8-74
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Configuring CA Certificates
Step 3 Click Submit.
The Trust Certificate page appears with the edited certificate.
The administrator has the right to configure CRL and OCSP verification. If both CRL and OCSP verification are configured at the same time, ACS performs OCSP verification first. If it detects any communication problems with either the primary or secondary servers, or if the verification returns the status of a given certificate as unknown, ACS moves on to perform the CRL validation.
Related Topics
User Certificate Authentication, page B-6
Overview of EAP-TLS, page B-6
Deleting a Certificate Authority
Use this page to delete a trusted CA (Certificate Authority) certificate:
Step 1 Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate List page appears with a list of configured certificates.
Step 2 Check one or more check boxes next to the certificates that you want to delete.
Step 3 Click Delete.
Step 4 Click Yes to confirm.
Table 8-23 Edit Certificate Authority Properties Page (continued)

Option                                          Description
CRL Distribution URL                            Enter the CRL distribution URL. You can specify a URL that uses HTTP.
Retrieve CRL                                    ACS attempts to download a CRL from the CA. Toggle the time settings for ACS to retrieve a new CRL from the CA.
                                                Automatically—Obtain the next update time from the CRL file. If unsuccessful, ACS tries to retrieve the CRL periodically after the first failure until it succeeds.
                                                Every—Determines the frequency between retrieval attempts. Enter the amount in units of time.
If Download Failed Wait                         Enter the amount of time to attempt to retrieve the CRL, if the retrieval initially failed.
Bypass CRL Verification if CRL is not Received  If unchecked, all the client requests that use the certificate that is signed by the selected CA will be rejected until ACS receives the CRL file. When checked, the client request may be accepted before the CRL is received.
Ignore CRL Expiration                           Check this box to check a certificate against an outdated CRL. When checked, ACS continues to use the expired CRL and permits or rejects EAP-TLS authentications according to the contents of the CRL. When unchecked, ACS examines the expiration date of the CRL in the Next Update field in the CRL file. If the CRL has expired, all authentications that use the certificate that is signed by the selected CA are rejected.
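The following is an added example, not Cisco's code, that models the decision flow described in this section: with both OCSP and CRL configured, OCSP runs first, and only an unknown status or a responder communication failure falls through to the CRL stage, where the "Bypass CRL Verification if CRL is not Received" and "Ignore CRL Expiration" options from Table 8-23 decide the outcome. The serial numbers, timestamps and class names are constructed for illustration.

```python
# Added model of the documented ACS 5.4 decision flow (not Cisco's code).
from dataclasses import dataclass
from enum import Enum


class OcspResult(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder answered but status is unknown
    UNREACHABLE = "unreachable"  # primary and secondary responders both failed


@dataclass(frozen=True)
class CrlSettings:
    bypass_if_not_received: bool  # "Bypass CRL Verification if CRL is not Received"
    ignore_expiration: bool       # "Ignore CRL Expiration"


@dataclass(frozen=True)
class CrlState:
    received: bool
    next_update: int              # Next Update field of the CRL, epoch seconds (constructed)
    revoked_serials: frozenset    # serial numbers listed in the CRL (constructed)


def crl_decision(serial, settings, crl, now):
    """CRL stage, following the option descriptions in Table 8-23."""
    if not crl.received:
        if settings.bypass_if_not_received:
            return True, "accepted: CRL not yet received, bypass enabled"
        return False, "rejected: CRL not yet received"
    if now > crl.next_update and not settings.ignore_expiration:
        # Expired CRL rejects every certificate signed by this CA.
        return False, "rejected: CRL past Next Update"
    if serial in crl.revoked_serials:
        return False, "rejected: serial listed in CRL"
    return True, "accepted: serial not listed in CRL"


def accept_certificate(serial, ocsp, settings, crl, now):
    """Both OCSP and CRL configured: OCSP runs first, CRL only on fallback."""
    if ocsp is OcspResult.GOOD:
        return True, "accepted: OCSP good"
    if ocsp is OcspResult.REVOKED:
        return False, "rejected: OCSP revoked"
    # Unknown status or a communication problem with both responders
    # falls through to CRL validation, as the section describes.
    return crl_decision(serial, settings, crl, now)
```

The reason string makes it easy to see which stage produced the verdict when comparing a configuration against expected behaviour.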