Nortel 4134 Guia Do Utilizador
Configuring OCSP
173
Requesting a CRL from the CA
Request the Certificate revocation list (CRL) from the CA.
If you have configured the LDAP client parameters (
crl query
<url-with-ldap://>
) the LDAP client is used to obtain the CRL. The
LDAP client supports periodic downloads of the CRL using the “next update”
time as specified by the CA in the CRL.
time as specified by the CA in the CRL.
If the LDAP client parameters are not configured, and the SCEP URL is
configured, the CRL is obtained using the SCEP client. However, the SCEP
client does not support the periodic download of CRLs.
configured, the CRL is obtained using the SCEP client. However, the SCEP
client does not support the periodic download of CRLs.
If the enrollment mode is set to terminal, the system prompts you to paste
the obtained CRL.
the obtained CRL.
Procedure steps
Step
Action
1
To enter the configuration mode, enter:
configure terminal
2
To specify crypto configuration for IPsec and IKE, enter:
crypto
3
To specify the CRL configuration, enter:
ca crl
4
To request the CRL from the CA, enter:
request <ca-server-name>
—End—
Configuring OCSP
Configure OCSP parameters. This specifies the URL of an OCSP server so
that certificate status can be verified in real time during the IKE negotiation.
To enable OCSP for a particular policy, you must use the
that certificate status can be verified in real time during the IKE negotiation.
To enable OCSP for a particular policy, you must use the
ike policy
ocsp
command.
Procedure steps
Step
Action
1
To enter the configuration mode, enter:
configure terminal
2
To specify crypto configuration for IPsec and IKE, enter:
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.