Certificate revocation refers to that the CA revokes a certificate when the certificate expires or becomes invalid. A local certificate may be revoked in the following conditions:
When receiving the peer's certificate, the device needs to check whether the certificate is revoked by the CA. To ensure the validity of the peer's certificate, the most convenient way is to download the latest certificate from the peer and CA during each authentication. This method, however, is system-resource-consuming, and re-authentication delay may result in re-establishing the connection, which affects the communications between devices.
The problem can be solved in the following methods:
The device can update the CRL in the following methods:
The device communicates with the CRL server through HTTP or LDAP, periodically sends update requests to the CRL server, and automatically downloads the CRL from the server.
The CRL can be downloaded from the CRL server through the manual execution of commands on the device.