10-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 10 Managing the Security Manager Server
Certificate Trust Management
Certificate Trust Management Feature
The certificate trust management feature in Security Manager has these characteristics:
• It behaves like a browser: it trusts only what you, as the user, consciously choose to trust.
• It lets you view a certificate and use your own judgment in accepting or rejecting it.
• It proactively validates a certificate to help you decide. For example, it checks whether the certificate is self-signed (not issued by a trusted Certificate Authority), expired, not yet valid, or revoked.
• After you accept a certificate, it stores that certificate on your Security Manager server.
• It provides transparency and control: you can retrieve and add a certificate, view a certificate, and remove a stored certificate.
• During communication with Cisco.com, it compares the certificate presented by the live server with the stored certificate and proceeds only on a complete match. The complete certificate chain, not just the root certificate, is compared. On a mismatch, the current operation is aborted until you view and accept the new certificate.
• It performs a daily check of the certificates stored on your Security Manager server for revocation and validity, and it removes any revoked or invalid certificates from the server. It does this by contacting the CRL distribution point URLs listed in each certificate. The schedule is fixed: the daily check runs at 2:00 a.m.
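As an added illustration, not code from the Cisco documentation or from Security Manager itself, the following Go program models the two checks described in the list above: the complete-chain comparison against the stored chain, and the per-certificate validation (self-signed, expired, not yet valid) that is shown to you before you accept. Revocation checking is network-bound, so the offline model only reports whether a certificate carries a CRL distribution point at all. The CA name, the site name download.example.test, the CRL URL and the lifetimes are constructed for this example; the program generates its own throwaway keys and certificates so it runs with nothing but the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 of the DER encoding: equal only if every byte matches.
func Fingerprint(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.Raw)
}

// ChainMatches applies the "complete match" rule: the live chain must have the same
// length as the stored chain and the identical certificate at every position.
func ChainMatches(stored, live []*x509.Certificate) bool {
	if len(stored) != len(live) {
		return false
	}
	for i := range stored {
		if Fingerprint(stored[i]) != Fingerprint(live[i]) {
			return false
		}
	}
	return true
}

// Problems reports what a user should weigh before accepting a certificate. Revocation
// needs a live CRL fetch, so offline it can only report whether a CRL URL is present.
func Problems(c *x509.Certificate, now time.Time) []string {
	var out []string
	if bytes.Equal(c.RawSubject, c.RawIssuer) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		out = append(out, "self-signed")
	}
	if now.After(c.NotAfter) {
		out = append(out, "expired")
	}
	if now.Before(c.NotBefore) {
		out = append(out, "not yet valid")
	}
	if len(c.CRLDistributionPoints) == 0 {
		out = append(out, "no CRL distribution point")
	}
	return out
}

// newCert issues a certificate for the demo; a nil parent yields a self-signed CA.
// Names, lifetimes and the CRL URL passed in are constructed for this example only.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	notBefore, notAfter time.Time, crl []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		CRLDistributionPoints: crl,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	now := time.Now()
	root, rootKey := newCert("Demo Root CA", nil, nil, now.Add(-24*time.Hour), now.Add(8760*time.Hour), nil)
	site, _ := newCert("download.example.test", root, rootKey, now.Add(-time.Hour), now.Add(720*time.Hour), []string{"http://crl.example.test/demo.crl"})
	stored := []*x509.Certificate{site, root} // kept on the server once the user accepts it
	renewed, _ := newCert("download.example.test", root, rootKey, now, now.Add(720*time.Hour), nil)
	fmt.Println("same chain:", ChainMatches(stored, []*x509.Certificate{site, root}))
	fmt.Println("renewed leaf:", ChainMatches(stored, []*x509.Certificate{renewed, root}))
	fmt.Println("root:", Problems(root, now), "site:", Problems(site, now))
}
```

The second comparison is the case practitioners most often hit: the download site renews its certificate under the same root, the root still verifies, but the pinned chain no longer matches byte for byte, so the operation is aborted until the new chain is viewed and accepted. That is exactly the mismatch that the Troubleshooting section below asks you to resolve by retrieving the new certificate.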
Download Requirements
To download images from Cisco.com, you must retrieve, view, and accept both the latest certificate of the image meta-data locator and the latest certificate of the download site URL. The Security Manager interface displays messages to assist you at the relevant points, and detailed documentation is available in Image Manager Page, page 11-28 and Edit Update Server Settings Dialog Box, page 11-34.
Troubleshooting
The CRL is not stored on your Security Manager server during the daily checks for certificate revocation and validity; it is fetched live each time. For that reason, if connectivity is lost, the daily check cannot detect any certificate revocations that have occurred. The checks detect revocations again once connectivity is restored and the next scheduled check succeeds.
If a failure occurs while downloading ASA images or checking for IPS update packages, the most probable causes are the following:
• The site's certificate is not found on your Security Manager server
• The certificate received from the site does not match the stored certificate
• The site's certificate has expired
In all three cases, the operation is aborted, and a message gives the cause of the error and the URL of the failed site. To recover, navigate to the user interface of the certificate feature (Tools > Security Manager Administration... > Image Manager, or Tools > Security Manager Administration... > IPS Updates > [Update Server group] > Edit Settings); then retrieve, view, and accept the new certificate from the site and retry the download.
If a failure occurs while checking for IPS updates, verify that you have accepted both the certificate of the Cisco.com site used to obtain the meta-data information for IPS packages and the certificate of the actual download site of the IPS packages. Cisco recommends that you always configure email notification of job execution status: the email lists the recommended actions for recovering from the error and contains the failed download URL, which you can copy into the certificate feature to retrieve the certificate.