Appendix B Authentication in ACS 5.3

Certificate Attributes

Rules Relating to Textual Attributes

ACS collects the textual attributes of the client certificate and places them in the ACS context dictionary. Rule-based policy can then be applied to these attributes, exactly as to any other rule attribute in ACS.

The attributes that can be used in rule conditions are:

Subject's CN attribute

Subject's O attribute (Organization)

Subject's OU attribute (Organization Unit)

Subject's L attribute (Location)

Subject's C attribute (Country)

Subject's ST attribute (State or Province)

Subject's E attribute (eMail)

Subject's SN attribute (Subject Serial Number)

SAN (Subject Alternative Name)

Subject

SAN—Email

SAN—DNS

SAN—otherName

Certificate Revocation

Every client certificate that ACS receives is checked against a Certificate Revocation List (CRL) according to the policy you define.

The CRL mechanism verifies whether a client certificate can still be relied upon. It does this by checking the serial number of the certificate, and the serial number of each member of the corresponding certificate chain, against a list of certificates that are known to have been revoked.

Possible reasons for revoking a certificate include suspicion that the associated private key has been compromised, or the realization that the certificate was issued improperly. If either condition exists, the certificate is rejected.

ACS supports a static CRL: a list of URLs, stored in the ACS database, from which the CRL files are downloaded.

Note ACS does not support delta CRLs in certificate revocation validation.
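The following is an added example in Python, not Cisco's or ACS's own code, showing the two steps described above end to end: extracting the listed textual attributes from a client certificate and matching a rule against them, then looking each chain member's serial number up in the CRL of its issuer. It assumes the third-party `cryptography` package is installed; the CA, client certificate, subject values, SAN entries, serial numbers, rule operators and dictionary keys (such as `Subject-OU` and `SAN-Email`) are all constructed here for illustration and are not ACS's internal dictionary names.

```python
"""Added example, not ACS code. Requires the third-party `cryptography` package;
the CA, client certificate, names, SAN entries and serial numbers are constructed here."""
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOT_BEFORE, NOT_AFTER = dt.datetime(2012, 1, 1), dt.datetime(2013, 1, 1)  # fixed window, UTC
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName type

def issue(subject, issuer, key, signing_key, serial, san=None, ca=False):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return b.sign(signing_key, hashes.SHA256())

CA_KEY, CLIENT_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA"),
                     x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp")])
CA_CERT = issue(CA_NAME, CA_NAME, CA_KEY, CA_KEY, 1, ca=True)
CLIENT_NAME = x509.Name([  # constructed subject covering every DN attribute listed above
    x509.NameAttribute(NameOID.COMMON_NAME, "alice"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Engineering"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "San Jose"),
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),
    x509.NameAttribute(NameOID.EMAIL_ADDRESS, "alice@example.com"),
    x509.NameAttribute(NameOID.SERIAL_NUMBER, "EMP-0042")])
# otherName carries an OID plus a DER value; here a DER UTF8String (tag 0x0c, length 0x11) UPN.
CLIENT_SAN = [x509.RFC822Name("alice@example.com"), x509.DNSName("alice-laptop.example.com"),
              x509.OtherName(UPN_OID, b"\x0c\x11alice@example.com")]
CLIENT_CERT = issue(CLIENT_NAME, CA_NAME, CLIENT_KEY, CA_KEY, 0x1001, san=CLIENT_SAN)

def textual_attributes(cert):
    """The attributes listed above, under illustrative keys (not ACS's dictionary names)."""
    def first(oid):
        vals = cert.subject.get_attributes_for_oid(oid)
        return vals[0].value if vals else None
    attrs = {"Subject-CN": first(NameOID.COMMON_NAME), "Subject-O": first(NameOID.ORGANIZATION_NAME),
             "Subject-OU": first(NameOID.ORGANIZATIONAL_UNIT_NAME), "Subject-L": first(NameOID.LOCALITY_NAME),
             "Subject-C": first(NameOID.COUNTRY_NAME), "Subject-ST": first(NameOID.STATE_OR_PROVINCE_NAME),
             "Subject-E": first(NameOID.EMAIL_ADDRESS), "Subject-SN": first(NameOID.SERIAL_NUMBER),
             "Subject": cert.subject.rfc4514_string(), "SAN-Email": [], "SAN-DNS": [], "SAN-otherName": []}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return attrs
    attrs["SAN-Email"] = san.get_values_for_type(x509.RFC822Name)
    attrs["SAN-DNS"] = san.get_values_for_type(x509.DNSName)
    for other in san.get_values_for_type(x509.OtherName):  # decode only the UTF8String (UPN) case
        text = other.value[2:].decode() if other.value[:1] == b"\x0c" else other.value.hex()
        attrs["SAN-otherName"].append((other.type_id.dotted_string, text))
    return attrs

def matches_rule(attrs, conditions):
    """Every (attribute, operator, value) condition must hold; a list-valued SAN
    attribute satisfies a condition if any of its entries does."""
    ops = {"equals": lambda a, v: a == v, "ends-with": lambda a, v: a.endswith(v), "contains": lambda a, v: v in a}
    for attr, op, value in conditions:
        actual = attrs.get(attr)
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(c is not None and ops[op](c, value) for c in candidates):
            return False
    return True

def build_crl(issuer_cert, issuer_key, revoked, this_update, next_update):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(this_update).next_update(next_update))
    for serial, reason in revoked:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serial)
                                      .revocation_date(this_update)
                                      .add_extension(x509.CRLReason(reason), critical=False).build())
    return b.sign(issuer_key, hashes.SHA256())

def check_chain(chain, crls_by_issuer, issuer_certs):
    """Look each member's serial up in the CRL of *its* issuer (serials are unique only per issuer),
    after verifying that CRL under the issuer's key. Rejecting on a missing CRL is this example's
    choice, not a statement about ACS behaviour."""
    for cert in chain:
        issuer = cert.issuer.rfc4514_string()
        crl = crls_by_issuer.get(issuer)
        if crl is None:
            return ("reject", f"no CRL for issuer {issuer}")
        if not crl.is_signature_valid(issuer_certs[issuer].public_key()):
            return ("reject", f"CRL for {issuer} has an invalid signature")
        hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        if hit is not None:
            reason = hit.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
            return ("reject", f"serial {cert.serial_number:#x} revoked ({reason})")
    return ("accept", "no chain member is revoked")

CHAIN, ISSUERS = [CLIENT_CERT, CA_CERT], {CA_NAME.rfc4514_string(): CA_CERT}
RULE = [("Subject-OU", "equals", "Engineering"), ("SAN-Email", "ends-with", "@example.com")]
CRL_CLEAN = build_crl(CA_CERT, CA_KEY, [], NOT_BEFORE, NOT_BEFORE + dt.timedelta(days=7))
CRL_REVOKED = build_crl(CA_CERT, CA_KEY, [(CLIENT_CERT.serial_number, x509.ReasonFlags.key_compromise)],
                        NOT_BEFORE, NOT_BEFORE + dt.timedelta(days=7))
```

Running `matches_rule(textual_attributes(CLIENT_CERT), RULE)` returns True, and `check_chain(CHAIN, {CA_NAME.rfc4514_string(): CRL_REVOKED}, ISSUERS)` rejects the chain once the client serial appears on the CA's CRL, while the same chain is accepted against `CRL_CLEAN`. Two points worth carrying into real deployments: a serial number is only meaningful together with its issuer, so each chain member must be matched against the CRL of the CA that issued it, and a CRL must verify under that CA's key before any of its entries are acted on.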

You can configure a set of URLs used for CRL updates for each trusted CA certificate. By default, when you add a CA certificate, ACS takes all the URLs stored in the certificate's crlDistributionPoint extension as the initial static CRL URLs for that CA. In most cases, however, the crlDistributionPoint of a CA certificate points to the CRL that could revoke the CA certificate itself (the one published by its parent CA), not to the CRL issued by this CA, so you will usually need to edit the URL to point to the CRL file that this CA issues. You can configure only a single HTTP-based URL for each CA.

You can configure the download parameters for each CA; they apply to all the URLs configured for that CA. ACS supports two download modes: periodic download, and download of the next CRL just before the current one is about to expire.

For periodic download, you define the download interval.

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
B-33