Cisco Systems OL-16647-01 manual Configuration Options for CA Certificates, 33-4

Chapter 33 Configuring Certificates

CA Certificate Authentication

Configuration Options for CA Certificates

Additional configuration options are available, whether you are adding a new CA certificate with the Add button or modifying an existing CA certificate with the Edit button.

The following panels are the tab-selectable displays that address CA certificate configuration specifics. Each tabbed display is summarized in the following list:

Revocation Check—The Revocation Check panel lets you enable or disable revocation checking, specify the revocation checking method(s) (CRL or OCSP), and optionally ignore revocation-checking errors when validating a certificate. For details of the Revocation Check panel, see Revocation Check Configuration.

CRL Retrieval Policy—The CRL Retrieval Policy panel allows you to configure use of the CRL distribution point and/or static CRL URLs, with the ability to add, edit, and delete static CRL URLs. For details, see CRL Retrieval Policy Configuration.

CRL Retrieval Method—The CRL Retrieval Method panel allows you to choose Lightweight Directory Access Protocol (LDAP), HTTP, or Simple Certificate Enrollment Protocol (SCEP) as the method to be used for CRL retrieval. For the LDAP method, you can also configure the LDAP parameters and security. See CRL Retrieval Method Configuration.

OCSP Rules—Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of an X.509 digital certificate and is an alternative to certificate revocation lists (CRLs). For details, see OCSP Rules Configuration.

Advanced—The Advanced panel allows you to set up CRL update parameters, OCSP parameters, and certificate acceptance and validation parameters. See Advanced Configuration Options.

Revocation Check Configuration

With the Revocation Check Edit Option panel, you can specify degrees of user certificate revocation checking as follows:

No Revocation Checking - Click the Do not check certificates for revocation button to disable revocation checking of certificates.

Revocation Checking Method(s) - Click the Check certificates for revocation button to select one or more revocation checking methods. Available methods are displayed on the left; use the Add button to move a method to the right.

The methods you select are tried in the order in which you add them. If a method returns an error, the next method in the list is tried.

Revocation Checking Override - Click the Consider certificate valid if revocation checking returns errors button to ignore revocation-checking errors. With this option, a certificate whose revocation status cannot be determined is accepted as valid.

CRL Retrieval Policy Configuration

With the CRL Retrieval Policy panel, you specify either the CRL Distribution Point from the certificate or a static location from which the CRL is retrieved for revocation checking.

Certificate CRL Distribution Point - Click the Use CRL Distribution Point from the certificate button to direct revocation checking to the CRL DP included in the certificate being checked.

Static URL - Click the Use Static URLs configured below button to list specific URLs to be used for CRL retrieval. The URLs you list are tried in the order in which you add them. If a URL returns an error, the next URL in the list is tried.

://—Type the location that distributes the CRLs.
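The same revocation settings expressed in ASA trustpoint command-line form, as an added example rather than text from this guide; the trustpoint names and URLs are assumed placeholders. The first trustpoint ends its method list with `none`, which has the same effect as the Consider certificate valid if revocation checking returns errors button (a failed lookup is treated as "not revoked"); the second tries CRL and then OCSP in order and rejects the certificate if every method errors, falling back from the certificate's CDP to a static CRL URL.

```cisco
! ASSUMED example, not from the guide: placeholder names and URLs throughout.
! Fail-open: "none" as the last method means that if the CRL cannot be
! fetched or parsed, the certificate is accepted anyway.
crypto ca trustpoint EXAMPLE-CA-OPEN
 revocation-check crl none
 crl configure
  policy cdp
  protocol http

! Fail-closed: CRL is checked first; OCSP is consulted only if the CRL
! lookup errors. With no "none" in the list, an error in every method
! causes the certificate to be rejected.
crypto ca trustpoint EXAMPLE-CA-STRICT
 revocation-check crl ocsp
 ocsp url http://ocsp.example.com/
 crl configure
  ! "both": use the CDP from the certificate first, then the static URLs
  ! below, in index order, if the CDP retrieval fails.
  policy both
  url 1 http://crl.example.com/ca.crl
  url 2 http://crl-backup.example.com/ca.crl
  protocol http
  ! Reject CRLs that carry no NextUpdate field, so a stale CRL with no
  ! expiry cannot be served indefinitely.
  enforcenextupdate
```

Check the effective setting with `show running-config crypto ca trustpoint` and look for `none` at the end of any `revocation-check` line.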

Cisco Security Appliance Command Line Configuration Guide

33-4

OL-16647-01
