CRL Distribution Point Location

© 2003, Cisco Systems, Inc. All rights reserved.

A number of CRL-DPs are accessible from the Web. Because the Web is a large place, the Concentrator needs to be told where to look before it can check whether a particular certificate is valid or revoked. The X.509 certificate carries this information in its CRL Distribution Points extension: the CRL-DP is stored in the X.509 extension fields. If you double-click the CRL Distribution Points entry in the certificate, the URL of the CRL-DP is displayed.

[Figure: CRL Distribution Point location. A Home PC reaches, across the Internet, the Entrust LDAP server at Cisco.com Headquarters. The certificate labels shown in the figure are Entrust Root, Hdqtrs3 (Headquarters Entrust) and Boston3 Entrust K2345678.]

Load and validate identity certificate

• Exchange the identity certificates during IKE negotiations.

• Verify the identity certificate signature via the stored root certificate.

• Verify that the certificate validity period has not expired.

• Verify that the identity certificate has not been revoked.


During certificate exchange, identity certificates must be validated. Identity certificates are exchanged during IKE Phase 1 negotiation to authenticate the peers. The PC sends its identity certificate to the Concentrator. The Concentrator validates the certificate as follows:

Step 1 Validate the signature. The Concentrator uses the public key stored on its root certificate to decrypt the identity certificate's hash. The Concentrator also re-computes a hash of the received identity certificate. If the decrypted and re-computed hashes match, the certificate is valid.

Step 2 Check the validity period of the certificate against the system clock of the Concentrator. If the Concentrator's system clock falls within the validity period of the identity certificate, the test is successful. The validity range can be found on the identity certificate.

Step 3 (Optional) If CRL checking is enabled, the Concentrator locates the CRL and determines whether the identity certificate's serial number is on the list. If present, the certificate is revoked. If absent, the certificate is valid.

If the received identity certificate passes the validation process, the Concentrator authenticates the PC. In turn, the Concentrator sends its identity certificate to the PC. The PC performs the same validation process for the Concentrator's identity certificate.
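As an added illustration (not Cisco's own code), the three checks above modelled in Python with a toy RSA root key and constructed sample certificates; the key sizes, serial numbers and dates are assumptions for the demonstration:

```python
import hashlib

# Constructed toy RSA root key: p=61, q=53 -> n=3233, phi=3120, e=17, d=2753.
# Tiny numbers for illustration only; real root keys are 2048 bits or more.
ROOT_PUBLIC = (17, 3233)      # (e, n) read from the root certificate stored on the Concentrator
_ROOT_PRIVATE = (2753, 3233)  # (d, n) held only by the CA; used here just to mint sample data

def cert_hash(cert):
    """Hash the to-be-signed fields and reduce the digest to fit the toy modulus."""
    tbs = "|".join([cert["serial"], cert["subject"], cert["not_before"], cert["not_after"]])
    digest = hashlib.sha256(tbs.encode()).digest()
    return int.from_bytes(digest, "big") % ROOT_PUBLIC[1]

def make_cert(serial, subject, not_before, not_after):
    """CA side (constructed): build a certificate and encrypt its hash with the private key."""
    cert = {"serial": serial, "subject": subject,
            "not_before": not_before, "not_after": not_after}  # dates as YYYY-MM-DD
    d, n = _ROOT_PRIVATE
    cert["signature"] = pow(cert_hash(cert), d, n)
    return cert

def validate_identity_cert(cert, clock, crl=None):
    """Run the Concentrator's three checks; clock is its date as YYYY-MM-DD, crl a set of serials."""
    # Step 1: decrypt the signature with the root public key and compare with a fresh hash.
    e, n = ROOT_PUBLIC
    if pow(cert["signature"], e, n) != cert_hash(cert):
        return False, "signature mismatch"
    # Step 2: the system clock must fall within the validity period (ISO dates sort as strings).
    if not cert["not_before"] <= clock <= cert["not_after"]:
        return False, "outside validity period"
    # Step 3 (optional): a serial number listed on the CRL means the certificate is revoked.
    if crl is not None and cert["serial"] in crl:
        return False, "revoked"
    return True, "valid"

# Constructed sample data: one identity certificate and a CRL listing a different serial.
BOSTON = make_cert("K2345678", "Boston3", "2003-01-01", "2004-01-01")
CRL = {"K1111111"}
# A certificate whose signature was altered in transit (constructed forgery case).
TAMPERED = dict(BOSTON, signature=(BOSTON["signature"] + 1) % ROOT_PUBLIC[1])

if __name__ == "__main__":
    for label, cert, clock, crl in [("good", BOSTON, "2003-06-01", CRL),
                                    ("expired", BOSTON, "2005-01-01", CRL),
                                    ("revoked", BOSTON, "2003-06-01", {"K2345678"}),
                                    ("forged", TAMPERED, "2003-06-01", CRL)]:
        print(label, validate_identity_cert(cert, clock, crl))
```

The checks run in the same order as the slide, so a forged certificate is rejected before the clock or the CRL is ever consulted, and Step 3 is skipped entirely when no CRL is supplied.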
