The Clavister NetShield Firewall allows the administrator to define one or more CRL Distribution Point List (CDPL) objects. Each list is composed of one or more entries, each entry specifying the URL of a server that can provide a Certificate Revocation List (CRL) to cOS Stream for validating the certificate.
To use CDPLs in cOS Stream, the following steps are used:

1. If it has not already been uploaded, load the certificate into cOS Stream and create a Certificate object that is associated with the upload.
2. Define a CRLDistPointList object which will be a list of the distribution points.
3. Add one or more CRLDistPoint objects to the list. Each defines a single distribution point.
4. Associate the CRLDistPointList with the Certificate object.
Once the association is made between a certificate and a CDPL, all CRL lookups for that certificate are done using the entries in the associated CDPL. The first entry in the list is tried first; if that fails, the second is tried, and so on. Whether or not the certificate carries its own embedded CDP does not matter: the CDPL associated with it in cOS Stream is always the one used.
In the case of a certificate chain, only the certificate at the top of the chain needs to be associated with the CDPL defined in cOS Stream. This CDPL will then take precedence over any CDPL embedded in the top level certificate or any certificate at a lower level of the chain.
By forcing certificates to use the administrator-defined CDPL instead of any CDP embedded in the certificate, the administrator can ensure that CRL lookups are directed to a functioning and reachable CA server.
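The precedence and fallback rules described above, as an added Python model that is not Clavister code: the Cert type, the sample URLs and the injected fetch callback are constructed assumptions; only the ordering rules (top-level CDPL overrides the whole chain, entries tried in list order) come from this section.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Cert:
    """Constructed stand-in for a cOS Stream Certificate object (not the product's type)."""
    name: str
    embedded_cdps: list[str] = field(default_factory=list)  # CDP URLs carried in the certificate
    cdpl: Optional[list[str]] = None  # administrator-defined CRLDistPointList, if associated

def resolve_crl_sources(chain: list[Cert]) -> dict[str, list[str]]:
    """Ordered CRL URLs per certificate; chain[0] is the top-level certificate."""
    top = chain[0]
    sources = {}
    for cert in chain:
        if top.cdpl is not None:
            sources[cert.name] = list(top.cdpl)       # CDPL on the top cert overrides the whole chain
        elif cert.cdpl is not None:
            sources[cert.name] = list(cert.cdpl)      # a CDPL on the cert itself overrides its embedded CDPs
        else:
            sources[cert.name] = list(cert.embedded_cdps)  # no CDPL anywhere: fall back to embedded CDPs
    return sources

def fetch_crl(urls: list[str], fetch: Callable[[str], bytes]) -> tuple[Optional[str], list[str]]:
    """Try the distribution points in list order; return the first URL that answered
    (None if all failed) plus the URLs attempted. `fetch` is an injected callback
    (assumed interface) so the ordering logic runs offline instead of doing real HTTP."""
    attempted = []
    for url in urls:
        attempted.append(url)
        try:
            fetch(url)
        except OSError:
            continue  # unreachable distribution point: try the next entry
        return url, attempted
    return None, attempted

# Constructed sample chain: the CA's embedded CDP is stale, so the administrator has
# associated a CDPL with it, here extending the single entry of Example 16.2 with a backup server.
CA = Cert("my_cert", embedded_cdps=["http://old-cdp.example.net/ca.crl"],
          cdpl=["http://crls.example.com", "http://crls-backup.example.com"])
LEAF = Cert("peer_cert", embedded_cdps=["http://cdp.example.org/peer.crl"])
CHAIN = [CA, LEAF]

def demo_fetch(url: str) -> bytes:
    """Constructed stand-in for HTTP retrieval: only the backup server is reachable."""
    if url != "http://crls-backup.example.com":
        raise OSError("connection refused")
    return b"<DER-encoded CRL bytes>"
```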
Example 16.2. Using a CRL Distribution Point List
This example creates a CRLDistPointList object called my_cdpl with a single CRLDistPoint which has the URL http://crls.example.com. The CRLDistPointList is then associated with the Certificate object called my_cert.
It is assumed that the my_cert object already exists in the system configuration and is located in the CertificateStore called ipsec.
The CRL checks property for the certificate will be left at its default value of Enforced, which means that a CRL check against the list retrieved from the http://crls.example.com server will always be performed.
Command-Line Interface
A. Configure the distribution point list:
First, add the distribution point list:
System:/> add CRLDistPointList my_cdpl
Next, change the CLI context to be the list:
System:/> cc CRLDistPointList my_cdpl
Then add the distribution point to the list:
System:/CRLDistPointList/my_cdpl> add CRLDistPoint URL=http://crls.example.com
Finally, change the CLI context back to the default:
System:/CRLDistPointList/my_cdpl> cc
System:/>
B. Associate the distribution point list with the certificate:
System:/> cc CertificateStore ipsec
System:/CertificateStore/ipsec> set Certificate my_cert CRLDistPointList=my_cdpl