Auto CRL update

The SR OS provides an automatic mechanism to update a CRL file. The system tries to download the CRL from a list of configured HTTP URLs and replaces the existing CRL file when a qualified CRL is successfully downloaded. A qualified CRL is a valid CRL signed by the CA that is more recent than the existing CRL. To determine whether a downloaded CRL is more recent than the existing CRL, the system first compares the This-Update field of the two CRLs. If they are the same, the system compares the CRL number extension, if present.

The configured HTTP URL must point to a DER-encoded CRL file.

This feature supports two types of downloading schedules:

  • periodic

    The system downloads a CRL periodically at the interval configured via the periodic-update-interval command. For example, if the periodic-update-interval is 1 day, the system downloads the CRL every day. The minimum periodic-update-interval is 1 hour.

  • next-update-based

    The system downloads a CRL at the time given by the Next-Update time of the current CRL minus the pre-update-time. For example, if the Next-Update of the current CRL is 2015-06-30 06:00 and the pre-update-time is 1 hour, the system starts the download at 2015-06-30 05:00.

The system allows up to eight URLs to be configured for a ca-profile. When downloading begins, the URLs are tried in order, and the first successfully downloaded qualified CRL is used to update the existing CRL. If the download fails or the downloaded CRL is not qualified, the system moves to the next URL in the list. If all URLs in the list fail to return a qualified CRL, then:

  • In the case of a next-update-based schedule, the system waits for the configured retry-interval before retrying from the first URL in the list again.

  • In the case of a periodic schedule, the system waits until the next scheduled time.
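The qualification rule (signed by the CA, valid, and more recent by This-Update then CRL number), the in-order walk over the configured URLs, and the two schedule types above are modelled in the following Python, which is an added example for this page and not SR OS code. It assumes the CRL has already been parsed and its signature verified, so a `signed_by` issuer name stands in for the signature check, "valid" is modelled as This-Update <= now < Next-Update, and the periodic timer is measured from the current attempt; the URLs, CA name, dates and CRL numbers are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional, Sequence

MAX_URLS = 8  # up to eight URLs per ca-profile


@dataclass(frozen=True)
class Crl:
    """Simplified view of the CRL fields the comparison needs (constructed for
    this example). A real implementation parses the DER file and verifies the
    signature against the CA certificate; 'signed_by' models that result."""
    signed_by: str
    this_update: datetime
    next_update: datetime
    crl_number: Optional[int] = None  # CRL number extension, None if absent


def is_more_recent(candidate: Crl, existing: Optional[Crl]) -> bool:
    """Compare This-Update first; on a tie, compare the CRL number if present."""
    if existing is None:
        return True
    if candidate.this_update != existing.this_update:
        return candidate.this_update > existing.this_update
    if candidate.crl_number is None or existing.crl_number is None:
        return False  # same This-Update and no number to break the tie
    return candidate.crl_number > existing.crl_number


def is_qualified(candidate: Crl, existing: Optional[Crl], ca_name: str, now: datetime) -> bool:
    """Qualified = signed by the CA, currently valid, and more recent than the existing CRL.
    'Currently valid' is modelled as This-Update <= now < Next-Update (assumption)."""
    if candidate.signed_by != ca_name:
        return False
    if not (candidate.this_update <= now < candidate.next_update):
        return False
    return is_more_recent(candidate, existing)


def select_crl(urls: Sequence[str], fetch: Callable[[str], Optional[Crl]],
               existing: Optional[Crl], ca_name: str, now: datetime
               ) -> tuple[Optional[str], Optional[Crl]]:
    """Try URLs in order; the first qualified download replaces the existing CRL."""
    for url in list(urls)[:MAX_URLS]:
        crl = fetch(url)  # None models a failed download
        if crl is not None and is_qualified(crl, existing, ca_name, now):
            return url, crl
    return None, None  # every URL failed or returned a non-qualified CRL


def next_download_time(schedule: str, now: datetime, current: Optional[Crl], *,
                       periodic_update_interval: timedelta = timedelta(days=1),
                       pre_update_time: timedelta = timedelta(hours=1),
                       retry_interval: timedelta = timedelta(hours=1),
                       all_urls_failed: bool = False) -> datetime:
    """When the next download attempt is due under each schedule type."""
    if schedule not in ("periodic", "next-update-based"):
        raise ValueError(f"unknown schedule {schedule!r}")
    if all_urls_failed:
        # periodic: wait for the next slot; next-update-based: wait retry-interval
        return now + (periodic_update_interval if schedule == "periodic" else retry_interval)
    if current is None or current.next_update <= now:
        return now  # missing or expired CRL: download right away
    if schedule == "periodic":
        return now + periodic_update_interval
    return current.next_update - pre_update_time


def demo() -> dict:
    """Constructed scenario: one existing CRL and four mirrors in configured order."""
    ca = "CN=Example Root CA"  # constructed CA name
    now = datetime(2015, 6, 29, 12, 0)
    existing = Crl(ca, datetime(2015, 6, 29, 6, 0), datetime(2015, 6, 30, 6, 0), crl_number=41)
    mirrors = {  # constructed URLs; value None models a failed download
        "http://crl1.example.invalid/ca.crl": None,
        "http://crl2.example.invalid/ca.crl": Crl(ca, existing.this_update, existing.next_update, 41),
        "http://crl3.example.invalid/ca.crl": Crl("CN=Other CA", datetime(2015, 6, 29, 8, 0),
                                                  datetime(2015, 6, 30, 8, 0), 42),
        "http://crl4.example.invalid/ca.crl": Crl(ca, existing.this_update, existing.next_update, 42),
    }
    url, chosen = select_crl(list(mirrors), mirrors.get, existing, ca, now)
    return {
        "chosen_url": url,                      # crl4: same This-Update, higher CRL number
        "chosen_number": chosen.crl_number if chosen else None,
        "next_update_based": next_download_time("next-update-based", now, existing),
        "periodic": next_download_time("periodic", now, existing),
        "retry": next_download_time("next-update-based", now, existing, all_urls_failed=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the scenario, the first mirror fails, the second returns the same CRL already installed (same This-Update and number, so not more recent), the third is signed by a different CA, and the fourth wins with a higher CRL number. With the existing CRL's Next-Update at 2015-06-30 06:00 and the default pre-update-time of 1 hour, the next-update-based download is scheduled for 05:00, as in the text's example.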

Upon executing a no shutdown of a ca-profile, if auto-crl-update is enabled and the configured CRL file does not exist, is expired, or is invalid, the system starts downloading right away.

The system also provides an admin command (admin certificate crl-update ca <ca-profile-name>) for users to manually trigger a download. However, it requires auto-crl-update to be disabled first (no auto-crl-update).

HTTP transport can be over either IPv4 or IPv6.

This feature supports the Base, Management, and VPRN routing instances. VPLS management is not supported. In the case of VPRN, the HTTP server port can only be 80 or 8080.