Certificate revocation check

A revocation check determines whether a certificate has been revoked by its issuing CA.

The SR OS supports two methods for certificate revocation check:

  • CRL

  • OCSP

CRL can be used for both end entity (EE) and CA certificate checks, while OCSP can be used only for an EE certificate.

The use of a revocation check for an EE certificate is application-specific. With an IPsec application, users can configure multiple check methods with a priority order for an EE certificate. With the status-verify command in the ipsec-gw/ipsec-tunnel configuration context, a primary method, a secondary method and a default result can be configured. The primary and secondary methods can each be either OCSP or CRL. The default result is either good or revoked. If the system cannot get an answer from the primary method, it falls back to the secondary method. If the secondary method also does not return an answer, the system uses the default result.

By default, the system uses CRL to check the revocation status of a certificate, whether it is an end entity certificate or a CA certificate. This makes CRL a mandatory configuration in the ca-profile.

The revocation-check command in the ca-profile can change this behavior. With revocation-check crl-optional configured, the system behaves as follows:

When a user enables the ca-profile (no shutdown), the system tries to load the configured CRL (specified by the crl-file command). If the system fails to load it for any of the following reasons, the system still keeps the ca-profile oper-up but treats the CRL as non-existent.

  • The CRL file does not exist.

  • The CRL is not properly encoded, possibly because of an interrupted file transfer.

  • The CRL is not signed by the CA certificate configured in the CA profile.

  • The CRL version is wrong.

  • The CRL has expired or is not yet valid.

If the IPsec application needs to use the CRL of a specific ca-profile to check the revocation status of an end entity certificate and the CRL is non-existent because of the above reasons, then the system treats this as being unable to get an answer from CRL and falls back to the secondary status-verify method or the default-result configured under the ipsec-gw/ipsec-tunnel.

If the system needs to check the revocation status of a CA certificate in a certificate chain and the CRL is non-existent because of the above reasons, then the system skips checking the revocation status of the CA certificate. For example, if CA1 is issued by CA2, CA2’s revocation-check is crl-optional, and CA2’s CRL is non-existent, then the system does not check the revocation status of the CA1 certificate and considers it good.

The user must disable the ca-profile to change the revocation-check configuration.
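
The fallback behavior described above (status-verify primary, secondary and default result for an EE certificate, and the crl-optional skip for a CA certificate) can be modelled as follows. This is an added Python illustration, not SR OS code; the function names, the sample CRL and the serial numbers are constructed, and treating the secondary method as optional is an assumption.

```python
# Illustrative model of the decision flow on this page; not SR OS code.
GOOD, REVOKED = "good", "revoked"

def crl_answer(crl, serial):
    """crl is a set of revoked serials, or None when the CRL is treated as
    non-existent (missing, badly encoded, wrong signer or version, or
    outside its validity period)."""
    if crl is None:
        return None                      # no answer from this method
    return REVOKED if serial in crl else GOOD

def ee_status(primary, secondary, default_result, answers):
    """EE certificate: primary method, then secondary, then default result.
    answers maps 'crl'/'ocsp' to GOOD, REVOKED or None (no answer).
    secondary may be None (assumption: it is optional).
    Returns (status, source) so the deciding step stays visible."""
    for method in (primary, secondary):
        if method is not None and answers.get(method) is not None:
            return answers[method], method
    return default_result, "default-result"

def ca_status(issuer_crl, crl_optional, serial):
    """CA certificate: checked against the issuer's CRL only."""
    answer = crl_answer(issuer_crl, serial)
    if answer is not None:
        return answer, "crl"
    if crl_optional:
        return GOOD, "skipped"           # check skipped, considered good
    # Without crl-optional the CRL is mandatory; that case is not modelled.
    raise ValueError("CRL required: revocation-check is not crl-optional")

def fail_open(result):
    """True when a certificate is accepted without any revocation answer."""
    status, source = result
    return status == GOOD and source in ("default-result", "skipped")

# Constructed sample: serial 0x1001 is revoked; OCSP returns no answer.
SAMPLE_CRL = {0x1001}

if __name__ == "__main__":
    no_answer = {"crl": crl_answer(None, 0x1001), "ocsp": None}
    for default in (GOOD, REVOKED):
        result = ee_status("crl", "ocsp", default, no_answer)
        print(default, result, "fail-open" if fail_open(result) else "")
    print(ca_status(None, True, 0x2002))
```

Returning the source alongside the status makes it easy to list which configurations accept a certificate on the default result or a skipped check rather than on an actual CRL or OCSP answer.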

For details about OCSP, see OCSP.