44-15
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 44 Configuring Digital Certificates
Configuring CA Certificate Authentication
Configuring Advanced CRL and OCSP Settings
When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate
before this time period expires; for example, because of security concerns or a change of name or
association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking
forces the ASA to check that the CA has not revoked the certificate being verified. The ASA supports
two methods of checking revocation status: CRL and OCSP.
To configure additional CRL and OCSP settings, perform the following steps:
Step 1 In the ASDM application window, choose Configuration > Site-to-Site VPN > Certificate Management > CA Certificates > Add to display the Install Certificates dialog box. Then click More Options.
Step 2 In the Configuration Options for CA Certificates pane, click the Advanced tab.
Step 3 In the CRL Options area, enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available.
Step 4 Check the Enforce next CRL update check box to require valid CRLs to have a Next Update value that has not expired. Uncheck the Enforce next CRL update check box to allow valid CRLs that have no Next Update value, or whose Next Update value has expired.
Step 5 In the OCSP Options area, enter the URL for the OCSP server. The ASA uses OCSP servers according to the following order:
1. OCSP URL in a match certificate override rule
2. OCSP URL configured in the selected OCSP Options attribute
3. AIA field of a remote user certificate
Step 6 By default, the Disable nonce extension check box is checked, which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable nonce extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.
Step 7 In the Validation Policy area, choose one of the following options:
- Click the SSL radio button or the IPsec radio button to restrict the type of remote session that this CA can be used to validate.
- Click the SSL and IPsec radio buttons to let the CA validate both types of sessions.
Step 8 In the Other Options area, choose one of the following options:
- Check the Accept certificates issued by this CA check box to indicate that the ASA should accept certificates from the specified CA.
- Check the Accept certificates issued by the subordinate CAs of this CA check box to indicate that the ASA should accept certificates from the subordinate CA.
Step 9 Click OK to close this tab, and then click Apply to save your configuration changes.
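The following Python model, added here as an example and not Cisco's code, shows the effect of the settings in Steps 3 through 6: a byte-bounded CRL cache that evicts the least recently used entry and refreshes after the configured interval, the Enforce next CRL update check, the OCSP responder precedence order, and the nonce match that binds an OCSP response to its request. The class and function names, the cache capacity, the reference time and the sample CRLs are constructed for illustration only.

```python
"""Added example: a model of the ASA revocation-check options described above.
Not Cisco code; all names, sizes and sample CRLs are constructed."""
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass(frozen=True)
class Crl:
    issuer: str
    revoked_serials: frozenset
    next_update: Optional[datetime]   # None models a CRL that carries no Next Update field
    size: int                         # bytes; drives the cache-capacity model


class CrlCache:
    """Byte-bounded cache that evicts the least recently used CRL when full."""

    def __init__(self, capacity_bytes: int, refresh_minutes: int = 60):
        if not 1 <= refresh_minutes <= 1440:          # ASDM accepts 1-1440 minutes
            raise ValueError("refresh interval must be 1-1440 minutes")
        self.capacity = capacity_bytes
        self.refresh = timedelta(minutes=refresh_minutes)
        self._entries: "OrderedDict[str, tuple[Crl, datetime]]" = OrderedDict()

    def used(self) -> int:
        return sum(crl.size for crl, _ in self._entries.values())

    def get(self, issuer: str, now: datetime) -> Optional[Crl]:
        entry = self._entries.get(issuer)
        if entry is None:
            return None
        crl, fetched_at = entry
        if now - fetched_at >= self.refresh:          # refresh interval elapsed: re-fetch
            del self._entries[issuer]
            return None
        self._entries.move_to_end(issuer)             # mark as most recently used
        return crl

    def put(self, crl: Crl, now: datetime) -> bool:
        if crl.size > self.capacity:
            return False                              # can never fit
        self._entries.pop(crl.issuer, None)
        while self.used() + crl.size > self.capacity:
            self._entries.popitem(last=False)         # drop the least recently used CRL
        self._entries[crl.issuer] = (crl, now)
        return True

    def issuers(self) -> list:
        return list(self._entries)


def crl_is_usable(crl: Crl, now: datetime, enforce_next_update: bool) -> bool:
    """Enforce next CRL update: require a Next Update value that has not passed."""
    if not enforce_next_update:
        return True
    return crl.next_update is not None and crl.next_update > now


def select_ocsp_url(override_url=None, trustpoint_url=None, aia_url=None) -> Optional[str]:
    """Responder precedence: match-certificate override, then the OCSP Options
    URL of the trustpoint, then the AIA field of the user certificate."""
    for url in (override_url, trustpoint_url, aia_url):
        if url:
            return url
    return None


def ocsp_response_accepted(request_nonce, response_nonce, nonce_disabled: bool) -> bool:
    """With the nonce extension in use, the response must echo the request's
    nonce; with it disabled (pregenerated responses), no match is required."""
    if nonce_disabled:
        return True
    return request_nonce is not None and request_nonce == response_nonce


def demo() -> dict:
    """Exercise the model with constructed CRLs and return the outcomes."""
    root = Crl("root-ca", frozenset({"0x1001"}), NOW + timedelta(hours=12), 600)
    sub = Crl("sub-ca", frozenset(), NOW - timedelta(minutes=5), 300)   # Next Update already passed
    legacy = Crl("legacy-ca", frozenset(), None, 200)                    # no Next Update field

    cache = CrlCache(capacity_bytes=1000, refresh_minutes=60)
    cache.put(root, NOW)
    cache.put(sub, NOW)                 # 900 of 1000 bytes used
    cache.get("root-ca", NOW)           # root-ca becomes most recently used
    cache.put(legacy, NOW)              # needs 200 bytes: evicts sub-ca (LRU), keeps root-ca

    return {
        "cached": cache.issuers(),
        "root_after_refresh": cache.get("root-ca", NOW + timedelta(minutes=61)),
        "sub_usable_strict": crl_is_usable(sub, NOW, True),
        "sub_usable_relaxed": crl_is_usable(sub, NOW, False),
        "legacy_usable_strict": crl_is_usable(legacy, NOW, True),
        "serial_1001_revoked": "0x1001" in root.revoked_serials,
        "ocsp_url": select_ocsp_url(None, "http://ocsp.example.test", "http://aia.example.test"),
        "nonce_mismatch_accepted": ocsp_response_accepted(b"\x01", b"\x02", nonce_disabled=False),
        "pregenerated_accepted": ocsp_response_accepted(b"\x01", None, nonce_disabled=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows why the two CRL settings interact: with Enforce next CRL update on, both the stale sub-ca CRL and the legacy CRL without a Next Update field are rejected, so a CA that publishes CRLs without Next Update needs the check box cleared or the ASA will fail validation against it.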