33-5
Cisco Security Appliance Command Line Configuration Guide
OL-16647-01
Chapter 33 Configuring Certificates
CA Certificate Authentication
CRL Retrieval Method Configuration
The CRL Retrieval Method panel lets you select the method to be used for CRL retrieval.
• LDAP - Click the Enable Lightweight Directory Access Protocol (LDAP) button to select LDAP CRL
retrieval. With LDAP, CRL retrieval starts an LDAP session by connecting to a named LDAP server and
binding with the name and password entered below. The connection is on TCP port 389 by default; a
simple bind on that port sends the password in cleartext, although the CRL itself is signed by the CA,
so its integrity does not depend on the transport. Enter the specific LDAP parameters required:
– Name:
– Password:
– Confirm Password:
– Default Server: (server name)
– Default Port: 389 (default)
• HTTP - Click the Enable HTTP button to select HTTP CRL retrieval.
• SCEP - Click the Enable Simple Certificate Enrollment Protocol (SCEP) button to select SCEP for CRL
retrieval.
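The CLI form of the panel settings above, given here as an added example rather than text from the guide: it selects LDAP retrieval with a bind name and password, and also sets the Cache Refresh Time described later under Advanced Configuration Options. The trustpoint name, LDAP host, bind name, password and CRL URL are assumed values for illustration.

```cisco
! Added example: CRL retrieval for trustpoint EXAMPLE-CA. Names, hosts, the
! bind DN and the password are assumed, not taken from the guide.
crypto ca trustpoint EXAMPLE-CA
 enrollment terminal
 ! Check the CRL. With no "none" fallback, a certificate is rejected when the
 ! CRL cannot be retrieved (fail closed); "revocation-check crl none" would
 ! accept the certificate instead (fail open).
 revocation-check crl
 crl configure
  ! Try the CDP in the certificate first, then the static URL configured below
  policy both
  ! LDAP retrieval, as selected by the Enable LDAP button; port 389 is the default
  protocol ldap
  ldap-defaults ldap.example.com 389
  ! Bind name and password (the panel's Name and Password fields). A simple bind
  ! on port 389 sends this password in cleartext.
  ldap-dn cn=crlreader,ou=svc,dc=example,dc=com CrlR3aderPass
  ! Static CRL location (index 1 of up to 5); with "protocol http" this would be an http:// URL
  url 1 ldap://ldap.example.com/cn=ExampleCA,ou=pki,dc=example,dc=com
  ! Cache Refresh Time from the Advanced tab: minutes between refreshes (1-1440, default 60)
  cache-time 30
  ! Reject a cached CRL whose NextUpdate time has passed
  enforcenextupdate
```

Verify the result with `show crypto ca crls` after a certificate has been validated through the trustpoint; if the CRL download fails and `none` is not in the `revocation-check` list, validation fails rather than silently succeeding.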
OCSP Rules Configuration
The Online Certificate Status Protocol (OCSP) panel lets you configure OCSP rules for obtaining
revocation status of an X.509 digital certificate.
OCSP Rules Fields
• Certificate Map—Displays the name of the certificate map to match to this OCSP rule. A certificate
map defines matching criteria against specific fields in a certificate, such as the subject or issuer
name, so that an OCSP rule applies only to certificates that satisfy those criteria. You must
configure the certificate map before you configure OCSP rules.
• Certificate—Displays the name of the CA the security appliance uses to validate responder
certificates.
• Index—Displays the priority number for the rule. The security appliance examines OCSP rules in
priority order, and applies the first one that matches.
• URL—Specifies the URL for the OCSP server for this certificate.
• Add—Click to add a new OCSP rule.
• Edit—Click to edit an existing OCSP rule.
• Delete—Click to delete an OCSP rule.
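The CLI form of an OCSP rule with the fields listed above, added here as an example and not text from the guide. The certificate map, trustpoint names and responder URLs are assumed for illustration; the certificate map is created first because the rule refers to it, as the Certificate Map field requires.

```cisco
! Added example: OCSP rule in CLI form. All names and URLs are assumed.
!
! 1. The certificate map the rule refers to; it must exist before the rule does.
!    This map matches certificates whose issuer CN is ExampleIssuingCA.
crypto ca certificate map EXAMPLE-MAP 10
 issuer-name attr cn eq ExampleIssuingCA
!
! 2. Trustpoint holding the CA certificate used to validate OCSP responder
!    signatures (the panel's Certificate column)
crypto ca trustpoint OCSP-RESPONDER-CA
 enrollment terminal
!
! 3. Trustpoint for the issuing CA, with OCSP revocation checking and the rule
crypto ca trustpoint EXAMPLE-CA
 enrollment terminal
 ! Weak setting, shown commented out: "ocsp none" accepts the certificate when
 ! no responder answers (fail open).
 ! revocation-check ocsp none
 ! Preferred: fail closed when revocation status cannot be obtained
 revocation-check ocsp
 ! Default responder, used when no rule matches
 ocsp url http://ocsp.example.com/
 ! OCSP rule: Certificate Map EXAMPLE-MAP, Certificate OCSP-RESPONDER-CA,
 ! Index 10, and the URL of the responder for certificates matching the map.
 ! Rules are tried in index order and the first match is applied.
 match certificate EXAMPLE-MAP override ocsp trustpoint OCSP-RESPONDER-CA 10 url http://ocsp-issuing.example.com/
```

Because the responder certificate is validated against the trustpoint named in the rule, a responder signing with a certificate from any other CA is rejected even if its status responses are otherwise well formed.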
Advanced Configuration Options
The Advanced tab lets you specify CRL and OCSP options. When a certificate is issued, it is valid for
a fixed period of time. Sometimes a CA revokes a certificate before this period expires; for example,
because the private key is suspected to be compromised, or because of a change of name or association.
CAs periodically issue a signed list of revoked certificates, the certificate revocation list (CRL).
Enabling revocation checking forces the security appliance to check that the CA has not revoked the
certificate being verified.
The security appliance supports two methods of checking revocation status: CRL and OCSP.
Fields
• CRL Options
– Cache Refresh Time—Specify the number of minutes between cache refreshes. The default is
60 minutes. The range is 1-1440.