Dell EMC SmartFabric OS10 User Guide Release 10.5.0

Certificate revocation

Before the switch and an external device, such as a RADIUS or TLS server, set up a secure connection, they present CA-signed certificates to each other. Certificate validation lets the peers authenticate each other's identity; it is followed by a check that the certificate has not been revoked by the issuing CA.

A certificate includes the URL and other information about the CRL distribution point (CDP) associated with the CA that issued it. Using that URL, OS10 accesses the CDP to download a certificate revocation list (CRL). If the external device's certificate is on the list, or if the CDP server does not respond, the connection is not set up.

A certificate revocation list lists all certificates that the issuing CA has revoked. The CA that issued the certificates maintains the CRL and publishes a new one at periodic intervals. An OS10 switch automatically downloads the new CRL and uses it to verify certificates presented by connecting devices.

When a CA issues a certificate, it usually includes the CRL distribution point in the certificate. OS10 uses the CDP URL to access the server with the current CRL. OS10 supports using multiple CDPs and CRLs during a CRL revocation check. If a CRL check validates a certificate from an external device, OS10 sets up a secure connection to perform the tasks initiated by the application.
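The revocation decision described above, as an added Go example that is not OS10 code or anything from Dell EMC: it builds a throwaway CA, a leaf certificate carrying a CDP URL, and a CA-signed CRL, then accepts the leaf only if the CRL is signed by the issuing CA, is still current, and does not list the leaf's serial number. The CA name, the host name radius.example.test, the URL http://crl.example.test/root.crl, the serial numbers and the stale-CRL rule are assumptions of this example; OS10 fetches the CRL from the CDP itself, whereas here the CRL bytes are handed in directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckAgainstCRL: accept the peer only if a CRL signed by its issuing CA is current and does not list it.
func CheckAgainstCRL(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // the CRL must come from the CA that issued cert
		return err
	}
	if now.After(crl.NextUpdate) { // this example's policy: a stale CRL fails closed, like an unreachable CDP
		return errors.New("CRL is past nextUpdate")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
// BuildConstructedPKI: throwaway CA, leaf with a hypothetical CDP URL, CA-signed CRL listing revokedSerial.
func BuildConstructedPKI(revokedSerial int64) (ca, leaf *x509.Certificate, crlDER []byte, err error) {
	now := time.Now()
	nb, na := now.Add(-time.Hour), now.Add(24*time.Hour) // constructed validity window
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key plays no part in this check
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed copy carries the generated SubjectKeyId that CRL signing needs
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "radius.example.test"},
		NotBefore: nb, NotAfter: na, CRLDistributionPoints: []string{"http://crl.example.test/root.crl"}} // hypothetical CDP
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb, NextUpdate: now.Add(96 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, leaf, crlDER, err
}
```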

Like CA certificates, CRLs are maintained in the trust store on the switch and applied to all PKI-enabled applications. To use CRLs to validate certificates presented by external devices:

  1. Configure the URL for a certificate distribution point in EXEC mode.
    crypto cdp add cdp-name cdp-url
    Verify the CDPs accessed by the switch in EXEC mode.
    show crypto cdp [cdp-name]
    To delete an installed CDP, use the crypto cdp delete cdp-name command.
  2. Install CRLs that have been downloaded from CDPs in EXEC mode.
    crypto crl install crl-path [crl-filename]
    Display a list of the CRLs installed on the switch in EXEC mode.
    show crypto crl [crl-filename]
    To delete a manually installed CRL that was configured with the crypto crl install command, use the crypto crl delete [crl-filename] command.

To enable CRL checking on the switch, see Security profiles.

Example: Configure CDP

OS10# crypto cdp add cert1_cdp http://crl.chambersign.org/chambersignroot.crl
Successfully added CDP

OS10# show crypto cdp
--------------------------------------
|       Manually installed CDPs        |
--------------------------------------
cert1_cdp.crl_url
--------------------------------------
|      Automatically installed CDPs    |
--------------------------------------

Example: Install CRL

OS10# crypto crl install home://pki-regression/Network_Solutions_Certificate_Authority.0.crl.pem
Processing file ...

issuer=C=US,O=Network Solutions L.L.C.,CN=Network Solutions Certificate Authority.0.crl.pem
lastUpdate=Jul  7 04:15:08 2019 GMT
nextUpdate=Jul 11 04:15:08 2019 GMT

OS10# show crypto crl
--------------------------------------
|       Manually installed CRLs        |
--------------------------------------
Network_Solutions_Certificate_Authority.0.crl.pem
--------------------------------------
|           Downloaded CRLs            |
--------------------------------------
