
Cisco FirePOWER ASA 5500 series User Manual

39-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 39 Configuring Certificates
Certificate Configuration
The OCSP server (responder) certificate typically signs the OCSP response. After receiving the
response, the security appliance tries to verify the responder certificate. The CA normally sets the
lifetime of its OCSP responder certificate to a relatively short period to minimize the chance of it being
compromised. The CA typically also includes an ocsp-no-check extension in the responder certificate
indicating that this certificate does not need revocation status checking. But if this extension is not
present, the security appliance tries to check its revocation status using the same method specified in the
trustpoint. If the responder certificate is not verifiable, the revocation check fails. To avoid this possibility,
configure revocation-check none in the responder certificate validating trustpoint, while configuring
revocation-check ocsp for the client certificate.
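
The split described above, as an added configuration sketch that is not taken from the guide. The trustpoint names CLIENT-CA-TP and OCSP-RESPONDER-TP and the responder URL are placeholders; it assumes the responder certificate is validated by its own trustpoint.

```text
! Constructed example; trustpoint names and the URL are placeholders.
!
! Trustpoint that validates client certificates:
! revocation status is checked with OCSP.
crypto ca trustpoint CLIENT-CA-TP
 enrollment terminal
 revocation-check ocsp
 ocsp url http://ocsp.example.com
!
! Trustpoint that validates the OCSP responder certificate:
! no revocation check, so a responder certificate that lacks the
! ocsp-no-check extension does not cause the client check to fail.
crypto ca trustpoint OCSP-RESPONDER-TP
 enrollment terminal
 revocation-check none
```

With revocation-check none on the responder trustpoint, the short responder certificate lifetime set by the CA is what bounds exposure if that certificate is compromised.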
Supported CA Servers
The security appliance supports the following CA servers:
• Cisco IOS CS
• Baltimore Technologies
• Entrust
• Microsoft Certificate Services
• Netscape CMS
• RSA Keon
• VeriSign
Certificate Configuration
This section describes how to configure the security appliance with certificates and other procedures
related to certificate use and management.
This section includes the following topics:
• Preparing for Certificates, page 39-5
• Configuring Key Pairs, page 39-6
• Configuring Trustpoints, page 39-7
• Obtaining Certificates, page 39-9
• Configuring CRLs for a Trustpoint, page 39-13
• Exporting and Importing Trustpoints, page 39-14
• Configuring CA Certificate Map Rules, page 39-15
Preparing for Certificates
Before you configure a security appliance with certificates, ensure that the security appliance is
configured properly to support certificates. An improperly configured security appliance can cause
enrollment to fail or to request a certificate containing inaccurate information.
