B-33
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
Certificate Attributes

Rules Relating to Textual Attributes

ACS collects the textual attributes of the client certificate and places them in the ACS context dictionary. ACS can
apply any rule-based policy on these attributes, as with any other rule attributes in ACS.
The attributes that can be used for rule verification are:
Subject's CN attribute
Subject's O attribute (Organization)
Subject's OU attribute (Organization Unit)
Subject's L attribute (Location)
Subject's C attribute (Country)
Subject's ST attribute (State Province)
Subject's E attribute (eMail)
Subject's SN attribute (Subject Serial Number)
SAN (Subject Alternative Name)
Subject
SAN—Email
SAN—DNS
SAN—otherName
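The following is an added example (not Cisco's code and not part of this guide) showing how the textual attributes listed above can be collected into a context dictionary and then evaluated by a rule-based policy. It assumes the subject is available as an RFC 4514 distinguished-name string and the SAN entries as (type, value) pairs; the dictionary layout, the rule format, and all certificate contents are constructed for the example.

```python
"""Added example: build an ACS-style context dictionary from a client
certificate's textual attributes and evaluate rule-based policy on it.

The subject DN and SAN entries are constructed sample data. The attribute
names (CN, O, OU, L, C, ST, E, SN, SAN-Email, SAN-DNS, SAN-otherName) mirror
the ones the appendix lists; the dictionary layout and rule format are
assumptions of this example.
"""

# RFC 4514 attribute types -> the attribute names used in this example's dictionary.
_DN_KEYS = {
    "CN": "CN", "O": "O", "OU": "OU", "L": "L", "C": "C", "ST": "ST",
    "E": "E", "EMAILADDRESS": "E", "SERIALNUMBER": "SN",
}


def parse_dn(dn):
    """Split an RFC 4514 distinguished-name string into (key, value) pairs.

    Backslash-escaped characters are honoured, so a value such as
    'Example\\, Inc.' is not split at its comma. Unknown attribute types are
    kept under their own name so nothing is silently dropped.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().upper()
        pairs.append((_DN_KEYS.get(key, key), value.strip()))
    return pairs


def build_context(subject_dn, san_entries):
    """Return a context dictionary like the one ACS fills from the client cert.

    Multi-valued attributes (several OUs, several SAN-DNS names) are kept as
    lists so a rule can match any of them.
    """
    ctx = {}
    for key, value in parse_dn(subject_dn):
        ctx.setdefault(key, []).append(value)
    ctx["Subject"] = [subject_dn]
    for san_type, value in san_entries:          # e.g. ("Email", "alice@example.test")
        ctx.setdefault("SAN-" + san_type, []).append(value)
    return ctx


def evaluate_rules(ctx, rules):
    """First-match rule evaluation over the context dictionary.

    Each rule is (name, conditions, result); a condition is
    (attribute, operator, operand) with operators 'equals', 'ends-with',
    'contains' and 'in'. All conditions of a rule must hold (AND).
    An attribute absent from the certificate never matches, so a rule
    cannot be satisfied by a certificate that simply omits the field.
    """
    def holds(attr, op, operand):
        values = ctx.get(attr, [])
        if op == "equals":
            return operand in values
        if op == "ends-with":
            return any(v.endswith(operand) for v in values)
        if op == "contains":
            return any(operand in v for v in values)
        if op == "in":
            return any(v in operand for v in values)
        raise ValueError("unknown operator: " + op)

    for name, conditions, result in rules:
        if all(holds(*c) for c in conditions):
            return name, result
    return "default", "deny"


# Constructed sample certificate contents (not taken from any real certificate).
SAMPLE_SUBJECT = (r"CN=alice,OU=Engineering,OU=VPN Users,O=Example\, Inc.,"
                  r"L=Austin,ST=Texas,C=US,emailAddress=alice@example.test,serialNumber=0042")
SAMPLE_SAN = [("Email", "alice@example.test"),
              ("DNS", "alice-laptop.corp.example.test"),
              ("otherName", "alice@CORP.EXAMPLE.TEST")]     # UPN-style otherName

SAMPLE_RULES = [
    ("vpn-engineering",
     [("OU", "equals", "VPN Users"), ("O", "equals", "Example, Inc."),
      ("SAN-DNS", "ends-with", ".corp.example.test")],
     "permit-full-access"),
    ("contractor",
     [("OU", "equals", "Contractors"), ("C", "in", {"US", "CA"})],
     "permit-restricted"),
]

if __name__ == "__main__":
    context = build_context(SAMPLE_SUBJECT, SAMPLE_SAN)
    print(context)
    print(evaluate_rules(context, SAMPLE_RULES))
```

Keeping every attribute multi-valued matters in practice: a certificate with two OU values must match a rule written against either of them, and a rule on an attribute the certificate does not carry should fail rather than match an empty string.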

Certificate Revocation

Every client certificate that ACS receives is verified with a Certificate Revocation List (CRL) according
to a policy that is defined.
The CRL mechanism verifies whether or not you can still rely on a client certificate. This is done by
checking the serial number of the certificate, and that of each member of the corresponding certificate
chain, against a list of certificates that are known to have been revoked.
Possible reasons for revocation of a certificate include suspicion that the associated private key has been
compromised or the realization that the certificate was issued improperly. If either of these conditions
exist, the certificate is rejected.
ACS supports a static CRL: a list of URLs, configured in the ACS database, from which the CRL files are
acquired.
Note ACS does not support delta CRLs in certificate revocation validation.
You can configure a set of URLs used for CRL updates for each trusted CA certificate. By default, when
adding a CA certificate, ACS automatically sets all the URLs stored in the certificate's
crlDistributionPoint as the initial static CRL for that CA. In most cases, the crlDistributionPoint points
to the CRL location used to revoke the CA certificate itself, but you can edit the URL to point to the
CRL file issued by this CA. You can configure only a single HTTP-based URL for each CA.
You can configure the parameters for each CA; they apply to all the URLs that are configured for
that CA. ACS supports two download modes: periodic download, and download of the next CRL update just
before the current one expires.
For periodic download, you can define the download period.
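The following is an added example (not Cisco's code and not part of this guide) of the revocation check described in this section: each member of the chain is looked up, by serial number, in the CRL published by its issuer, a delta CRL is refused because ACS does not support it, and the next CRL download is scheduled under either of the two modes above. The CRL record layout, the function names, the fail-closed handling of a missing or stale CRL, and every serial number and timestamp are constructed assumptions of this example.

```python
"""Added example: check a client certificate chain against per-CA static
CRLs and compute when the next CRL download is due.

All CRL contents, serial numbers and timestamps are constructed sample data;
the record layout and function names are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset          # revoked serial numbers (ints)
    is_delta: bool = False      # delta CRLs are not supported, so they are refused


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int


def check_chain(chain, crls, now):
    """Return (ok, reason) for a chain whose first entry is the client cert
    and whose every entry is signed by the next.

    Every member except the self-signed root is looked up in the CRL published
    by its issuer. This example fails closed: a missing or stale CRL, or a
    delta CRL, rejects the chain rather than being silently accepted.
    """
    by_issuer = {c.issuer: c for c in crls}
    for cert in chain:
        if cert.subject == cert.issuer:
            continue                                  # trust anchor: not CRL-checked
        crl = by_issuer.get(cert.issuer)
        if crl is None:
            return False, "no CRL configured for %s" % cert.issuer
        if crl.is_delta:
            return False, "delta CRL for %s not supported" % cert.issuer
        if not (crl.this_update <= now <= crl.next_update):
            return False, "CRL for %s not valid at this time" % cert.issuer
        if cert.serial in crl.revoked:
            return False, "%s (serial %d) is revoked" % (cert.subject, cert.serial)
    return True, "chain not revoked"


def next_download(crl, mode, last_download, period=timedelta(hours=1),
                  lead=timedelta(minutes=15)):
    """When the next CRL fetch for this CA is due.

    'periodic'      -> a fixed interval after the last download.
    'before-expiry' -> shortly before the current CRL's nextUpdate, so a fresh
                       CRL is in place before the old one stops being valid.
    """
    if mode == "periodic":
        return last_download + period
    if mode == "before-expiry":
        return crl.next_update - lead
    raise ValueError("unknown download mode: " + mode)


# Constructed sample data: a two-level CA with one revoked client certificate.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ROOT = Cert("Example Root CA", "Example Root CA", 1)
SUB = Cert("Example Issuing CA", "Example Root CA", 1001)
ALICE = Cert("alice", "Example Issuing CA", 0x4242)
MALLORY = Cert("mallory", "Example Issuing CA", 0x4243)
ROOT_CRL = Crl("Example Root CA", NOW - timedelta(days=1), NOW + timedelta(days=6), frozenset())
ISSUING_CRL = Crl("Example Issuing CA", NOW - timedelta(hours=2), NOW + timedelta(hours=22),
                  frozenset({0x4243}))

if __name__ == "__main__":
    for chain in ([ALICE, SUB, ROOT], [MALLORY, SUB, ROOT]):
        print(chain[0].subject, check_chain(chain, [ROOT_CRL, ISSUING_CRL], NOW))
    print("periodic:", next_download(ISSUING_CRL, "periodic", NOW))
    print("before-expiry:", next_download(ISSUING_CRL, "before-expiry", NOW))
```

The before-expiry mode is the one to prefer when a CA publishes CRLs on an irregular schedule: it keys the fetch to the CRL's own nextUpdate field, whereas a fixed period can leave a gap during which the cached CRL has already lapsed and, under the fail-closed handling shown here, authentications would be rejected.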