Cisco Preparative Procedures & Operational User Guide
© 2016 Cisco Systems, Inc. All rights reserved.
4.4.10 Configure Static CRL for a Trustpoint
Revoked certificates are maintained in the Certificate Revocation List (CRL). Use the following
procedure to configure your FXOS chassis to validate peer certificates using CRL information.
1) From the FXOS CLI, enter the security mode:
scope system
scope security
2) Enter the trustpoint mode:
scope trustpoint trustname
3) Enter the revoke mode:
scope revoke
4) Download the CRL file(s):
import crl protocol://user_id@CA_or_CRL_issuer_IP/tmp/DoDCA1CRL1.crl
5) (Optional) Show status for import process of CRL information:
show import-task detail
6) Set the certificate revocation method to CRL-only:
set certrevokemethod {crl}
You can configure your Certificate Revocation List (CRL) check mode to be either strict or relaxed in
IPSec and secure LDAP connections.
Dynamic (non-static) CRL information is harvested from the CRL Distribution Point (CDP) extension of an
X.509 certificate. Static CRL information is downloaded manually by the system administrator and is held
locally on the FXOS system. Dynamic CRL information is checked only against the certificate currently being
processed in the certificate chain; the static CRL is applied to the whole peer certificate chain.
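The following Python model is an added illustration, not Cisco code and not FXOS behaviour beyond what the text above states. It represents certificates and CRLs as plain objects so it runs offline, and encodes the two rules just described: a static CRL is checked against every certificate in the peer chain, while a dynamic CRL is only the one named by the CDP of the certificate being processed. Strict mode failing the connection with a syslog line on an incomplete chain or a missing or unreachable CDP follows the result table; the syslog line format, the sample subjects, serials and CDP URLs, the skipping of a CDP check for the self-signed root, and the relaxed-mode tolerance of an unreachable CRL are assumptions of the model.

```python
"""Model of static vs. dynamic CRL checking (added illustration, not Cisco code).

Certificates, CRLs, and the syslog line format are constructed inline so the
script runs offline. Only the rules stated in the guide are mirrored: a static
CRL applies to the whole peer chain, a dynamic CRL fetched from a certificate's
CDP applies only to that certificate, and strict mode fails the connection with
a syslog message when the chain is incomplete or a CDP check cannot be done.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    cdp: Optional[str] = None  # CRL Distribution Point URL, None if absent


@dataclass
class Crl:
    issuer: str
    revoked_serials: Set[int] = field(default_factory=set)


def _revoked_by(cert: Cert, crl: Optional[Crl]) -> bool:
    """A CRL only speaks for certificates issued by the CRL's own issuer."""
    return crl is not None and crl.issuer == cert.issuer and cert.serial in crl.revoked_serials


def check_chain(chain: List[Cert], mode: str, static_crl: Optional[Crl] = None,
                dynamic_crls: Optional[Dict[str, Crl]] = None,
                syslog: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Validate a leaf-first peer chain. mode is 'strict' or 'relaxed'.

    dynamic_crls maps a CDP URL to the CRL a fetch would return (stand-in for the
    network fetch). Relaxed mode tolerating a missing CDP or unreachable CRL is an
    assumption of this model; the guide's table covers strict mode only.
    """
    dynamic_crls = dynamic_crls or {}
    log = syslog if syslog is not None else []

    def fail(reason: str) -> Tuple[bool, str]:
        # Constructed syslog format; FXOS's real message text is not reproduced.
        log.append("SYSLOG (constructed): certificate revocation check failed: " + reason)
        return False, reason

    # Strict mode requires the chain to be complete up to a self-signed root.
    if not chain or chain[-1].issuer != chain[-1].subject:
        if mode == "strict":
            return fail("full certificate chain is required")

    for cert in chain:
        # Static CRL: checked against every certificate in the chain.
        if _revoked_by(cert, static_crl):
            return fail(f"{cert.subject} is revoked in the static CRL")
        # Dynamic CRL: only the CRL named by this certificate's own CDP is used.
        if cert.issuer == cert.subject:
            continue  # self-signed root: no CDP check in this model (assumption)
        if cert.cdp is None:
            if mode == "strict":
                return fail(f"{cert.subject} has no CDP")
            continue
        crl = dynamic_crls.get(cert.cdp)
        if crl is None:
            if mode == "strict":
                return fail(f"CRL at {cert.cdp} is unavailable")
            continue
        if _revoked_by(cert, crl):
            return fail(f"{cert.subject} is revoked in the CRL from {cert.cdp}")
    return True, "chain valid"


def sample_chain() -> List[Cert]:
    """Constructed three-certificate chain: leaf, issuing CA, self-signed root."""
    return [
        Cert("CN=fxos-peer", "CN=Issuing-CA", 1001, "http://crl.example.test/issuing.crl"),
        Cert("CN=Issuing-CA", "CN=Root-CA", 7, "http://crl.example.test/root.crl"),
        Cert("CN=Root-CA", "CN=Root-CA", 1),
    ]


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Exercise the model on constructed inputs; returns scenario -> (ok, reason)."""
    chain = sample_chain()
    dynamic = {  # what a CDP fetch would return for each URL (constructed)
        "http://crl.example.test/issuing.crl": Crl("CN=Issuing-CA"),
        "http://crl.example.test/root.crl": Crl("CN=Root-CA"),
    }
    # Static CRL issued by the root that revokes the issuing CA (serial 7).
    static_revoking_ca = Crl("CN=Root-CA", {7})
    return {
        "clean_strict": check_chain(chain, "strict", dynamic_crls=dynamic),
        "static_revokes_intermediate": check_chain(
            chain, "strict", static_crl=static_revoking_ca, dynamic_crls=dynamic),
        "truncated_chain_strict": check_chain(chain[:2], "strict", dynamic_crls=dynamic),
        "cdp_unreachable_strict": check_chain(chain, "strict", dynamic_crls={}),
        "cdp_unreachable_relaxed": check_chain(chain, "relaxed", dynamic_crls={}),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The "static_revokes_intermediate" scenario is the point of the model: the leaf's own CDP reports nothing, yet the connection still fails, because the manually imported static CRL is consulted for the issuing CA as well as for the leaf. The same static CRL never affects the leaf, since a CRL only speaks for certificates of its own issuer.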
For steps to enable or disable certificate revocation checks for your secure LDAP and IPSec connections,
see Configure IPSec Secure Channel and Creating an LDAP Provider.
The following tables describe the LDAP and IPSec connection results, depending on your certificate
revocation list check setting and certificate validation.
Table 3 Certificate Revocation Check Mode set to Strict without a local static CRL
Check performed | LDAP connection | IPSec connection
Checking peer’s certificate chain | Full certificate chain is required | Full certificate chain is required
Checking CDP in peer’s certificate chain | Full certificate chain is required | Full certificate chain is required
CDP checking for Root CA certificate of the peer’s certificate chain | |
Any certificate validation failure | Connection fails with syslog | Connection fails with syslog