Certificate Revocation Sources
The Expressway can obtain certificate revocation information from multiple sources:
- Automatic downloads of CRL data from CRL distribution points.
- Through OCSP (Online Certificate Status Protocol) responder URIs in the certificate to be checked (SIP TLS only).
- Manual upload of CRL data.
- CRL data embedded within the Expressway's Trusted CA certificate file.
Limitations and Usage Guidelines
The following limitations and usage guidelines apply:
- When establishing SIP TLS connections, the CRL data sources are subject to the Certificate revocation checking settings on the SIP configuration page.
- Automatically downloaded CRL files override any manually loaded CRL files (except when verifying SIP TLS connections, where both manually uploaded and automatically downloaded CRL data may be used).
- When validating certificates presented by external policy servers, the Expressway uses manually loaded CRLs only.
- When validating TLS connections with an LDAP server for remote login account authentication, the Expressway only uses CRL data that has been embedded into the Trusted CA certificate ( ).
  For LDAP connections, the Expressway does not download the CRL from CRL Distribution Point URLs in the server or issuing CA certificates. It also does not use the manual or automatic update settings on the CRL management page.
Automatic CRL Updates
To configure the Expressway for automatic CRL updates:
Procedure
Step 1: Go to .
Step 2: Set Automatic CRL updates to Enabled.
Step 3: Enter the set of HTTP(S) distribution points from which the Expressway can obtain CRL files.
Step 4: Enter the Daily update time (in UTC). This is the approximate time of day when the Expressway will attempt to update its CRLs from the distribution points.
Step 5: Click Save.
Manual CRL Updates
To upload a CRL file:
Note: Ensure that the CRL file size is less than 16 MB.
Procedure
Step 1: Go to .
Step 2: Click Browse and select the required file from your file system. It must be in PEM encoded format.
Step 3: Click Upload CRL file. This uploads the selected file and replaces any previously uploaded CRL file.
If a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.
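The upload limits (under 16 MB, PEM encoded) and the expired-CRL rule above can be expressed as a fail-closed check. The following is an added example, not Cisco's or the Expressway's own code: it constructs a throwaway CA and CRL locally with the `cryptography` package (the CA name, serials and dates are made up) and returns "revoked" for every serial once the CRL's nextUpdate has passed.

```python
"""Added example, not Cisco's code: a fail-closed CRL lookup following the rules
above. It enforces the 16 MB / PEM upload limits and treats an expired CRL (past
nextUpdate) as revoking every certificate the CA issued. Requires 'cryptography'."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_CRL_BYTES = 16 * 1024 * 1024  # upload limit stated in the guide
UTC = datetime.timezone.utc


def make_test_crl(revoked_serial: int, last: datetime.datetime, nxt: datetime.datetime) -> bytes:
    """Construct a throwaway CA key and a PEM CRL that revokes one serial (test data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA (constructed)")])
    entry = (x509.RevokedCertificateBuilder().serial_number(revoked_serial)
             .revocation_date(last).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
           .last_update(last).next_update(nxt).add_revoked_certificate(entry)
           .sign(key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.PEM)


def crl_status(crl_pem: bytes, serial: int, now: datetime.datetime) -> str:
    """Return 'good' or 'revoked' for `serial`; ValueError on oversize or non-PEM input."""
    if len(crl_pem) >= MAX_CRL_BYTES:
        raise ValueError("CRL file must be smaller than 16 MB")
    if not crl_pem.lstrip().startswith(b"-----BEGIN X509 CRL-----"):
        raise ValueError("CRL must be PEM encoded")
    crl = x509.load_pem_x509_crl(crl_pem)
    # next_update_utc exists in newer 'cryptography' releases; older ones expose a naive datetime
    expiry = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
    if expiry < now:
        return "revoked"  # expired CRL: every certificate from this CA is treated as revoked
    return "revoked" if crl.get_revoked_certificate_by_serial_number(serial) else "good"


def demo() -> dict:
    """Run the check over constructed data (serials 0x1234 / 0x9999 are made up)."""
    last = datetime.datetime(2024, 1, 1, tzinfo=UTC)
    pem = make_test_crl(0x1234, last, last + datetime.timedelta(days=7))
    day1 = last + datetime.timedelta(days=1)
    result = {"listed": crl_status(pem, 0x1234, day1),
              "unlisted": crl_status(pem, 0x9999, day1),
              "after_expiry": crl_status(pem, 0x9999, last + datetime.timedelta(days=30))}
    try:
        crl_status(b"not a PEM CRL", 1, day1)
        result["non_pem_rejected"] = False
    except ValueError:
        result["non_pem_rejected"] = True
    return result
```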
Online Certificate Status Protocol (OCSP)
The Expressway can establish a connection with an OCSP responder to query the status of a particular certificate. The Expressway determines the OCSP responder to use from the responder URI listed in the certificate being verified. The OCSP responder sends a status of "good", "revoked" or "unknown" for the certificate.
The benefit of OCSP is that there is no need to download an entire revocation list. OCSP is supported for SIP TLS connections only.
Outbound communication from the Expressway-E is required for the connection to the OCSP responder. Check the port number of the OCSP responder you are using (port 80 or 443) and ensure that outbound communication is allowed to that port from the Expressway-E.