
crl load

Function

The crl load command loads a Certificate Revocation List (CRL) to an SSL policy.

The undo crl load command unloads a CRL from an SSL policy.

By default, no CRLs are loaded to SSL policies.

Format

crl load { pem-crl | asn1-crl } crl-filename

undo crl load { pem-crl | asn1-crl } crl-filename

Parameters

| Parameter | Description | Value |
|---|---|---|
| pem-crl | Loads a PEM CRL to an SSL policy. | - |
| asn1-crl | Loads an ASN1 CRL to an SSL policy. | - |
| crl-filename | Specifies the name of a CRL. This file must be saved in the security sub-directory of the system directory. | The value is a string of 1 to 63 case-insensitive characters without a blank space. The specified file name must be consistent with the name of the uploaded file. |

Views

SSL policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The lifetime of a digital certificate is limited. A Certificate Authority (CA) can revoke a digital certificate to shorten its lifetime. A CRL is a list of certificates that have been revoked and therefore should not be relied upon. The CRL is issued by a CA. If a CA revokes a certificate, the key pair defined in the certificate can no longer be used even if the certificate has not expired. After a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the CRL.

If the key carried in a certificate is disclosed or a certificate needs to be revoked, use a third-party tool to revoke the certificate. The certificate will be marked revoked and added to a CRL.

Configuration Impact

After a CRL is loaded to an FTPS client, the client checks whether the server's certificate is in the CRL when the client attempts to access the server. If the server's certificate is in the CRL, the connection fails.

Prerequisites

The ssl policy command has been used in the system view to create an SSL policy.

Precautions

A maximum of two CRL files can be loaded to an SSL policy. For the sake of security, deleting the installed CRL file is not recommended.

Example

# Load a PEM CRL to an SSL policy.

<sysname> system-view
[sysname] ssl policy ftp_server
[sysname-ssl-policy-ftp_server] crl load pem-crl server.pem

# Load an ASN1 CRL to an SSL policy.

<sysname> system-view
[sysname] ssl policy ftp_server
[sysname-ssl-policy-ftp_server] crl load asn1-crl server.der
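
A pre-upload check, added here as an example (Python, not Huawei code): it chooses the pem-crl or asn1-crl keyword from the file's actual encoding rather than its extension, and enforces the 1 to 63 character, no-blank-space file name rule. It assumes the standard RFC 7468 "X509 CRL" PEM label and checks only the outer DER framing, not the CRL signature or contents; the function names and sample bytes are constructed for illustration.

```python
import base64
import re

# Assumption: the PEM file uses the RFC 7468 "X509 CRL" label.
PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.+?)\s*-----END X509 CRL-----", re.S)
NAME_RE = re.compile(r"\S{1,63}")  # page rule: 1 to 63 characters, no blank space
# Constructed samples: a bare DER SEQUENCE and its PEM wrapping, not a real CRL.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

def looks_like_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) of consistent length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)   # rejects truncated or padded files

def crl_keyword(data: bytes) -> str:
    """Return 'pem-crl' or 'asn1-crl' for the encoding found in the file."""
    m = PEM_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            raise ValueError("PEM armour present but base64 body is corrupt") from None
        if not looks_like_der_sequence(body):
            raise ValueError("PEM body is not a DER SEQUENCE")
        return "pem-crl"
    if looks_like_der_sequence(data):
        return "asn1-crl"
    raise ValueError("file is neither a PEM nor a DER CRL")

def crl_load_command(filename: str, data: bytes) -> str:
    """Build the crl load line after checking the name rule and the encoding."""
    if not NAME_RE.fullmatch(filename):
        raise ValueError("file name must be 1 to 63 characters with no blank space")
    return f"crl load {crl_keyword(data)} {filename}"
```
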
Copyright © Huawei Technologies Co., Ltd.