Cisco Systems OL-16647-01 Publish CRL Interface and Port, CRL Lifetime, Database Storage Location

Chapter 33 Configuring Certificates

Local Certificate Authority

Publish CRL Interface and Port:

Makes the CRL available for HTTP download on a given interface and port. Select an interface from the pull-down list. The optional port can be any port number in the range 1-65535; TCP port 80 is the HTTP default port number.

The CDP URL can be configured to use the IP address of an interface, and the path of the CDP URL and the file name can also be configured. (Note that you cannot rename the CRL; it always has the fixed name LOCAL-CA-SERVER.crl.)

For example, the CDP URL could be configured as http://10.10.10.100/user8/my_crl_file. In this case only the interface with that IP address serves the CRL, and, when a request comes in, the security appliance matches the requested path /user8/my_crl_file against the configured CDP URL. When the path matches, the security appliance returns the CRL file from storage. Note that the protocol must be HTTP, so the prefix is http://.

CRL Lifetime

The Certificate Revocation List (CRL) Lifetime field specifies the length of time in hours that the CRL is valid. The default for the CA Certificate is six hours.

The Local CA updates and reissues the CRL every time a user certificate is revoked or unrevoked, but if there are no revocation changes, the CRL is reissued once every CRL lifetime. You can force an immediate CRL update and list regeneration with the CRL Issue button on the Manage CA Certificates panel.

Database Storage Location

The Database Storage Location field allows you to specify a storage area for the Local CA configuration and data files. The security appliance accesses and implements user information, issued certificates, revocation lists, and so forth using a Local CA database.

The Local CA database can be configured to reside on an off-box file system that is mounted and accessible to the security appliance. To specify an external file or share, enter the pathname to the external file or click Browse and search for the file.

Note: Flash memory can store a database of 3500 users or less; a database of more than 3500 users requires off-box storage.

Default Subject Name

The Default Subject Name (DN) field allows you to specify a default subject name to append to a username on issued certificates. The permitted DN attribute keywords are:

Default Subject-name-default DN Keywords

CN = Common Name
SN = Surname
O = Organization Name
L = Locality
C = Country
OU = Organization Unit
EA = E-mail Address
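As an added example (not from the Cisco guide), the following Python applies the rules described in the Publish CRL Interface and Port and Default Subject Name sections: it checks a CDP URL against the stated constraints (http only, an interface IP address as host, port 1-65535 with 80 as default, exact path match) and builds a certificate subject from a username plus a default subject name restricted to the permitted DN keywords. It assumes that the username becomes the CN and that the default subject name is written as comma-separated keyword=value components; neither detail is stated on the page.

```python
import ipaddress
from urllib.parse import urlparse

# Permitted DN attribute keywords, taken from the Default Subject Name table.
PERMITTED_DN_KEYWORDS = {"CN", "SN", "O", "L", "C", "OU", "EA"}

def parse_default_subject_name(default_dn):
    """Split 'O=Example Corp, C=US' into (keyword, value) pairs, rejecting
    any attribute keyword that is not in the permitted set."""
    pairs = []
    for part in default_dn.split(","):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part.strip()!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key.upper() not in PERMITTED_DN_KEYWORDS or not value:
            raise ValueError(f"DN component {part.strip()!r} is not permitted")
        pairs.append((key.upper(), value))
    return pairs

def build_subject_dn(username, default_dn):
    """Assumption (not stated on the page): the username becomes the CN and
    the default subject name components are appended after it."""
    if not username or "," in username or "=" in username:
        raise ValueError("username must be non-empty and contain no ',' or '='")
    pairs = parse_default_subject_name(default_dn)
    if any(key == "CN" for key, _ in pairs):
        raise ValueError("default subject name must not set CN; the username supplies it")
    return ",".join([f"CN={username}"] + [f"{k}={v}" for k, v in pairs])

def validate_cdp_url(url, interface_ips):
    """Apply the page's CDP URL rules: http scheme only, host must be the
    address of a configured interface, port 1-65535 (80 by default). Only a
    request for the exact path is answered with the CRL; returns (host, port, path)."""
    parsed = urlparse(url)
    if parsed.scheme != "http":
        raise ValueError("CDP URL must use the http:// prefix")
    try:
        host = str(ipaddress.ip_address(parsed.hostname))
    except ValueError:
        raise ValueError("CDP URL host must be an interface IP address") from None
    if host not in interface_ips:
        raise ValueError(f"{host} is not the address of a configured interface")
    port = 80 if parsed.port is None else parsed.port  # urlparse rejects ports > 65535
    if port < 1:
        raise ValueError("port must be in the range 1-65535")
    return host, port, parsed.path
```

The interface address set stands in for the appliance's configured interfaces; in practice it would come from the running configuration.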

Cisco Security Appliance Command Line Configuration Guide    33-16    OL-16647-01