Understanding Certificate Revocation Lists
In the normal course of business, certificates are revoked for various reasons. You might wish to revoke a certificate if you suspect that it has been compromised, for example, or when a certificate holder leaves the company.
You can manage certificate revocations and validations in two ways:
- Locally: this is a limited solution.
- By referencing a Certificate Authority (CA) certificate revocation list (CRL). You can automatically access the CRL online at intervals you specify or at the default interval set by the CA.
In Phase 1 negotiations, participants check the CRL to see whether the certificates received during an IKE exchange are still valid. If a CRL did not accompany the CA certificate and none is loaded on the device, the device tries to download one automatically from the CRL distribution point of the local certificate. If the device cannot connect to the URL in the CRL distribution point (CDP), it tries to retrieve the CRL from the URL configured in the CA profile.
If the certificate does not contain a CRL distribution point extension, and the CRL cannot be retrieved automatically through Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP), you can retrieve the CRL manually and load it onto the device.
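The lookup order just described (loaded CRL, then the certificate's CDP URLs, then the CA profile URL, else manual load) and the resulting accept/reject decision, as an added example that is not Junos code and not part of the original page. The `Crl` class, the fetcher callback and the sample issuer, serials and URLs are constructed for illustration; a real device parses X.509 CRLs and performs the actual LDAP/HTTP retrieval.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Set

@dataclass
class Crl:
    """Constructed, simplified CRL: issuer, validity window and revoked serials."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)

Fetcher = Callable[[str], Optional[Crl]]  # returns None when the URL is unreachable

def obtain_crl(cdp_urls, ca_profile_url, loaded_crl, fetch: Fetcher, now: datetime):
    """Lookup order from the text: a still-valid CRL already loaded on the device,
    then the CDP URL(s) carried in the certificate, then the URL in the CA profile.
    Returns (crl, source); source is 'manual' when every automatic path failed."""
    if loaded_crl is not None and loaded_crl.next_update > now:
        return loaded_crl, "loaded"
    for url in cdp_urls:
        crl = fetch(url)
        if crl is not None:
            return crl, "cdp"
    if ca_profile_url:
        crl = fetch(ca_profile_url)
        if crl is not None:
            return crl, "ca-profile"
    return None, "manual"

def check_peer_cert(serial: int, issuer: str, cdp_urls, ca_profile_url,
                    loaded_crl, fetch: Fetcher, now: datetime) -> str:
    """Phase 1 style decision: an unavailable, stale or wrong-issuer CRL is a
    failure, never a silent accept (no CRL means an operator must load one)."""
    crl, source = obtain_crl(cdp_urls, ca_profile_url, loaded_crl, fetch, now)
    if crl is None:
        return "reject: no CRL available, load one manually"
    if crl.issuer != issuer or crl.next_update <= now:
        return "reject: CRL stale or issued by a different CA"
    if serial in crl.revoked_serials:
        return "reject: certificate revoked"
    return f"accept (CRL from {source})"

# Constructed sample data: a CA whose CRL is reachable over HTTP but not LDAP.
ISSUER = "CN=Example Corp CA"
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
CA_CRL = Crl(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6), {0x1A2B})

def fetch_sample(url: str) -> Optional[Crl]:
    return CA_CRL if url.startswith("http://") else None  # LDAP 'unreachable' here
```

Note that an expired loaded CRL is ignored rather than trusted, which is why the automatic refresh interval matters: a stale CRL can no longer tell you that a certificate was revoked yesterday.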
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding Certificates
- Example: Checking Certificate Validity Using CRLs (CLI)
- Deleting a Loaded CRL (CLI Procedure)
- Understanding Public Key Infrastructure
- Example: Manually Loading a CRL onto the Device (CLI)