Chapter 8 Managing Users and Identity Stores

Configuring CA Certificates

Table 8-20 Edit Certificate Authority Properties Page (continued)

Option: Description

Certificate Revocation List Configuration: Use this section to configure the CRL.

Download CRL: Check this box to download the CRL.

CRL Distribution URL: Enter the CRL distribution URL. You can specify a URL that uses HTTP.

Retrieve CRL: ACS attempts to download a CRL from the CA. Toggle the time settings for ACS to retrieve a new CRL from the CA.

    Automatically—Obtain the next update time from the CRL file. If unsuccessful, ACS tries to retrieve the CRL periodically after the first failure until it succeeds.

    Every—Determines the frequency between retrieval attempts. Enter the amount in units of time.

If Download Failed Wait: Enter the amount of time to attempt to retrieve the CRL, if the retrieval initially failed.

Bypass CRL Verification if CRL is not Received: If unchecked, all the client requests that use the certificate that is signed by the selected CA will be rejected until ACS receives the CRL file. When checked, the client request may be accepted before the CRL is received.

Ignore CRL Expiration: Check this box to check a certificate against an outdated CRL.

    When checked, ACS continues to use the expired CRL and permits or rejects EAP-TLS authentications according to the contents of the CRL.

    When unchecked, ACS examines the expiration date of the CRL in the Next Update field in the CRL file. If the CRL has expired, all authentications that use the certificate that is signed by the selected CA are rejected.

Step 3 Click Submit.

The Trust Certificate page appears with the edited certificate.
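The following added example models the Bypass CRL Verification if CRL is not Received and Ignore CRL Expiration options as Table 8-20 describes them, and lists the combinations under which a certificate the CA has already revoked is still accepted. It is not Cisco code: the function names, serial numbers and dates are constructed, and it assumes every other EAP-TLS check on the certificate has passed.

```python
# Added example: model of the two CRL options as the table describes them.
# Not Cisco code; all names, serial numbers and dates are constructed.
from dataclasses import dataclass
from datetime import datetime
from itertools import product
from typing import Optional

@dataclass(frozen=True)
class Crl:
    next_update: datetime   # "Next Update" field of the CRL file
    revoked: frozenset      # serial numbers listed in this CRL

def decide(serial, now, crl: Optional[Crl], bypass_if_missing, ignore_expiration):
    """Return 'accept' or 'reject' for a certificate signed by the selected CA.
    Assumes every other check on the certificate has already passed."""
    if crl is None:                                    # CRL not received yet
        return "accept" if bypass_if_missing else "reject"
    if now > crl.next_update and not ignore_expiration:
        return "reject"                                # expired CRL: reject all
    return "reject" if serial in crl.revoked else "accept"

# Constructed scenario: the CA revoked serial 0x1001 after it issued the
# CRL that the server still holds (STALE); FRESH is the CRL it should have.
NOW = datetime(2024, 6, 15)
STALE = Crl(next_update=datetime(2024, 6, 8), revoked=frozenset({0x0042}))
FRESH = Crl(next_update=datetime(2024, 6, 20), revoked=frozenset({0x0042, 0x1001}))
STATES = {"not received": None, "expired, predates revocation": STALE, "current": FRESH}

def fail_open_cases(serial=0x1001):
    """List (CRL state, bypass, ignore) combinations that accept a revoked certificate."""
    hits = []
    for (state, crl), bypass, ignore in product(STATES.items(), (False, True), (False, True)):
        if decide(serial, NOW, crl, bypass, ignore) == "accept":
            hits.append((state, bypass, ignore))
    return hits

if __name__ == "__main__":
    for state, bypass, ignore in fail_open_cases():
        print(f"revoked cert accepted: CRL {state}; "
              f"bypass={bypass}, ignore_expiration={ignore}")
```

With both boxes unchecked, no combination accepts the revoked certificate; each checked box opens one window in which it is accepted.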

Related Topics

User Certificate Authentication, page B-6

Overview of EAP-TLS, page B-6

Deleting a Certificate Authority

Use this page to delete a trusted CA (Certificate Authority) certificate:

Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate List page appears with a list of configured certificates.

Step 2 Check one or more check boxes next to the certificates that you want to delete.

Step 3 Click Delete.

Step 4 Click Yes to confirm.

The Trust Certificate page appears without the deleted certificate(s).

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01