Error When Trying To Update Certificate Revocation List (CRL) in NAC Manager


Information

 
Symptoms
An error message states that the URL provides a delta-CRL.
Environment
All NAC platforms
Cause
This is by design: delta-CRLs are not supported.
Resolution
Use a CRL publisher that does not produce a delta-CRL. 
Additional notes
This is outlined in NetSight's Help:

Certificate Revocation List URLs

Use Add URL, Edit URL, and Remove URLs to create a list of CRL distribution points which will be used to check for revoked client certificates. When an end-user's access to the network has been revoked, the end-user's client certificate is revoked. This will cause the CA to add the revoked certificate's serial number to its CRL. The NAC appliance will download a new copy of any configured CRL every hour from the CRL distribution point identified by the URL. If the CRL has been updated, the RADIUS server will be restarted to load the new data. The RADIUS server will then reject any client certificate found in the CRL.
When CRLs are used, there must be a CRL configured for every trusted certificate authority. Only CRLs that are distributed through an http:, https:, or file: URL are supported, and only CRLs that correspond to a listed trusted certificate authority can be used. Delta CRLs are not allowed.
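
A pre-flight check that can be run on a CRL downloaded from a distribution point before its URL is added, as an added example (not NAC Manager or NetSight code): it lists the CRL's extensions and reports whether the Delta CRL Indicator extension (OID 2.5.29.27, RFC 5280) is present. The function names are hypothetical and the sample CRLs are constructed, unsigned dummies; input is assumed to be DER-encoded.

```python
DELTA_CRL_INDICATOR = bytes.fromhex("551d1b")  # OID 2.5.29.27 (RFC 5280, 5.2.4)
CRL_NUMBER = bytes.fromhex("551d14")           # OID 2.5.29.20

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def crl_extension_oids(der):
    """List the encoded OIDs of the crlExtensions in a DER CertificateList."""
    tag, cert_list, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER CertificateList")
    _, tbs = next(children(cert_list))         # tbsCertList
    for tag, value in children(tbs):
        if tag == 0xA0:                        # [0] EXPLICIT crlExtensions
            _, exts, _ = read_tlv(value)
            return [next(children(ext))[1] for _, ext in children(exts)]
    return []                                  # v1 CRL: no extensions

def is_delta_crl(der):
    return DELTA_CRL_INDICATOR in crl_extension_oids(der)

# Constructed sample CRLs (dummy signature, short-form lengths only).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def ext(oid, value, critical=False):
    return tlv(0x30, tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value))

def sample_crl(delta):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
    exts = ext(CRL_NUMBER, tlv(0x02, b"\x05")) + (ext(DELTA_CRL_INDICATOR, tlv(0x02, b"\x03"), True) if delta else b"")
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + tlv(0x17, b"240101000000Z") + tlv(0xA0, tlv(0x30, exts)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print({name: is_delta_crl(sample_crl(name == "delta")) for name in ("full", "delta")})
```

A CRL for which `is_delta_crl` returns `True` will be rejected by the appliance; a PEM-encoded CRL must be converted to DER before being passed in.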


 
