Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
44-15
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 44 Configuring Digital Certificates
Configuring CA Certificate Authentication
Configuring Advanced CRL and OCSP Settings
When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate
before this time period expires; for example, because of security concerns or a change of name or
association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking
forces the ASA to check that the CA has not revoked the certificate being verified. The ASA supports
two methods of checking revocation status: CRL and OCSP.
To configure additional CRL and OCSP settings, perform the following steps:
Step 1 In the ASDM application window, choose Configuration > Site-to-Site VPN > Certificate
Management > CA Certificates > Add to display the Install Certificates dialog box. Then click More
Options.
Step 2 In the Configuration Options for CA Certificates pane, click the Advanced tab.
Step 3 In the CRL Options area, enter the number of minutes between cache refreshes. The default is 60
minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly,
the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies
by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would
exceed its storage limits, the ASA removes the least recently used CRL until more space becomes
available.
Step 4 Check the Enforce next CRL update check box to require valid CRLs to have a Next Update value that
has not expired. Uncheck the Enforce next CRL update check box to let valid CRLs with no Next
Update value or a Next Update value that has expired.
Step 5 In the OCSP Options area, enter the URL for the OCSP server. The ASA uses OCSP servers according
to the following order:
1. OCSP URL in a match certificate override rule
2. OCSP URL configured in the selected OCSP Options attribute
3. AIA field of a remote user certificate
Step 6 By default, the Disable nonce extension check box is checked, which cryptographically binds requests
with responses to avoid replay attacks. This process works by matching the extension in the request to
that in the response, ensuring that they are the same. Uncheck the Disable nonce extension check box
if the OCSP server you are using sends pregenerated responses that do not include this matching nonce
extension.
Step 7 In the Validation Policy area, choose one of the following options:
Click the SSL radio button or the IPsec radio button to restrict the type of remote session that this
CA can be used to validate.
Click the SSL and IPsec radio buttons to let the CA validate both types of sessions.
Step 8 In the Other Options area, choose one of the following options:
Check the Accept certificates issued by this CA check box to indicate that the ASA should accept
certificates from the specified CA.
Check the Accept certificates issued by the subordinate CAs of this CA check box to indicate
that the ASA should accept certificates from the subordinate CA.
Step 9 Click OK to close this tab, and then click Apply to save your configuration changes.