Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 41 Configuring Digital Certificates
Downloading CRLs
To make the CRL available for HTTP download on a given interface or port, perform the following steps:
Step 1  Command: crypto ca server

        Example:
        hostname(config)# crypto ca server

        Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Step 2  Command: publish-crl interface interface port portnumber

        Example:
        hostname(config-ca-server)# publish-crl outside 70

        Purpose: Opens a port on an interface to make the CRL accessible from that interface. The specified
        interface and port are used to listen for incoming requests for the CRL. The interface and optional
        port selections are as follows:

            inside      Name of interface / GigabitEthernet0/1
            management  Name of interface / Management0/0
            outside     Name of interface / GigabitEthernet0/0

        Port numbers can range from 1-65535. TCP port 80 is the HTTP default port number.

        Note  If you do not specify this command, the CRL is not accessible from the CDP location, because
              this command is required to open an interface to download the CRL file.

        The CDP URL can be configured to use the IP address of an interface, and the path of the CDP URL and
        the filename can also be configured (for example, http://10.10.10.100/user8/my_crl_file). In this
        case, only the interface with that IP address configured listens for CRL requests, and when a request
        comes in, the ASA matches the path, /user8/my_crl_file, to the configured CDP URL. When the path
        matches, the ASA returns the stored CRL file.

        Note  The protocol must be HTTP, so the prefix displayed is http://.
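The following is an added example, not code from the Cisco guide or from the ASA itself. It models, in plain Python, the publish-crl and CDP-URL rules the procedure above describes so that a configuration can be sanity-checked before it is applied: the listener interface must be one of the named interfaces, the port must fall in 1-65535 (80 when omitted), the CDP URL must use http://, its host must be the address of the listening interface, and an incoming request is answered only when its path matches the configured CDP path. The interface addresses in INTERFACE_ADDRESSES are constructed sample values, and the assumption that a CDP URL without an explicit port refers to port 80 is this example's, not a statement from the guide.

```python
from urllib.parse import urlparse

# Constructed sample addresses for the interface names used in the guide.
INTERFACE_ADDRESSES = {
    "inside": "10.10.10.1",
    "management": "192.168.1.1",
    "outside": "10.10.10.100",
}

HTTP_DEFAULT_PORT = 80  # the guide: TCP port 80 is the HTTP default port number


def publish_crl_is_valid(interface, port=HTTP_DEFAULT_PORT):
    """Check the arguments of 'publish-crl interface <name> port <n>'.

    The interface must be a known name and the port must be within 1-65535.
    """
    if interface not in INTERFACE_ADDRESSES:
        return False
    return 1 <= port <= 65535


def cdp_url_check(cdp_url, listeners):
    """Check a configured CDP URL against the publish-crl listeners.

    listeners is a list of (interface, port) tuples. Returns (ok, reason).
    Assumption (this example's): a CDP URL without an explicit port means port 80.
    """
    parsed = urlparse(cdp_url)
    if parsed.scheme != "http":
        return False, "the protocol must be HTTP, so the CDP URL must start with http://"
    url_port = parsed.port or HTTP_DEFAULT_PORT
    for interface, port in listeners:
        if INTERFACE_ADDRESSES.get(interface) == parsed.hostname and port == url_port:
            return True, f"CRL served on {interface}:{port} at path {parsed.path}"
    return False, "no publish-crl listener has the CDP URL's interface address and port"


def would_serve_crl(cdp_url, listeners, request_ip, request_port, request_path):
    """Decide whether a request arriving at request_ip:request_port for request_path
    receives the stored CRL: the listener must exist, and the requested path must
    match the path configured in the CDP URL.
    """
    ok, _ = cdp_url_check(cdp_url, listeners)
    if not ok:
        return False
    parsed = urlparse(cdp_url)
    return (
        parsed.hostname == request_ip
        and (parsed.port or HTTP_DEFAULT_PORT) == request_port
        and parsed.path == request_path
    )


if __name__ == "__main__":
    # Mirrors the guide's example: publish-crl outside 70, CDP on the outside address.
    listeners = [("outside", 70)]
    print(cdp_url_check("http://10.10.10.100:70/user8/my_crl_file", listeners))
    print(would_serve_crl("http://10.10.10.100:70/user8/my_crl_file",
                          listeners, "10.10.10.100", 70, "/user8/my_crl_file"))
```

The useful check in practice is the mismatch cases: a CDP URL that omits the port while publish-crl opened a non-default one, or an https:// prefix, both come back as not served, which is exactly the situation in which peers silently fail CRL retrieval.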