Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Digital Certificates
Information About Digital Certificates
The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. The CRLs retrieved for each trustpoint
are cached for a configurable amount of time.
When the ASA has cached a CRL for longer than the amount of time it is configured to cache CRLs, the
ASA considers the CRL too old to be reliable, or “stale.” The ASA tries to retrieve a newer version of
the CRL the next time that a certificate authentication requires a check of the stale CRL.
The ASA caches CRLs for an amount of time determined by the following two factors:
• The number of minutes specified with the cache-time command. The default value is 60 minutes.
• The NextUpdate field in the CRLs retrieved, which may be absent from CRLs. You control whether
  the ASA requires and uses the NextUpdate field with the enforcenextupdate command.
The ASA uses these two factors in the following ways:
• If the NextUpdate field is not required, the ASA marks CRLs as stale after the length of time defined
  by the cache-time command.
• If the NextUpdate field is required, the ASA marks CRLs as stale at the sooner of the two times
  specified by the cache-time command and the NextUpdate field. For example, if the cache-time
  command is set to 100 minutes and the NextUpdate field specifies that the next update is 70 minutes
  away, the ASA marks CRLs as stale in 70 minutes.
If the ASA has insufficient memory to store all CRLs cached for a given trustpoint, it deletes the least
recently used CRL to make room for a newly retrieved CRL.
OCSP
OCSP provides the ASA with a way of determining whether a certificate that is within its valid time
range has been revoked by the issuing CA. OCSP configuration is part of trustpoint configuration.
OCSP localizes certificate status on a validation authority (an OCSP server, also called the responder)
which the ASA queries for the status of a specific certificate. This method provides better scalability and
more up-to-date revocation status than does CRL checking, and helps organizations with large PKI
installations deploy and expand secure networks.
Note
The ASA allows a five-second time skew for OCSP responses.
You can configure the ASA to make OCSP checks mandatory when authenticating a certificate by using
the revocation-check ocsp command. You can also make the OCSP check optional by using the
revocation-check ocsp none command, which allows the certificate authentication to succeed when the
validation authority is unavailable to provide updated OCSP data.
OCSP provides three ways to define the OCSP server URL. The ASA uses these servers in the following
order:
1. The OCSP URL defined in a match certificate override rule (by using the match certificate command).
2. The OCSP URL configured by using the ocsp url command.
3. The AIA field of the client certificate.
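The CRL caching and OCSP settings described above, shown together as an added configuration example that is not part of the original guide. The trustpoint names, certificate map name, sequence numbers, and URLs are placeholders; the second trustpoint in the example corresponds to the self-signed responder case covered in the note that follows.

```cisco
! Constructed example: all names, sequence numbers and URLs are placeholders.
!
! Certificate map that selects which client certificates the OCSP
! override rule applies to.
crypto ca certificate map OCSP-MAP 10
 subject-name attr ou eq engineering
!
! Trustpoint that holds a self-signed OCSP responder certificate,
! imported as a trusted CA certificate.
crypto ca trustpoint OCSP-RESPONDER-TP
 enrollment terminal
!
! Client-certificate validating trustpoint that uses CRL checking.
crypto ca trustpoint VPN-CA-CRL
 revocation-check crl
 crl configure
! With enforcenextupdate, the CRL goes stale after 100 minutes or at
! NextUpdate, whichever comes sooner.
  cache-time 100
  enforcenextupdate
!
! Client-certificate validating trustpoint that uses OCSP.
crypto ca trustpoint VPN-CA-OCSP
! Mandatory check. The optional form is "revocation-check ocsp none",
! which lets authentication succeed when the responder is unavailable.
 revocation-check ocsp
! First choice: URL from a match certificate override rule; the responder
! certificate is validated against OCSP-RESPONDER-TP.
 match certificate OCSP-MAP override ocsp trustpoint OCSP-RESPONDER-TP 10 url http://ocsp.example.com/override
! Second choice: URL configured on the trustpoint.
 ocsp url http://ocsp.example.com/default
! Third choice: the AIA field of the client certificate (nothing to configure).
```

Choosing between revocation-check ocsp and revocation-check ocsp none decides whether a responder outage blocks certificate authentication or lets certificates through without a current revocation answer.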
Note
To configure a trustpoint to validate a self-signed OCSP responder certificate, you import the self-signed
responder certificate into its own trustpoint as a trusted CA certificate. Then you configure the
match certificate command in the client certificate validating trustpoint to use the trustpoint that includes the
self-signed OCSP responder certificate to validate the responder certificate. Use the same procedure for