39-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 39 Configuring Certificates
Certificate Configuration
Configuring CRLs for a Trustpoint
If you want to use mandatory or optional CRL checking during certificate authentication, you must perform CRL configuration for each trustpoint. For more information about CRLs, see the “About CRLs” section on page 39-3.
To configure CRLs for a trustpoint, perform the following steps:
Step 1 Enter crypto ca trustpoint configuration mode for the trustpoint whose CRL configuration you want to modify. To do so, enter the crypto ca trustpoint command.
Step 2 If you have not already enabled CRLs, you can do so now by using the crl command with either the required or optional keyword. If you specify the required keyword, certificate authentication with this trustpoint cannot succeed if the CRL is unavailable.
Step 3 Enter the crl configure command.
hostname/contexta(config-ca-trustpoint)# crl configure
hostname/contexta(config-ca-crl)#
Upon entering this command, you enter the crl configuration mode for the current trustpoint.
Tip To set all CRL configuration options to their default values, use the default command. At any time while performing CRL configuration, if you want to start over, enter this command and restart this procedure.
Step 4 Configure the retrieval policy with the policy command. The following keywords for this command determine the policy.
• cdp—CRLs are retrieved only from the CRL distribution points specified in authenticated certificates.
Note SCEP retrieval is not supported by distribution points specified in certificates.
• static—CRLs are retrieved only from URLs you configure.
• both—CRLs are retrieved from CRL distribution points specified in authenticated certificates and from URLs you configure.
Step 5 If you used the keywords static or both when you configured the CRL policy, you need to configure URLs for CRL retrieval, using the url command. You can enter up to 5 URLs, ranked 1 through 5.
hostname/contexta(config-ca-crl)# url n URL
where n is the rank assigned to the URL. To remove a URL, use the no url n command.
Step 6 Configure the retrieval method with the protocol command. The following keywords for this command determine the retrieval method.
• http—Specifies HTTP as the CRL retrieval method.
• ldap—Specifies LDAP as the CRL retrieval method.
• scep—Specifies SCEP as the CRL retrieval method.
Step 7 Configure how long the security appliance caches CRLs for the current trustpoint. To specify the number of minutes the security appliance waits before considering a CRL stale, enter the following command.
hostname/contexta(config-ca-crl)# cache-time n
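The following session assembles Steps 1 through 7 into one complete CRL configuration for a trustpoint. It is an added example, not a session from the Cisco guide: the trustpoint name CORP-CA, the context name contexta, and the two CRL URLs are placeholders, and the chosen keyword values (required, static, http, 60) illustrate one reasonable configuration rather than the only one.

```text
hostname/contexta(config)# crypto ca trustpoint CORP-CA
hostname/contexta(config-ca-trustpoint)# crl required
hostname/contexta(config-ca-trustpoint)# crl configure
hostname/contexta(config-ca-crl)# default
hostname/contexta(config-ca-crl)# policy static
hostname/contexta(config-ca-crl)# url 1 http://crl.example.com/corp-ca.crl
hostname/contexta(config-ca-crl)# url 2 http://crl-backup.example.com/corp-ca.crl
hostname/contexta(config-ca-crl)# protocol http
hostname/contexta(config-ca-crl)# cache-time 60
hostname/contexta(config-ca-crl)# exit
hostname/contexta(config-ca-trustpoint)#
```

In this session, crl required makes authentication against CORP-CA fail closed when no CRL can be retrieved (Step 2). The default command is entered first so that the CRL options start from known values (Tip). The policy static keyword restricts retrieval to the URLs you configure, so the appliance never follows a distribution point embedded in a presented certificate; choose cdp or both only when you intend the certificate's own CDP to be consulted (Step 4). Two ranked URLs give a fallback if the primary CRL server is unreachable (Step 5), protocol http matches the scheme of those URLs (Step 6), and cache-time 60 causes the appliance to treat a cached CRL as stale, and fetch it again, after 60 minutes (Step 7).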