Cisco Systems OL-16647-01 manual Identity Certificates Authentication, 33-6


Chapter 33 Configuring Certificates


To avoid having to retrieve the same CRL from a CA repeatedly, the security appliance can store retrieved CRLs locally; this is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If caching a newly retrieved CRL would exceed the storage limit, the security appliance removes the least recently used CRL until enough space becomes available.

Enforce next CRL update—Require valid CRLs to have a Next Update value that has not expired. Clearing the box allows valid CRLs with no Next Update value or a Next Update value that has expired.
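The two behaviours described above (a bounded CRL cache that evicts the least recently used CRL first, and the "Enforce next CRL update" check) can be modelled in a few lines. The following is an added example written for this page, not code from the Cisco guide or the security appliance; the cache capacity, CRL sizes, issuer names and the reference time are all constructed sample values, and the `CRLCache` / `crl_acceptable` names are this example's own.

```python
# Added example (not from the Cisco guide): a model of the CRL cache behaviour
# the section describes. CRLs are cached up to a capacity, the least recently
# used CRL is evicted first, and "Enforce next CRL update" decides whether a CRL
# with a missing or expired Next Update value is acceptable.
# All CRL records, sizes and times below are constructed sample data.
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class CachedCRL:
    issuer: str                      # CA that signed the CRL
    size: int                        # bytes the CRL occupies in the cache
    next_update: Optional[datetime]  # None models a CRL with no Next Update field


class CRLCache:
    """Bounded CRL cache: evicts the least recently used entry to make room."""

    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes
        self.used = 0
        # OrderedDict keeps insertion order; the first key is the LRU candidate
        self._entries = OrderedDict()

    def get(self, issuer: str) -> Optional[CachedCRL]:
        crl = self._entries.get(issuer)
        if crl is not None:
            self._entries.move_to_end(issuer)  # mark as most recently used
        return crl

    def put(self, crl: CachedCRL) -> List[str]:
        """Store a CRL; returns the issuers whose CRLs were evicted to make room."""
        if crl.size > self.capacity:
            raise ValueError("CRL larger than the whole cache")
        if crl.issuer in self._entries:
            self.used -= self._entries.pop(crl.issuer).size  # replace old copy
        evicted = []
        while self.used + crl.size > self.capacity:
            old_issuer, old = self._entries.popitem(last=False)  # LRU end
            self.used -= old.size
            evicted.append(old_issuer)
        self._entries[crl.issuer] = crl
        self.used += crl.size
        return evicted


def crl_acceptable(crl: CachedCRL, enforce_next_update: bool, now: datetime) -> bool:
    """'Enforce next CRL update' semantics from the section:
    enforced -> the CRL must carry a Next Update value that is still in the future;
    cleared  -> a missing or expired Next Update value is tolerated."""
    if not enforce_next_update:
        return True
    return crl.next_update is not None and crl.next_update > now


def demo():
    """Constructed walk-through: fill a 1000-byte cache, touch one entry, then
    insert a third CRL so the untouched entry is evicted as least recently used."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    cache = CRLCache(capacity_bytes=1000)
    cache.put(CachedCRL("CA-A", 400, now + timedelta(days=7)))
    cache.put(CachedCRL("CA-B", 400, None))
    cache.get("CA-A")  # A is now most recently used, B becomes the LRU candidate
    evicted = cache.put(CachedCRL("CA-C", 300, now - timedelta(days=1)))
    no_next_update = CachedCRL("CA-B", 400, None)
    return (
        evicted,                                          # ["CA-B"]
        cache.used,                                       # 700
        crl_acceptable(cache.get("CA-A"), True, now),     # True: future Next Update
        crl_acceptable(no_next_update, True, now),        # False: enforced, none present
        crl_acceptable(no_next_update, False, now),       # True: box cleared
    )


if __name__ == "__main__":
    print(demo())
```

The eviction loop keeps removing from the LRU end until the new CRL fits, which is what "removes the least recently used CRL until enough space becomes available" implies when a single eviction is not enough. A CRL whose Next Update has already passed is still stored and served from the cache here; whether it is accepted is decided separately by `crl_acceptable`, mirroring the fact that the enforce checkbox governs validation rather than caching.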

OCSP Options

Server URL—Enter the URL for the OCSP server. The security appliance uses OCSP servers in the following order:

1. OCSP URL in a match certificate override rule

2. OCSP URL configured in this OCSP Options attribute

3. AIA field of remote user certificate

Disable nonce extension—By default the OCSP request includes the nonce extension, which cryptographically binds each request to its response to prevent replay of an earlier response. The security appliance matches the nonce in the request against the nonce in the response and requires them to be the same. Disable the nonce extension if the OCSP server you are using sends pre-generated responses that do not contain this matching nonce extension.
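The responder selection order listed under Server URL and the nonce binding that "Disable nonce extension" turns off are both simple policy decisions. Below is an added example written for this page; it is not code from the Cisco guide or the security appliance. `UserCert`, `OcspOptions`, the match rule representation (a substring of the certificate subject mapped to a URL) and the toy request/response dictionaries are this example's own assumptions, and the URLs are constructed.

```python
# Added example (not from the Cisco guide): the OCSP responder selection order
# given in the section (match certificate override rule, then the URL set in
# OCSP Options, then the certificate's AIA field) and the request/response
# nonce matching that "Disable nonce extension" switches off.
# Names, rule format and sample values are constructed for illustration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class UserCert:
    subject: str
    aia_ocsp_url: Optional[str]  # OCSP URL from the Authority Information Access extension, if any


@dataclass
class OcspOptions:
    server_url: Optional[str] = None    # "Server URL" in OCSP Options
    disable_nonce: bool = False         # "Disable nonce extension"
    # hypothetical match certificate override rules: subject substring -> OCSP URL
    override_rules: Dict[str, str] = field(default_factory=dict)


def select_ocsp_url(cert: UserCert, opts: OcspOptions) -> Optional[str]:
    """Pick the responder in the order the section lists; None if nothing applies."""
    for pattern, url in opts.override_rules.items():  # 1. match certificate override rule
        if pattern in cert.subject:
            return url
    if opts.server_url:                               # 2. URL configured in OCSP Options
        return opts.server_url
    return cert.aia_ocsp_url                          # 3. AIA field of the user certificate


def build_request(cert: UserCert, opts: OcspOptions) -> dict:
    """Toy request record; the nonce is omitted when the option disables it."""
    req = {"subject": cert.subject}
    if not opts.disable_nonce:
        req["nonce"] = secrets.token_hex(16)  # fresh random value per request
    return req


def response_acceptable(request: dict, response: dict, opts: OcspOptions) -> bool:
    """Binding check: with the nonce enabled a response is accepted only if it
    echoes the request's nonce, so a pre-generated or replayed response fails.
    With the nonce disabled no binding is checked (pre-generated responders)."""
    if opts.disable_nonce:
        return True
    if "nonce" not in request or "nonce" not in response:
        return False
    return secrets.compare_digest(request["nonce"], response["nonce"])


if __name__ == "__main__":
    cert = UserCert("CN=alice,O=Example", "http://aia.example/ocsp")
    opts = OcspOptions(server_url="http://cfg.example/ocsp")
    print(select_ocsp_url(cert, opts))
    req = build_request(cert, opts)
    print(response_acceptable(req, {"nonce": req["nonce"], "status": "good"}, opts))
    print(response_acceptable(req, {"status": "good"}, opts))
```

The second `print` shows the case the section warns about: a responder that serves pre-generated responses returns no nonce, so with the default setting every response is rejected, and the operator's only options are to enable the nonce on the responder or to clear the nonce check on the appliance and accept that responses are no longer bound to individual requests.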

Validation Policy

Specify the type of client connections that can be validated by this CA—Click SSL or IPSec to restrict the type of remote session this CA can be used to validate, or click SSL and IPSec to let the CA validate both types of sessions.

Other Options

Accept certificates issued by this CA—Specify whether or not the security appliance should accept certificates from CA Name.

Accept certificates issued by the subordinate CAs of this CA

Identity Certificates Authentication

An Identity Certificate can be used to authenticate VPN access through the security appliance. Click the SSL Settings or the IPsec Connections links on the Identity Certificates panel for additional configuration information.

The Identity Certificates Authentication panel allows you to:

Add an Identity Certificate. See Add/Install an Identity Certificate.

Display details of an Identity Certificate. See Show Identity Certificate Details.

Delete an existing Identity Certificate. See Delete an Identity Certificate.

Export an existing Identity Certificate. See Export an Identity Certificate.

Install an Identity Certificate. See Installing Identity Certificates.

Enroll for a certificate with Entrust. See Generate

 

Cisco Security Appliance Command Line Configuration Guide

33-6

OL-16647-01
