gateway must verify the certificate of the other VSU. When Certificate Revocation List (CRL) checking is enabled, the VSU validates the certificate revocation list downloaded from the VPNmanager using the Certificate Authority (CA) certificate, and then checks the peer certificate against the validated CRL. If the CRL lists the certificate as revoked, the IKE negotiation is cancelled.
To manually install a CRL into Directory Server from the CA’s LDAP server:
1. From the CA's LDAP server, obtain the CRL that is associated with your installed issuer certificate.
2. Save the CRL as crl content.txt.
3. Open the crl content.txt file to extract the necessary CRL information.
4. To extract the necessary CRL information, open the crl content.txt file.
5. Locate the dn header with the organization unit (ou) that corresponds to the CRL. For example, dn: ou=vpnet VSU, o=Avaya Inc., c=US
6. Locate the paragraphs starting with cacertificate;binary and certificaterevocationlist;binary.
7. For example:
   cacertificate;binary
   ::MIICKzCCAZSgAwIBAgIQRTP4LaWmlSRKYLv86Cphk
   ...
   ygPDgMZlQq4oQoNyy26HRAV0yJ==
   certificaterevocationlist;binary
   ::MIIC2zCCAkQwDQYJKoZIhvcNAQEEBQAw
8. Copy the cacertificate;binary and certificaterevocationlist;binary paragraphs to a new file.
9. Save the new CRL as crl.ldif.
10. Add a certificate dn header to the crl.ldif file. Use the following dn header format:
dn: cacertificate=IssuerCRL, ou=VPN Domain, o=DNS Domain
objectclass: certificationAuthority
Note:
dn specifies where the CRL file is filed.
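The following Python script is an added example, not part of the Avaya guide: it automates steps 5 through 10 by parsing an LDAP export, unfolding LDIF continuation lines, decoding the "::" base64 attributes of the entry with the chosen ou, and writing them under the dn header prescribed above. The sample export and its binary values are constructed dummy data, and the function and parameter names are this example's own.

```python
import base64

# Constructed sample of a CA LDAP export (what the guide saves as crl content.txt);
# the binary values are dummy bytes, not real DER data, and the CA cert is folded.
CA_CERT, CRL = b"constructed-ca-certificate-bytes", b"constructed-crl-bytes"
_cert_b64 = base64.b64encode(CA_CERT).decode()
SAMPLE_EXPORT = (
    "dn: ou=unrelated, o=Avaya Inc., c=US\n"
    "objectclass: organizationalUnit\n\n"
    "dn: ou=vpnet VSU, o=Avaya Inc., c=US\n"
    "objectclass: organizationalUnit\n"
    f"cacertificate;binary:: {_cert_b64[:20]}\n {_cert_b64[20:]}\n"
    f"certificaterevocationlist;binary:: {base64.b64encode(CRL).decode()}\n"
)

def parse_ldif(text):
    """Return [(dn, {attr: [bytes]})]; unfolds leading-space continuation lines and decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF fold: append to previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        data = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip().encode()
        if name == "dn":
            current = (data.decode(), {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(data)
    return entries

def build_crl_ldif(export_text, ou, vpn_domain, dns_domain):
    """Pull the CA certificate and CRL for ou=<ou> and emit them under the guide's crl.ldif dn header."""
    wanted = [e for e in parse_ldif(export_text) if e[0].startswith(f"ou={ou},")]
    if len(wanted) != 1:
        raise ValueError(f"expected exactly one entry for ou={ou}, found {len(wanted)}")
    attrs = wanted[0][1]
    out = [f"dn: cacertificate=IssuerCRL, ou={vpn_domain}, o={dns_domain}",
           "objectclass: certificationAuthority"]
    for attr in ("cacertificate;binary", "certificaterevocationlist;binary"):
        out.append(f"{attr}:: {base64.b64encode(attrs[attr][0]).decode()}")  # KeyError if the export lacks it
    return "\n".join(out) + "\n"
```

Calling build_crl_ldif(SAMPLE_EXPORT, "vpnet VSU", "VPN Domain", "DNS Domain") returns the text to save as crl.ldif; a missing or ambiguous ou raises an error instead of silently producing an empty entry.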