Updating CRL

After the private key of a company is disclosed, the CA issues a certificate revocation list (CRL) to revoke the corresponding digital certificate, so that the disclosed private key can no longer be used to get malicious software packages verified. This section describes how an administrator updates the CRL on the VRG to improve system O&M security.

Prerequisites

Procedure

  1. Use WinSCP to copy the obtained CRL file to the /home/GalaX8800/ directory on the VRG whose CRL is to be updated.

    Ensure that user gandalf is used to establish the connection.

  2. Use PuTTY to log in to the VRG server in step 1 as user gandalf.
  3. Run the following command, enter the password of user root when prompted, and switch to user root:

    su - root

  4. Run the following command to prevent PuTTY from exiting due to session timeout:

    TMOUT=0

    After you run this command, the session no longer times out when no operation is performed, which poses a security risk. For security purposes, you are advised to run exit to log out of the system after completing your operations.

  5. Run the following command to update the CRL:

    updateCrl -u Obtained CRL file

    Obtained CRL file refers to the xxxx.crl file that has been copied to the /home/GalaX8800 directory on the target host in step 1.

    The CRL is successfully updated if the following information is displayed:

    update crl success.

  6. Run the following command to delete the CRL file:

    rm /home/GalaX8800/Obtained CRL file

  7. Update the CRL file on other VRGs. For details, see steps 1 to 6.
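
A pre-check that can be run on the copied file before step 5, as an added example that is not part of the original procedure or of the vendor's tooling. It assumes the openssl command is available on the host; the function name check_crl and the CA certificate path are hypothetical.

```shell
# check_crl FILE [CA_CERT]
# Prints issuer, lastUpdate, nextUpdate and the number of revoked serials.
# Returns 0 only if FILE parses as an X.509 CRL and, when CA_CERT (PEM) is
# given, the CRL signature verifies against it.
# Example (CA path is a placeholder):
#   check_crl /home/GalaX8800/xxxx.crl /path/to/ca.pem
check_crl() {
    crl=$1
    ca=${2:-}
    [ -r "$crl" ] || { echo "check_crl: cannot read $crl" >&2; return 2; }

    # A .crl file may be DER or PEM encoded; accept either.
    fmt=
    for f in DER PEM; do
        if openssl crl -inform "$f" -in "$crl" -noout >/dev/null 2>&1; then
            fmt=$f
            break
        fi
    done
    [ -n "$fmt" ] || { echo "check_crl: $crl is not a valid CRL" >&2; return 3; }

    # Show who issued the list and its validity window for manual comparison.
    openssl crl -inform "$fmt" -in "$crl" -noout -issuer -lastupdate -nextupdate
    count=$(openssl crl -inform "$fmt" -in "$crl" -noout -text |
        grep -c 'Serial Number:' || true)
    echo "revoked certificates: $count"

    # openssl reports the signature result as "verify OK" / "verify failure";
    # match on the text because older releases exit 0 in both cases.
    if [ -n "$ca" ]; then
        if openssl crl -inform "$fmt" -in "$crl" -CAfile "$ca" -noout 2>&1 |
            grep -q 'verify OK'; then
            echo "signature: verify OK"
        else
            echo "check_crl: signature does not verify against $ca" >&2
            return 4
        fi
    fi
    return 0
}
```

A non-zero return value means the file should not be passed to updateCrl until the cause is understood.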

Copyright © Huawei Technologies Co., Ltd.