41-13
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Configuring Digital Certificates
Configuring CRLs for a Trustpoint
To use mandatory or optional CRL checking during certificate authentication, you must configure CRLs
for each trustpoint. To configure CRLs for a trustpoint, perform the following steps:
Step17 serial-number
Example:
hostname/contexta(config-ca-trustpoint)# serial
number JMX1213L2A7
During enrollment, asks the CA to include the ASA
serial number in the certificate.
Step18 write memory
Example:
hostname/contexta(config)# write memory
Saves the running configuration.
Command Purpose
Command Purpose
Step1 crypto ca trustpoint trustpoint-name
Example:
hostname (config)# crypto ca trustpoint Main
Enters crypto ca trustpoint configuration mode for
the trustpoint whose CRL configuration you want to
modify.
Note Make sure that you have enabled CRLs
before entering this command. In addition,
the CRL must be available for authentication
to succeed.
Step2 crl configure
Example:
hostname (config-ca-trustpoint)# crl configure
Enters crl configuration mode for the current
trustpoint.
Tip To set all CRL configuration parameters to
default values, use the default command. At
any time during CRL configuration, reenter
this command to restart the procedure.
Step3 Do one of the following:
policy cdp
Example:
hostname (config-ca-crl)# policy cdp
Configures retrieval policy. CRLs are retrieved only
from the CRL distribution points specified in
authenticated certificates.
Note SCEP retrieval is not supported by
distribution points specified in certificates.
To continue, go to Step 5.
policy static
Example:
hostname (config-ca-crl)# policy static
Configures retrieval policy. CRLs are retrieved only
from URLs that you configure.
To continue, go to Step 4.