User Guide for Cisco Secure Access Control System 5.4
Chapter 8  Managing Users and Identity Stores
Configuring CA Certificates
Editing a Certificate Authority and Configuring Certificate Revocation Lists
Use this page to edit a trusted CA (Certificate Authority) certificate.
Step 1  Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate page appears with a list of configured certificates.
Step 2  Click the name that you want to modify, or check the check box for the Name, and click Edit.
Complete the fields in the Edit Trust Certificate List Properties page as described in Table 8-23:
When ACS delays the CA CRL, CA is retained on the local file system. The CA is not refreshed until
you resubmit it.
By default ACS will fail all user certificates of a CA for which the CRL has expired.
If CA is resubmitted, the following error is shown:
12514 EAP-TLS failed SSL/TLS handshake.
This is because of the unknown CA.
If CA is not resubmitted, the following error is shown:
12515 EAP-TLS failed SSL/TLS
This is because of the expired CRL.
If you choose Ignore CRL Expiration, authentication will fail for revoked certificates and succeed for
non-revoked certificates.
Table 8-23  Edit Certificate Authority Properties Page

Option                                   Description
Friendly Name                            The name that is associated with the certificate.
Description                              (Optional) A brief description of the CA certificate.
Issued To                                Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject.
Issued By                                Display only. The certification authority that issued the certificate.
Valid From                               Display only. The start date of the certificate's validity. An X.509 certificate is valid only from the start date to the end date (inclusive).
Valid To (Expiration)                    Display only. The last date of the certificate's validity.
Serial Number                            Display only. The serial number of the certificate.
Description                              Description of the certificate.
Trust for client with EAP-TLS            Check this box so that ACS uses the trust list for the TLS-related EAP protocols.

Certificate Status Validation
OCSP Configuration                       Use this section to configure the OCSP service.
Validate against OCSP service            Check this box and select the OCSP service from the drop-down list to validate the requests against the selected OCSP service.
Reject the request if certificate        Check this box to reject the request if the certificate status could not be determined by the OCSP service.
  status could not be determined by OCSP
Certificate Revocation List              Use this section to configure the CRL.
  Configuration
Download CRL                             Check this box to download the CRL.
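The following Python model is an added example, not Cisco ACS code, and illustrates the CRL and OCSP decisions described above (fail all user certificates when the CRL has expired, accept non-revoked certificates when Ignore CRL Expiration is set, and reject when OCSP status cannot be determined and that option is checked). The class and function names (CaPolicy, Crl, check_client_cert), the rule that an OCSP "good" answer is taken as final and that an undetermined OCSP answer falls through to the CRL check, and the sample CA name, serials and timestamps are all assumptions constructed for the example.

```python
"""Model of per-CA revocation checking, modelled on the options in Table 8-23.

Added example, not product code. Names and sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Decision(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


@dataclass(frozen=True)
class Crl:
    issuer: str                    # CA that signed the CRL
    next_update: datetime          # CRL is considered expired after this instant
    revoked_serials: FrozenSet[str]


@dataclass(frozen=True)
class CaPolicy:
    """Per-CA options as they appear on the Edit Certificate Authority page."""
    download_crl: bool = False
    ignore_crl_expiration: bool = False
    validate_against_ocsp: bool = False
    reject_if_ocsp_undetermined: bool = False


def check_client_cert(issuer: str, serial: str, now: datetime, policy: CaPolicy,
                      crl: Optional[Crl] = None,
                      ocsp_status: Optional[str] = None) -> Tuple[Decision, str]:
    """Return (decision, reason) for a client certificate issued by `issuer`.

    ocsp_status is "good", "revoked" or None (undetermined). The fall-through
    from an undetermined OCSP answer to the CRL check is an assumption of
    this example, as is treating "good" as final.
    """
    if policy.validate_against_ocsp:
        if ocsp_status == "revoked":
            return Decision.REJECT, "OCSP reports certificate revoked"
        if ocsp_status == "good":
            return Decision.ACCEPT, "OCSP reports certificate good"
        if policy.reject_if_ocsp_undetermined:
            return Decision.REJECT, "OCSP status could not be determined"
        # Undetermined and not configured to reject: fall through to the CRL.
    if policy.download_crl:
        if crl is None:
            return Decision.REJECT, "no CRL available for CA"
        if crl.issuer != issuer:
            return Decision.REJECT, "CRL issuer does not match CA"
        # Default behaviour: an expired CRL fails every certificate of the CA.
        if now > crl.next_update and not policy.ignore_crl_expiration:
            return Decision.REJECT, "CRL expired"
        # With Ignore CRL Expiration the stale list is still consulted.
        if serial in crl.revoked_serials:
            return Decision.REJECT, "certificate is on the CRL"
    return Decision.ACCEPT, "certificate not revoked"


# Constructed sample data (not real CA names, serials or times).
CA = "CN=Example Issuing CA"
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
FRESH_CRL = Crl(CA, NOW + timedelta(days=1), frozenset({"0A"}))
STALE_CRL = Crl(CA, NOW - timedelta(days=1), frozenset({"0A"}))


def sample_results() -> Dict[str, Tuple[Decision, str]]:
    """Run the scenarios the page describes and return their outcomes."""
    strict = CaPolicy(download_crl=True)
    lenient = CaPolicy(download_crl=True, ignore_crl_expiration=True)
    ocsp_strict = CaPolicy(validate_against_ocsp=True, reject_if_ocsp_undetermined=True)
    ocsp_fallback = CaPolicy(validate_against_ocsp=True, download_crl=True)
    return {
        "stale_crl_default": check_client_cert(CA, "0B", NOW, strict, STALE_CRL),
        "stale_crl_ignore_expiry_ok": check_client_cert(CA, "0B", NOW, lenient, STALE_CRL),
        "stale_crl_ignore_expiry_revoked": check_client_cert(CA, "0A", NOW, lenient, STALE_CRL),
        "ocsp_undetermined_reject": check_client_cert(CA, "0B", NOW, ocsp_strict, None, None),
        "ocsp_undetermined_fallback": check_client_cert(CA, "0B", NOW, ocsp_fallback, FRESH_CRL, None),
    }


if __name__ == "__main__":
    for name, (decision, reason) in sample_results().items():
        print(f"{name:34} {decision.value:7} {reason}")
```

The model keeps the CA's default fail-closed behaviour: a stale CRL rejects every certificate unless Ignore CRL Expiration is set, and even then revoked serials on the stale list are still rejected.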