Updated on 2022-04-02 GMT+08:00

Configuring a CRL Server

Context

The Certificate Authority Service publishes certificate revocation lists (CRLs) to a configured CRL server over LDAP or FTP, and supports both manual and automatic CRL publishing.

Procedure

  1. Choose System > About > Certificate Authority Service from the main menu.
  2. Choose PKI Management > CRL from the navigation tree on the left.
  3. On the CRL Server tab page, click New and set parameters.

    For detailed parameter descriptions, see Table 1.

    Table 1 CRL server parameters

    Parameter: Label
    Description: Name of a CRL server.
    Value: The name is a string of 1 to 45 characters containing letters, digits, underscores (_), and hyphens (-). The name cannot be null or "all" (case insensitive).

    Parameter: IP address
    Description: IP address of the server.
    Value: N/A

    Parameter: Protocol
    Description: Type of the CRL server, which can be LDAP or FTP. A maximum of five servers can be added regardless of the server type.
      NOTICE: LDAP is recommended because it is more secure than FTP.
    Value: N/A

    Parameter: Use TLS
    Description: Whether to publish the CRL to the LDAP server or FTP server using TLS.
      NOTE:
      • If you select Yes, you can import the CRL corresponding to the trusted certificate chain on the CRL Server tab page to check whether the peer server certificate has been revoked.
      • If you select No, you cannot import the CRL on the CRL Server tab page.
      NOTICE: If you do not use the TLS protocol, a security risk may exist.
    Value: The default value is Yes.

    Parameter: Port
    Description: Port number of the server.
    Value:
      • The port number is an integer ranging from 1 to 65535.
      • If LDAP is selected and TLS is not used, the default port number is 389.
      • If LDAP is selected and TLS is used, the default port number is 636.
      • If FTP is selected, the default port number is 21.
      NOTICE: LDAP is recommended because it is more secure than FTP.

    Parameter: Login name
    Description: User name for logging in to the server.
    Value: The login name is a string of 1 to 128 characters and cannot contain the following special characters: (/\: *?" <>|).

    Parameter: Login password
    Description: Password for logging in to the server.
    Value: It is recommended that the password contain 6 to 64 characters, including at least three of the following types: digits, uppercase letters, lowercase letters, and special characters. The password cannot be the same as the login name or the reverse of the login name.

    Parameter: Publication directory
    Description: Directory on the server to which the CRL is published. You can use the File path or Distinguished name that the system generates to interconnect with the CRL server of the Certificate Authority Service.
      • The publication directory of an FTP server is user-defined, for example, a/b. After a CRL server is created, the system generates a file path in the format FTP root directory/Publication directory/CA name associated with the server/CRL file name, where the CRL file name is the CA name with the file name extension .crl. For example, the file path can be /home/ftpuser/a/b/caname/caname.crl.
      • The publication directory of an LDAP server is an LDAP path name, for example, CN=common name, O=organization, OU=organization unit. After a CRL server is created, the system generates a distinguished name in the format CN=CA name associated with the server, Publication directory. For example, the distinguished name can be CN=caname, CN=common name, O=organization, OU=organization unit.
    Value: N/A

    Parameter: Trust certificate chain
    Description: Local certificate chain file.
      NOTICE: If the RSA key length is 1024 or the uploaded trust certificate uses the SHA1withRSA algorithm, security risks exist.
    Value:
      • The certificate file must be in .pem, .cer, or .crt format.
      • The certificate to be uploaded must be a complete certificate chain. A maximum of 10 files can be uploaded, and the size of a single file cannot exceed 100 KB.
      • The certificate file name is a string of 1 to 256 characters containing Chinese characters, digits, letters, underscores (_), hyphens (-), spaces, dots (.), and round brackets. It cannot start with a dot (.) or a space.

  4. Click Submit.
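The following is an added example, not the product's own code: it applies the Table 1 rules (label, protocol, TLS, port defaults, login name, password) to a CRL server configuration before it is submitted, and derives the file path or distinguished name the page says the system generates. The config dictionary keys, the function names, and the /home/ftpuser root (taken from the page's example path) are assumptions.

```python
import re

# Added example, not product code: checks a CRL server config dict against
# the Table 1 rules. Keys, names and the FTP root default are assumptions.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,45}$")
CLASSES = (str.isdigit, str.isupper, str.islower, lambda c: not c.isalnum())

def default_port(protocol, use_tls):
    return (636 if use_tls else 389) if protocol == "LDAP" else 21  # Table 1 defaults

def password_warnings(password, login):
    """6 to 64 chars, three of four character types, not login name or reverse."""
    warn = []
    if not 6 <= len(password) <= 64:
        warn.append("password should contain 6 to 64 characters")
    if sum(any(f(c) for c in password) for f in CLASSES) < 3:
        warn.append("password should mix at least three character types")
    if password in (login, login[::-1]):
        warn.append("password must not equal the login name or its reverse")
    return warn

def validate_crl_server(cfg):
    """Return (errors, warnings); warnings mirror the page's NOTICE items."""
    errors, warnings = [], []
    label = cfg.get("label", "")
    if not LABEL_RE.match(label) or label.lower() == "all":
        errors.append("label must be 1-45 letters/digits/_/- and not 'all'")
    proto = cfg.get("protocol")
    if proto not in ("LDAP", "FTP"):
        errors.append("protocol must be LDAP or FTP")
    else:
        use_tls = cfg.get("use_tls", True)  # the page's default is Yes
        port = cfg.get("port", default_port(proto, use_tls))
        if not (isinstance(port, int) and 1 <= port <= 65535):
            errors.append("port must be an integer from 1 to 65535")
        if proto == "FTP":
            warnings.append("LDAP is recommended because it is more secure than FTP")
        if not use_tls:
            warnings.append("publishing without TLS is a security risk")
    login = cfg.get("login", "")
    if not 1 <= len(login) <= 128 or set('/\\:*?"<>|') & set(login):
        errors.append("login name must be 1-128 characters without /\\:*?\"<>|")
    warnings += password_warnings(cfg.get("password", ""), login)
    return errors, warnings

def publication_target(cfg, ca_name, ftp_root="/home/ftpuser"):
    """FTP file path or LDAP distinguished name, in the format Table 1 describes."""
    if cfg["protocol"] == "FTP":
        return f"{ftp_root}/{cfg['directory']}/{ca_name}/{ca_name}.crl"
    return f"CN={ca_name}, {cfg['directory']}"
```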

Related Tasks

  • Viewing a CRL server

    On the CRL Server tab page under PKI Management > CRL, click the name of a CRL server to view detailed information about this CRL server.

  • Modifying a CRL server

    On the CRL Server tab page under PKI Management > CRL, click Modify in the Operation column of a CRL server to modify the configuration of this CRL server.

  • Deleting a CRL server

    On the CRL Server tab page under PKI Management > CRL, click Delete in the Operation column of a CRL server to delete this CRL server.

  • Importing a CRL

    On the CRL Server tab page under PKI Management > CRL, click Import CRL in the Operation column of a CRL server to upload the CRL of the trusted certificate chain for checking whether the peer server certificate is revoked.

    The CRL file to be uploaded must be in .crl or .pem format and the file size cannot exceed 2 MB.

  • Updating a CRL

    On the CRL tab page under PKI Management > CRL, click Update in the Operation column of a CRL to manually update the CRL.

  • Manually publishing a CRL

    On the CRL tab page under PKI Management > CRL, click Publish in the Operation column of a CRL to manually publish the CRL.

  • Automatically publishing a CRL

    When configuring a CA on the PKI Management > CA page, you can set an interval for automatically publishing CRLs. Then the system automatically publishes CRLs at the specified interval.

  • Searching for a CRL

    On the CRL tab page under PKI Management > CRL, enter a CA name, click the search icon, and view the CRL information of the CA that is found. The Certificate Authority Service supports fuzzy search by CA name.

  • Downloading a CRL

    On the CRL tab page under PKI Management > CRL, click Download in the Operation column of a CRL to download the CRL in DER or PEM format to the local computer.