Configuring CRL Certificate Revocation Checking

To configure a Solace PubSub+ event broker to use a certificate authority (CA) with Certificate Revocation List (CRL) revocation checking, complete the following steps:

Step 1: Review Prerequisites

To successfully use CA certificates with certificate revocation checking, the following configurations are required on a Solace PubSub+ event broker:

Step 2: Configure Certificate Authorities

To configure a CA, see Configuring the Client Authentication Certificate Authorities List.

Step 3: Configure CRL Parameters

The URL for the CRL source must be configured for the event broker to download the CRL. Optionally, you can configure a specific refresh schedule for the CRL, after which the event broker will attempt to download a new copy of the CRL.

  • To configure the URL, enter the following commands:

    solace(configure/authentication/client-certificate-authority)# revocation-check crl
    solace(configure/authentication/client-certificate-authority/revocation-check/crl)# url <url>

    Where:

    url indicates the location of the CRL source. A maximum of 2048 characters can be used for the <url>. The url must be a complete URL including the http://. Only HTTP URLs are supported.

    A shutdown of the revocation checking is required before changing the CRL URL.

  • To configure the CRL refresh schedule, enter the following commands:

    solace(configure/authentication/client-certificate-authority)# revocation-check crl
    solace(configure/authentication/client-certificate-authority/revocation-check/crl)# refresh-schedule [days <days-of-week] times <times-of-day>

    Where:

    <days-of-week> is either the entry “daily”, or a list of named days from Sunday to Saturday separated by commas with no spaces, or a list of numbers from 0 to 6 representing the named days separated by commas with no spaces, where 0 is Sunday, 1 is Monday, on through to 6 for Saturday. Default is “daily”.

    <times-of-day> is either the entry “hourly”, or a list of up to four times of day in the format hh:mm separated by commas without spaces, where hh is 0 to 23 representing hours, and mm is 0 to 59 representing minutes.

    To trigger an immediate attempt to download the CRL, enter the following Admin command:

    solace(admin)# client-certificate-authority <ca-name>
    solace(admin/client-certificate-authority)# refresh-crl

Step 4: Enable CA Revocation Checking

For the event broker to successfully use the CA, enable the revocation checking:

solace(configure/authentication/client-certificate-authority/revocation-check/crl)# exit
solace(configure/authentication/client-certificate-authority/revocation-check)# no shutdown

Step 5: Configure Message VPN Overrides

You can optionally configure revocation overrides for specific Message VPNs, based on the revocation status of the client certificates.

To configure the revocation checking overrides, see Configuring Message VPN Overrides.

Step 6: Enable CRL Certificate Revocation Checking

Once CA and CRL configurations are completed, certificate revocation checking can be enabled for the event broker.

  1. Enable CRL certificate revocation checking for the event broker:

    solace(configure)# authentication
    solace(configure/authentication)# client-certificate-revocation-checking crl

  2. Verify if the CRL certificate revocation checking has been enabled:

    solace (configure/authentication)# show authentication

    CLI and SEMP user class:
        radius-domain:
        auth-type: Internal database authentication
        profile-name:crea

    Replace Duplicate Client Connections:   yes
    Client Certificate Revocation Checking: crl

    Shell Users                                            Direct shell login enabled
    =====================================================  ==========================
    support                                                                       Yes