Cisco Systems OL-16647-01 manual Configuration Options for CA Certificates, 33-4


Chapter 33 Configuring Certificates

CA Certificate Authentication

Configuration Options for CA Certificates

Additional configuration options are available, whether you are adding a new CA certificate with the Add button or modifying an existing CA certificate with the Edit button.

The following panels are the tab-selectable displays that address CA certificate configuration specifics. Each tabbed display is summarized in the following list:

Revocation Check—The Revocation Check panel lets you choose or reject revocation checking, specify one or more methods of revocation checking (CRL or OCSP), and optionally ignore revocation-checking errors when validating a certificate. For details of the Revocation Check panel, see Revocation Check Configuration.

CRL Retrieval Policy—The CRL Retrieval Policy panel allows you to configure use of the CRL distribution point and/or static CRL URLs, with the ability to add, edit, and delete static CRL URLs. For details, see CRL Retrieval Policy Configuration.

CRL Retrieval Method—The CRL Retrieval Method panel allows you to choose Lightweight Directory Access Protocol (LDAP), HTTP, or Simple Certificate Enrollment Protocol (SCEP) as the method to be used for CRL retrieval. For the LDAP method, you can configure the LDAP parameters and security. See CRL Retrieval Method Configuration.

OCSP Rules—Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of an X.509 digital certificate and is an alternative to certificate revocation lists (CRLs). For details, see OCSP Rules Configuration.

Advanced—The Advanced panel allows you to set up CRL update parameters, OCSP parameters, and certificate acceptance and validation parameters. See Advanced Configuration Options.

Revocation Check Configuration

With the Revocation Check Edit Option panel, you can specify degrees of user certificate revocation checking as follows:

No Revocation Checking - Click the Do not check certificates for revocation button to disable revocation checking of certificates.

Revocation Checking Method(s) - Click the Check certificates for revocation button to select one or more revocation checking methods. Available methods display on the left; use the Add button to move a method to the right.

The methods you select are implemented in the order in which you add them. If a method returns an error, the next revocation checking method in the list is tried.

Revocation Checking Override - Click the Consider certificate valid if revocation checking returns errors button to ignore revocation-checking errors.

CRL Retrieval Policy Configuration

With the CRL Retrieval Policy panel, you specify whether CRL revocation checking uses the CRL Distribution Point from the certificate or static URLs that you configure.

Certificate CRL Distribution Point - Click the Use CRL Distribution Point from the certificate button to direct revocation checking to the CRL DP included on the certificate being checked.

Static URL - Click the Use Static URLs configured below button to list specific URLs to be used for CRL retrieval. The URLs you add are used in the order in which you add them. If a specified URL returns an error, the subsequent URLs are tried in order.

://—Type the location that distributes the CRLs.
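The ordered fallback described in the Revocation Check and Static URL panels above, modelled as an added example (not code from the Cisco guide): methods run in the order added, an erroring method hands off to the next one, static CRL URLs are tried in order inside the CRL method, and the "Consider certificate valid if revocation checking returns errors" override decides what happens when every method errors. The URLs, serial numbers and the CRL/OCSP stubs are constructed sample data.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Set

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    ERROR = "error"   # the method could not obtain a usable answer

Method = Callable[[str], Status]

def check_revocation(serial: str, methods: List[Method], accept_on_error: bool) -> bool:
    """Accept (True) or reject (False) a certificate by its serial number.

    Methods run in the order they were added to the panel. A method that
    errors hands off to the next one; the first definitive answer ends the
    chain. If every method errors, the result is governed by the 'Consider
    certificate valid if revocation checking returns errors' override.
    """
    if not methods:              # 'Do not check certificates for revocation'
        return True
    for method in methods:
        status = method(serial)
        if status is not Status.ERROR:
            return status is Status.GOOD
    return accept_on_error       # fail-open only if the override is enabled

def crl_method(urls: List[str], fetch: Callable[[str], Optional[Set[str]]]) -> Method:
    """Build a CRL method over an ordered list of static CRL URLs.

    URLs are tried in order; the first one that yields a CRL is used. If none
    of them does, the method reports ERROR and the chain moves on.
    """
    def check(serial: str) -> Status:
        for url in urls:
            crl = fetch(url)
            if crl is not None:
                return Status.REVOKED if serial in crl else Status.GOOD
        return Status.ERROR
    return check

# Constructed sample data: two static CRL URLs (one unreachable) and a
# stubbed OCSP responder that only knows about a subset of serials.
CRLS: Dict[str, Optional[Set[str]]] = {
    "http://crl1.example.test/ca.crl": None,       # unreachable
    "http://crl2.example.test/ca.crl": {"1001"},   # lists serial 1001 as revoked
}
OCSP_ANSWERS = {"1002": Status.REVOKED, "1003": Status.GOOD}

def ocsp_method(serial: str) -> Status:
    return OCSP_ANSWERS.get(serial, Status.ERROR)

def fetch_crl(url: str) -> Optional[Set[str]]:
    return CRLS.get(url)
```

With the override enabled, a certificate that is actually revoked is accepted whenever every configured source is unreachable, so that setting trades availability for a fail-open validation path.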


Cisco Security Appliance Command Line Configuration Guide

33-4

OL-16647-01
