Revocation Settings by CRL
This page describes how to check certificate revocation using CRL (Certificate Revocation List).
If "Revocation Settings by CRL" is enabled, certificates registered in the revocation list can no longer be used for device certificate authentication.
[ Note ]
The CRL has an expiration date.
If the CRL expires, it will not be used for device certificate authentication.
[ Reference ]
If both OCSP and CRL are enabled simultaneously, verification by OCSP takes priority over that by CRL.
Verification by CRL is executed only when a proper connection cannot be made to the OCSP server.
- Click "System" and then "Security Settings."
- Click "Device Restriction."
- Click "Certificate Revocation Settings" for the desired CA certificate chain.
- Click "Enable CRL."
Change the content and then click "Update."
| Option | Description |
|---|---|
| Specify the URL of the CRL distribution point | Uses the CRL distribution point for acquisition of the CRL file. The CRL file is automatically updated on a regular basis. |
| CRL distribution point URL | Sets the CRL distribution point in the URL format. |
| Refresh CRL | Refreshes the CRL file manually. |
| Registered CRL | Downloads the revocation list registered with IIJ ID in the DER format. |
| Upload a CRL file | Uploads CRL as a file. |
| CRL file | Specifies a CRL file to upload. |
| Registered CRL | Downloads the revocation list registered with IIJ ID in the DER format. |
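
Because an expired CRL is not used for device certificate authentication, it helps to read the expiration date and revoked serial numbers out of a DER-format CRL file before uploading it or after downloading the registered one. The following is an added example, not IIJ ID code: it assumes the RFC 5280 CRL layout, does not verify the CRL signature, and the function names and the sample CRL (issuer "Example CA", dummy signature) are constructed for illustration.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):  # decode one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value, pos=0):  # yield (tag, value) for each element inside value
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18) -> datetime
    text = val.decode("ascii")
    text = (("19" if text[:2] >= "50" else "20") if tag == 0x17 else "") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return (this_update, next_update, revoked_serials) from a DER CRL."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER CertificateList (PEM input?)")
    tbs = list(children(next(children(body))[1]))
    i = (1 if tbs[0][0] == 0x02 else 0) + 2  # skip version, signature alg, issuer
    this_update, next_update, serials = parse_time(*tbs[i]), None, set()
    if i + 1 < len(tbs) and tbs[i + 1][0] in (0x17, 0x18):  # optional nextUpdate
        next_update, i = parse_time(*tbs[i + 1]), i + 1
    if i + 1 < len(tbs) and tbs[i + 1][0] == 0x30:  # optional revokedCertificates
        serials = {int.from_bytes(next(children(e))[1], "big") for _, e in children(tbs[i + 1][1])}
    return this_update, next_update, serials

def is_expired(der, now):  # now must be timezone-aware; assumption: no nextUpdate = not expired
    next_update = parse_crl(der)[1]
    return next_update is not None and now >= next_update

def tlv(tag, *parts):  # DER encoder for the constructed sample (bodies under 256 bytes)
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])) + body

def sample_crl():  # constructed CRL: two revoked serials, dummy (invalid) signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, b"Example CA"))))
    revoked = tlv(0x30, *(tlv(0x30, tlv(0x02, s), tlv(0x17, b"240310000000Z")) for s in (b"\x10\x01", b"\x2a")))
    tbs = tlv(0x30, tlv(0x02, b"\x01"), alg, issuer, tlv(0x17, b"240401000000Z"), tlv(0x17, b"240501000000Z"), revoked)
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00" + b"\x00" * 8))
```

To inspect a real file, pass its bytes to `parse_crl` (for example `parse_crl(open(path, "rb").read())`, where `path` is the CRL file) and compare the certificate's serial number against the returned set.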