


Error When Trying To Update Certificate Revocation List (CRL) in NAC Manager



An error message reports that the URL provides a delta-CRL.
All NAC platforms
This is by design, as delta-CRLs are not supported.
Use a CRL publisher that does not produce a delta-CRL. 
Additional notes
This is outlined in NetSight's Help:

Certificate Revocation List URLs

Use Add URL, Edit URL, and Remove URLs to create a list of CRL distribution points which will be used to check for revoked client certificates. When an end-user's access to the network has been revoked, the end-user's client certificate is revoked. This will cause the CA to add the revoked certificate's serial number to its CRL. The NAC appliance will download a new copy of any configured CRL every hour from the CRL distribution point identified by the URL. If the CRL has been updated, the RADIUS server will be restarted to load the new data. The RADIUS server will then reject any client certificate found in the CRL.
When CRLs are used, there must be a CRL configured for every trusted certificate authority. Only CRLs that are distributed through an http:, https:, or file: URL are supported, and only CRLs that correspond to a listed trusted certificate authority can be used. Delta CRLs are not allowed.
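
A way to check a downloaded CRL before adding its URL, as an added example that is not from NetSight or its Help: a delta CRL is marked by the Delta CRL Indicator extension (OID 2.5.29.27, RFC 5280), so the check walks the DER structure looking for it. The function names and the unsigned sample CRL are constructed for illustration.

```python
import base64

DELTA_CRL_INDICATOR = bytes.fromhex("551d1b")    # OID 2.5.29.27 (RFC 5280, section 5.2.4)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):                           # elements inside a constructed value
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def is_delta_crl(data):
    """True if the CRL (DER or PEM bytes) carries the Delta CRL Indicator extension."""
    if b"-----BEGIN X509 CRL-----" in data:
        data = base64.b64decode(data.split(b"-----")[2])
    tag, cert_list, _ = read_tlv(data)           # CertificateList
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = read_tlv(cert_list)              # TBSCertList
    for tag, body in children(tbs):
        if tag == 0xA0:                          # crlExtensions, [0] EXPLICIT
            _, extensions, _ = read_tlv(body)    # SEQUENCE OF Extension
            return any(read_tlv(ext)[1] == DELTA_CRL_INDICATOR for _, ext in children(extensions))
    return False                                 # no crlExtensions field present

def der(tag, *parts):                            # encoder used only to build the sample below
    body = b"".join(parts)
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def sample_crl(delta):
    """Constructed, unsigned CRL skeleton (issuer CN=Example CA); not a real CRL."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"Example CA"))))
    exts = der(0x30, der(0x06, bytes.fromhex("551d14")), der(0x04, der(0x02, b"\x05")))  # cRLNumber 5
    if delta:                                    # critical deltaCRLIndicator, BaseCRLNumber 4
        exts += der(0x30, der(0x06, DELTA_CRL_INDICATOR), der(0x01, b"\xff"), der(0x04, der(0x02, b"\x04")))
    tbs = der(0x30, der(0x02, b"\x01"), alg, issuer, der(0x17, b"240101000000Z"),
              der(0x17, b"240101010000Z"), der(0xA0, der(0x30, exts)))
    return der(0x30, tbs, alg, der(0x03, bytes(9)))
```

Pass `is_delta_crl` the raw bytes downloaded from the distribution point; a `True` result means the URL serves a delta CRL and a full-CRL URL from the same CA is needed instead.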



