About CRLs

Whenever IKE receives a peer's certificate, it checks the certificate's serial number against the current CRL (Certificate Revocation List) from the CA (Certificate Authority). If the presented certificate is listed in the CRL, it is treated as an invalid certificate and the ISAKMP (Internet Security Association and Key Management Protocol) exchange is torn down. If the presented certificate is not found in the CRL, the ISAKMP exchange proceeds normally. Since a stale CRL cannot reveal recent revocations, it is very important to keep the latest CRL on the system so that the validity of presented certificates is judged correctly.

The Threat Management Services zl Module supports:

  • Manual CRL upload

  • Automatic CRL upload using SCEP (Simple Certificate Enrollment Protocol)

A CRL is a list of digital certificate subscribers. It includes information about each subscriber's certificates, such as:

  • current status

  • date of issue

  • CA from which the certificate was obtained

The CRL also lists revoked certificates, accompanied by the cause for the revocation.

IKE uses the CRL to help determine whether a peer can be trusted to connect over the VPN tunnel. To keep your private network secure, you should make sure that the CA profile contains an up-to-date CRL.
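The decision described above, written out as an added example that is not part of the module's documentation or firmware. It uses the third-party Python "cryptography" library and constructs a throwaway CA, peer certificate and CRL as sample data (the names "Example VPN CA" and "vpn-peer" and the function names are assumptions); besides the serial-number lookup it also rejects a CRL that is not signed by the CA or is past its nextUpdate, which is the practical meaning of "keep the CRL up to date".

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

def make_ca_and_peer_cert():
    """Construct a throwaway CA plus one peer certificate it issued (sample data, not a real PKI)."""
    ca_key, peer_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example VPN CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1)).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    peer_cert = (x509.CertificateBuilder()
                 .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vpn-peer")]))
                 .issuer_name(ca_name).public_key(peer_key.public_key()).serial_number(x509.random_serial_number())
                 .not_valid_before(now - datetime.timedelta(days=1)).not_valid_after(now + datetime.timedelta(days=30))
                 .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, peer_cert

def make_crl(ca_key, ca_cert, revoked_serials, hours_until_next_update=24):
    """Issue a CRL from the CA; a negative hours_until_next_update yields an already-expired (stale) CRL."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now - datetime.timedelta(days=1))
               .next_update(now + datetime.timedelta(hours=hours_until_next_update)))
    for serial in revoked_serials:  # each entry carries the serial and a reason, as the text describes
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now - datetime.timedelta(hours=1))
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False).build())
    return builder.sign(ca_key, hashes.SHA256())

def ike_cert_decision(peer_cert, crl, ca_cert, now=None):
    """Accept the peer unless its serial is on the CA's CRL, or the CRL itself is untrusted or stale."""
    now = now or datetime.datetime.now(UTC)
    if not crl.is_signature_valid(ca_cert.public_key()):  # CRL must come from the CA in the profile
        return "reject-crl-untrusted"
    next_update = getattr(crl, "next_update_utc", None)  # cryptography >= 42; older releases fall through
    if next_update is None and crl.next_update is not None:
        next_update = crl.next_update.replace(tzinfo=UTC)  # older releases return naive UTC
    if next_update is not None and next_update < now:  # an expired CRL proves nothing about validity
        return "reject-crl-stale"
    entry = crl.get_revoked_certificate_by_serial_number(peer_cert.serial_number)
    return "reject-revoked" if entry is not None else "accept"
```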