Cisco Systems OL-16647-01 manual Advanced Configuration Options, 33-5

Chapter 33 Configuring Certificates

CA Certificate Authentication

CRL Retrieval Method Configuration

The CRL Retrieval Method panel lets you select the method to be used for CRL retrieval.

Click the Enable Lightweight Directory Access Protocol (LDAP) button to specify LDAP CRL retrieval. With LDAP, CRL retrieval starts an LDAP session by connecting to a named LDAP server, accessed by password. The connection is on TCP port 389 by default. Enter the specific LDAP parameters required:

Name:

Password:

Confirm Password:

Default Server: (server name)

Default Port: 389 (default)

HTTP - Click the Enable HTTP button to select HTTP CRL retrieval.

SCEP - Click the Enable Simple Certificate Enrollment Protocol (SCEP) button to select SCEP for CRL retrieval.

OCSP Rules Configuration

The Online Certificate Status Protocol (OCSP) panel lets you configure OCSP rules for obtaining revocation status of an X.509 digital certificate.

OCSP Rules Fields

Certificate Map—Displays the name of the certificate map to match to this OCSP rule. Certificate maps match user permissions to specific fields in a certificate. You must configure the certificate map before you configure OCSP rules.

Certificate—Displays the name of the CA the security appliance uses to validate responder certificates.

Index—Displays the priority number for the rule. The security appliance examines OCSP rules in priority order, and applies the first one that matches.

URL—Specifies the URL for the OCSP server for this certificate.

Add—Click to add a new OCSP rule.

Edit—Click to edit an existing OCSP rule.

Delete—Click to delete an OCSP rule.

Advanced Configuration Options

The Advanced tab lets you specify CRL and OCSP options. When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this time period expires; for example, due to security concerns or a change of name or association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking forces the security appliance to check that the CA has not revoked the certificate being verified.

The security appliance supports two methods of checking revocation status: CRL and OCSP.

Fields

CRL Options

Cache Refresh Time—Specify the number of minutes between cache refreshes. The default number of minutes is 60. The range is 1-1440.
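An added example, not from Cisco's guide or the appliance's own code, that models the CRL revocation check this tab configures: a retrieved CRL is reused for the configured cache refresh time, fetched again once that interval has elapsed, and rejected unless its signature verifies against the CA. Ruby's standard openssl library is used so that the CA and CRL can be built offline; CrlCache, fixture and the constructed serial numbers are this example's own names, not appliance terms.

```ruby
require 'openssl'

# Models the appliance's CRL cache: a CRL whose signature verifies against the
# issuing CA is reused until refresh_minutes (1-1440, default 60) have elapsed.
class CrlCache
  def initialize(fetch, refresh_minutes: 60)
    raise ArgumentError, "cache refresh time #{refresh_minutes} outside 1-1440" unless (1..1440).cover?(refresh_minutes)
    @fetch = fetch # stands in for the HTTP, LDAP or SCEP retrieval; returns DER bytes
    @refresh_seconds = refresh_minutes * 60
    @crl = nil
    @fetched_at = nil
  end

  # True if serial is on the CA's CRL. The list is refreshed only when stale, and
  # a list that does not verify against ca_cert is rejected rather than cached.
  def revoked?(serial, ca_cert, now: Time.now)
    if @crl.nil? || now - @fetched_at >= @refresh_seconds
      crl = OpenSSL::X509::CRL.new(@fetch.call)
      raise "CRL rejected: not signed by #{ca_cert.subject}" unless crl.verify(ca_cert.public_key)
      @crl, @fetched_at = crl, now
    end
    @crl.revoked.any? { |r| r.serial.to_i == serial }
  end
end

# Constructed fixture (not real CA material): a self-signed CA plus a CRL it
# signs that revokes serial 42. Returns the CA certificate and the CRL as DER.
def fixture(now = Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version, ca.serial = 2, 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  ca.public_key, ca.not_before, ca.not_after = key.public_key, now - 3600, now + 86_400
  ca.sign(key, OpenSSL::Digest.new('SHA256'))
  entry = OpenSSL::X509::Revoked.new
  entry.serial, entry.time = 42, now
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer, crl.last_update, crl.next_update = 1, ca.subject, now, now + 3600
  crl.add_revoked(entry)
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  [ca, crl.to_der]
end

if __FILE__ == $PROGRAM_NAME
  ca, der = fixture
  cache = CrlCache.new(-> { der })
  puts "serial 42 revoked? #{cache.revoked?(42, ca)}" # true
  puts "serial 7 revoked?  #{cache.revoked?(7, ca)}"  # false
end
```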

Cisco Security Appliance Command Line Configuration Guide