Advanced Configuration Options, 33-5 | Cisco Systems OL-16647-01

Chapter 33 Configuring Certificates

CA Certificate Authentication

CRL Retrieval Method Configuration

The CRL Retrieval Method panel lets you select the method to be used for CRL retrieval.

•Click the Enable Lightweight Directory Access Protocol (LDAP) button to specify LDAP CRL retrieval. With LDAP, CRL retrieval starts an LDAP session by connecting to a named LDAP server, accessed by password. The connection is on TCP port 389 by default. Enter the specific LDAP parameters required:

–Name:

–Password:

–Confirm Password:

–Default Server: (server name)

–Default Port: 389 (default)

•HTTP - Click the Enable HTTP button to select HTTP CRL retrieval

•SCEP - Click the Enable Simple Certificate Enrollment Protocol (SCEP) to select SCEP for CRL retrieval.

OCSP Rules Configuration

The Online Certificate Status Protocol (OCSP) panel lets you configure OCSP rules for obtaining revocation status of an X.509 digital certificate.

OCSP Rules Fields

•Certificate Map—Displays the name of the certificate map to match to this OCSP rule. Certificate maps match user permissions to specific fields in a certificate. You must configure the certificate map before you configure OCSP rules.

•Certificate—Displays the name of the CA the security appliance uses to validate responder certificates.

•Index—Displays the priority number for the rule. The security appliance examines OCSP rules in priority order, and applies the first one that matches.

•URL—Specifies the URL for the OCSP server for this certificate.

•Add—Click to add a new OCSP rule.

•Edit—Click to edit an existing OCSP rule.

•Delete—Click to delete an OCSP rule.