Cisco Packet Data Interworking Function (PDIF)
IPSec Certificates
IPSec Reference, StarOS Release 17
CRL Fetching
Overview
CRLs (Certificate Revocation Lists) are issued periodically by the CA. A CRL contains the serial numbers of all
certificates that the CA has revoked. An operator can verify the status of a certificate against a CRL. A CRL can be
fetched via LDAPv3 from a CRL issuer trusted by the CA.
When configured, this function also re-fetches the CRL once the cached copy expires. If the CRL is obtained from a CRL
Distribution Point (CDP), StarOS defers the CRL fetch until the tunnel is established.
The CDP extension is read from the certificate for all supported protocols, including HTTP, FTP, LDAPv3 and CDP file.
StarOS initiates a CRL download in the following scenarios:
- User configuration via the CLI binds the CRL to a crypto map or template.
- During tunnel establishment:
  - The self-certificate CDP extension is used to download its latest CRL.
  - The CDP extension in the peer certificate is used to download its latest CRL.
- If the CRL (downloaded via CLI) expires during the refresh period (user configurable), a new fetch is triggered.
- If the CRL is obtained from the CDP extension, the fetch is deferred until tunnel establishment using the
  certificate.
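The checks a CRL-fetching implementation performs on a peer certificate, shown as an added example that is not
StarOS code and not part of this reference: it builds a throwaway CA, an end-entity certificate carrying a CDP
extension, and two CRLs (one fresh, one past its nextUpdate), then reads the CDP URI out of the certificate, verifies
the CRL signature against the CA, looks up the certificate serial in the CRL, and decides whether the cached CRL is
stale and must be re-fetched. It assumes the third-party Python `cryptography` package; the CA name, the LDAP CDP URI
and the certificate names are constructed for the example.

```python
# Added example, not StarOS code. Requires the third-party "cryptography" package (assumption).
import datetime as dt
from urllib.parse import urlparse

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Constructed CDP URI for the example; a real one is whatever the CA puts in the certificate.
CDP_URI = "ldap://crl.example.test/cn=CRL1,o=Example?certificateRevocationList"


def _now():
    return dt.datetime.now(dt.timezone.utc)


def make_ca():
    """Self-signed CA used only to sign the example certificates and CRLs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - dt.timedelta(days=1))
            .not_valid_after(_now() + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, common_name, cdp_uri):
    """End-entity certificate with a crlDistributionPoints extension pointing at cdp_uri."""
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([
        x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(cdp_uri)],
                               relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - dt.timedelta(days=1))
            .not_valid_after(_now() + dt.timedelta(days=30))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials, last_update, next_update):
    """CRL listing the given serial numbers; nextUpdate drives the re-fetch decision."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(last_update)
               .next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(last_update).build())
    return builder.sign(ca_key, hashes.SHA256())


def cdp_uris(cert):
    """URIs from the certificate's CDP extension: where the CRL would be fetched from."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def cdp_schemes(cert):
    """Transport scheme per CDP URI (http, ftp, ldap, file), so the fetcher can pick a client."""
    return sorted({urlparse(u).scheme for u in cdp_uris(cert)})


def _next_update(crl):
    # next_update_utc exists in newer cryptography releases; fall back to the naive-UTC property.
    nu = getattr(crl, "next_update_utc", None)
    return nu if nu is not None else crl.next_update.replace(tzinfo=dt.timezone.utc)


def crl_is_stale(crl, now=None):
    """A cached CRL at or past its nextUpdate must be re-fetched before it is relied on."""
    return _next_update(crl) <= (now or _now())


def is_revoked(cert, crl, ca_cert):
    """Reject a CRL whose issuer or signature does not match the CA, then look up the serial."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not issued and signed by the expected CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    """Run every check once and return the results so they can be inspected or asserted on."""
    ca_key, ca_cert = make_ca()
    good = issue_cert(ca_key, ca_cert, "pdif-peer-good", CDP_URI)
    bad = issue_cert(ca_key, ca_cert, "pdif-peer-revoked", CDP_URI)
    now = _now()
    fresh = build_crl(ca_key, ca_cert, [bad.serial_number],
                      now - dt.timedelta(hours=1), now + dt.timedelta(hours=24))
    expired = build_crl(ca_key, ca_cert, [bad.serial_number],
                        now - dt.timedelta(hours=2), now - dt.timedelta(hours=1))
    return {
        "uris": cdp_uris(good),
        "schemes": cdp_schemes(good),
        "good_revoked": is_revoked(good, fresh, ca_cert),
        "bad_revoked": is_revoked(bad, fresh, ca_cert),
        "fresh_stale": crl_is_stale(fresh),
        "expired_stale": crl_is_stale(expired),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stale check is the piece that matters operationally: a revoked peer stays accepted for as long as a stale CRL is
served from cache, so the refresh timer on a CLI-bound CRL should be shorter than the interval between the CRL's
thisUpdate and nextUpdate, and a CDP-sourced CRL should be checked for staleness again at every tunnel establishment.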