The tasks are shown in Figure . Some of the tasks are optional, depending on the particular requirements of the VPN implementation.
Request a Certificate Revocation List
A CRL can be requested only if the CA does not support an RA. The following information applies only when the CA does not support an RA.
When the router receives a certificate from a peer, the router downloads a CRL from the CA. The router then checks the CRL to make sure the certificate that the peer sent has not been revoked. If the certificate appears on the CRL, the router will not accept the certificate and will not authenticate the peer.
With CA systems that support RAs, multiple CRLs exist, and the certificate of the peer indicates which CRL applies and should be downloaded by the router. If the router does not have the applicable CRL and is unable to obtain one, the router rejects the certificate of the peer, unless the crl optional command is used in the configuration. If the crl optional command is used, the router will still try to obtain a CRL, but if it cannot obtain a CRL it can still accept the certificate of the peer.
A CRL can be reused with subsequent certificates until the CRL expires, if query mode is off. If the router receives a certificate from a peer after the applicable CRL has expired, the router will download the new CRL.
When the router receives additional certificates from peers, the router continues to attempt to download the appropriate CRL, even if it was previously unsuccessful, and even if the crl optional command is enabled. The crl optional command only specifies that when the router cannot obtain the CRL, the router is not forced to reject a certificate of a peer outright.
If the router has a CRL that has not yet expired, but it is suspected that the contents of the CRL are out of date, it is possible to request that the latest CRL be downloaded immediately to replace the old CRL. To request immediate download of the latest CRL, use the crypto pki crl request name command in global configuration mode. This command replaces the CRL currently stored on the router with the newest version of the CRL.
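The CRL handling described above (download on first use, reuse of a cached CRL until it expires when query mode is off, a fresh download attempt for every peer certificate while no CRL is held, the effect of crl optional, and the forced refresh of crypto pki crl request) is modelled below as an added example. This is plain Python written for this page, not router code or any Cisco library; the FakeCA class, the serial numbers, the CRL contents and the timestamps are all constructed.

```python
"""Model of the router's CRL-checking policy (constructed example, not IOS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set


@dataclass
class CRL:
    issuer: str
    revoked_serials: Set[int]
    next_update: datetime          # the CRL counts as expired from this time on


@dataclass
class PeerCertificate:
    serial: int
    issuer: str                    # names the CA whose CRL applies


class FakeCA:
    """Stand-in for the CA's CRL distribution point (constructed)."""

    def __init__(self, crl: CRL):
        self.crl = crl
        self.reachable = True
        self.downloads = 0         # counts every download attempt, successful or not

    def fetch(self, issuer: str) -> Optional[CRL]:
        self.downloads += 1
        if not self.reachable or issuer != self.crl.issuer:
            return None            # download failed
        return self.crl


@dataclass
class RouterCRLPolicy:
    """Decides whether a peer certificate is accepted, as the text describes."""
    fetch_crl: Callable[[str], Optional[CRL]]
    crl_optional: bool = False     # the 'crl optional' setting
    query_mode: bool = False
    cache: Dict[str, CRL] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _usable_crl(self, issuer: str, now: datetime) -> Optional[CRL]:
        cached = self.cache.get(issuer)
        # Reuse the stored CRL until it expires, but only when query mode is off.
        if cached is not None and not self.query_mode and now < cached.next_update:
            return cached
        # No CRL, expired CRL, or query mode: attempt a download (retried every time).
        fresh = self.fetch_crl(issuer)
        if fresh is None:
            self.log.append(f"CRL download failed for {issuer}")
            return None
        self.cache[issuer] = fresh
        return fresh

    def accept_peer(self, cert: PeerCertificate, now: datetime) -> bool:
        crl = self._usable_crl(cert.issuer, now)
        if crl is None:
            # Without a CRL the certificate is rejected unless 'crl optional' is set.
            return self.crl_optional
        if cert.serial in crl.revoked_serials:
            self.log.append(f"serial {cert.serial} is revoked")
            return False
        return True

    def request_crl_now(self, issuer: str) -> bool:
        """Models 'crypto pki crl request': replace the stored CRL immediately."""
        fresh = self.fetch_crl(issuer)
        if fresh is None:
            return False
        self.cache[issuer] = fresh
        return True


def run_scenario() -> Dict[str, bool]:
    """Walks through the behaviours the text describes and returns each outcome."""
    t0 = datetime(2024, 1, 1, 12, 0)
    ca = FakeCA(CRL("CA1", {1001}, t0 + timedelta(hours=1)))
    good, revoked = PeerCertificate(1002, "CA1"), PeerCertificate(1001, "CA1")
    r: Dict[str, bool] = {}

    # 1. CA unreachable: strict router rejects, 'crl optional' router accepts.
    ca.reachable = False
    strict = RouterCRLPolicy(ca.fetch)
    lenient = RouterCRLPolicy(ca.fetch, crl_optional=True)
    r["strict_no_crl"] = strict.accept_peer(good, t0)
    r["optional_no_crl"] = lenient.accept_peer(good, t0)

    # 2. CA reachable again: the lenient router still retries and then enforces the CRL.
    ca.reachable = True
    r["optional_revoked"] = lenient.accept_peer(revoked, t0)
    r["optional_good"] = lenient.accept_peer(good, t0)

    # 3. Cached CRL reused before expiry, downloaded again afterwards.
    before = ca.downloads
    lenient.accept_peer(good, t0 + timedelta(minutes=30))
    r["reused_cache"] = ca.downloads == before
    ca.crl = CRL("CA1", {1001}, t0 + timedelta(hours=5))      # CA's routine reissue
    lenient.accept_peer(good, t0 + timedelta(hours=2))
    r["refetched_after_expiry"] = ca.downloads == before + 1

    # 4. CA publishes a newer CRL early; the unexpired cached copy hides the revocation
    #    until the operator forces a refresh.
    ca.crl = CRL("CA1", {1001, 1002}, t0 + timedelta(hours=5))
    r["stale_cache_accepts"] = lenient.accept_peer(good, t0 + timedelta(hours=3))
    lenient.request_crl_now("CA1")
    r["rejected_after_refresh"] = not lenient.accept_peer(good, t0 + timedelta(hours=3))
    return r


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Step 4 is the case the text's last paragraph is about: a CRL that is still within its validity period can be out of date the moment the CA issues a replacement, and only an explicit request closes that window.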
Delete RSA Keys from the Router
Under certain circumstances it may be necessary to delete the RSA keys that were generated for the router. For example, if the RSA keys are believed to be compromised in some way and should no longer be used, the keys should be deleted.
To delete all RSA keys from the router, use the crypto key zeroize rsa command in global configuration mode. After the RSA keys are deleted, the CA administrator should be asked to revoke the certificates for the router at the CA. It will be necessary to supply the challenge password created when the certificates were obtained with the crypto pki enroll command. The certificates should also be manually removed from the router configuration.
Delete Certificates from the Configuration
If the need arises, certificates that are saved on the router can be deleted. The router saves its own certificates, the certificate of the CA, and any RA certificates, unless the router is in query mode.
To delete the certificate of the router or RA certificates from the configuration, use the commands shown in Figure in global configuration mode.
Delete Public Keys of Peers
Under certain circumstances it may be necessary to delete the RSA public keys of peer devices from the router configuration. For example, if the integrity of a peer public key is doubted, the key should be deleted. To delete an RSA public key of a peer, use the commands shown in Figure , beginning in global configuration mode.
To delete the CA certificate, the entire CA trustpoint must be removed. This also removes all certificates associated with the CA, including the certificate belonging to the router, the CA certificate, and any RA certificates. To remove a CA trustpoint, use the no crypto pki trustpoint name command in global configuration mode.