ServerIron ADX Security Guide 169
53-1002440-03
Advanced SSL profile configuration 6
The ServerIronADX supports configuration of up to ten CRL records. Each CRL record can be up to 255K in size.
Syntax: ssl crl-record <local-name> <url> der | pem <refresh-interval-in-hours>
The <local-name> variable specifies a name for the CRL entry. The value of this entry is an ASCII string.
The <url> variable specifies the location from which the CRL is retrieved. This value can be either an IP address or a domain name.
The der parameter directs the CRL to be downloaded in the DER format.
The pem parameter directs the CRL to be downloaded in the PEM format.
The <refresh-interval-in-hours> variable specifies the number of hours to wait before the CRL is downloaded again.
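As an added example (not part of the guide and not Brocade code), the following stdlib-only Python lints the ssl crl-record lines of a saved ServerIron ADX configuration against the limits stated above: at most ten records, an ASCII local name, a location given as an IP address or domain name, a der or pem format token, and a whole-hour refresh interval. The sample configuration is constructed for the example; treating a refresh interval of 0 and a duplicate local name as errors is an assumption, not something the guide states.

```python
import ipaddress
import re
from urllib.parse import urlparse

MAX_CRL_RECORDS = 10  # limit stated in the guide
# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def _host_of(location):
    """Return the host part of either a bare host or a URL such as http://host/path."""
    parsed = urlparse(location if "://" in location else "//" + location)
    return parsed.hostname or ""

def _valid_host(host):
    """True if host is an IP address (v4 or v6) or a syntactically valid domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))

def lint_crl_records(config_text):
    """Return a list of 'line N: ...' findings for the ssl crl-record commands in config_text."""
    findings, names = [], set()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if tokens[:2] != ["ssl", "crl-record"]:
            continue  # some other command; not our concern here
        args = tokens[2:]
        if len(args) != 4:
            findings.append(f"line {lineno}: expected <local-name> <url> der|pem <refresh-interval-in-hours>")
            continue
        name, location, fmt, hours = args
        if not name.isascii():
            findings.append(f"line {lineno}: local name {name!r} is not an ASCII string")
        if name in names:  # assumption: a repeated local name is a configuration error
            findings.append(f"line {lineno}: duplicate CRL record name {name!r}")
        names.add(name)
        if not _valid_host(_host_of(location)):
            findings.append(f"line {lineno}: {location!r} is neither an IP address nor a domain name")
        if fmt not in ("der", "pem"):
            findings.append(f"line {lineno}: format must be der or pem, got {fmt!r}")
        if not hours.isdigit() or int(hours) < 1:  # assumption: 0 hours is not meaningful
            findings.append(f"line {lineno}: refresh interval must be a positive number of hours, got {hours!r}")
    if len(names) > MAX_CRL_RECORDS:
        findings.append(f"config: {len(names)} CRL records configured, the ServerIron ADX supports at most {MAX_CRL_RECORDS}")
    return findings

# Constructed sample: lines 3, 4 and 5 each contain a defect.
SAMPLE_CONFIG = """\
ssl crl-record ca1-crl http://crl.example.com/ca1.crl der 24
ssl crl-record ca2-crl 10.1.1.5 pem 12
ssl crl-record ca3-crl http://crl.example.com/ca3.crl txt 24
ssl crl-record ca4-crl http://bad_host/ca4.crl der 0
ssl crl-record ca1-crl http://crl.example.com/ca1.crl der 24
"""

if __name__ == "__main__":
    for finding in lint_crl_records(SAMPLE_CONFIG):
        print(finding)
```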
NOTE
Limiting the maximum number of connections from all client IPs is supported only via the max-conn default <num> command. The max-conn 0.0.0.0/0 <num> command is no longer supported.
NOTE
To defeat "man-in-the-middle" attacks, in which a CRL could be tampered with while in transit on the network, CRLs are digitally signed by the issuing CAs. For this reason, it is essential that the certificate of the CA that issues the CRL is present on the ServerIronADX whenever a client certificate is checked for revocation; without it, the CRL's signature cannot be verified.
Allowing Self-Signed Certificates
By default, a ServerIronADX does not accept certificates that have been issued by a CA that is not trusted; it accepts only certificates signed by a CA that is configured under the SSL profile. For testing purposes, customers may want to use self-signed certificates (generated with the OpenSSL utilities or with the ServerIron cert gen utility) on the SSL client.
The following example configures a ServerIronADX to accept self-signed certificates.
ServerIronADX(config)# ssl profile profile1
ServerIronADX(config-ssl-profile-profile1)#allow-self-signed-cert
Syntax: [no] allow-self-signed-cert
Enabling a certificate chain
By default, for CA-signed certificates, the ServerIronADX does not send the entire certificate chain when presenting the certificate to the client.
To enable the ServerIronADX to send the entire certificate chain (including the root CA certificate and any intermediate CA certificates), enter the following commands in the SSL profile configuration mode:
ServerIronADX(config)#ssl profile profile1
Syntax: ssl profile <profile-name>
ServerIronADX(config-ssl-profile-ssl-profile1)# enable-certificate-chaining
Syntax: enable-certificate-chaining