Field: Client certificate-based security

Description: Controls the level of security required to allow client systems (typically web browsers) to communicate with the VCS over HTTPS.
Not required: the client system does not have to present any form of certificate.
Certificate validation: the client system must present a valid certificate that has been signed by a trusted certificate authority (CA). Note that a restart is required if you are changing from Not required to Certificate validation.
Certificate-based authentication: the client system must present a valid certificate that has been signed by a trusted CA and contains the client's authentication credentials.
Default: Not required

Usage tips: Important:
Enabling Certificate validation means that your browser (the client system) can use the VCS web interface only if it has a valid (in date and not revoked by a CRL) client certificate that is signed by a CA in the VCS's trusted CA certificate list.
Ensure your browser has a valid client certificate before enabling this feature. The procedure for uploading a certificate to your browser may vary depending on the browser type and you may need to restart your browser for the certificate to take effect.
You can upload CA certificates on the Managing the trusted CA certificate list [p.285] page, and test client certificates on the Testing client certificates [p.292] page.
Enabling Certificate-based authentication means that the standard login mechanism is no longer available. You can log in only if your browser certificate is valid and the credentials it provides have the appropriate authorization levels. You can configure how the VCS extracts credentials from the browser certificate on the Certificate-based authentication configuration page.
This setting does not affect client verification of the VCS's server certificate.

Field: Certificate revocation list (CRL) checking

Description: Specifies whether HTTPS client certificates are checked against certificate revocation lists (CRLs).
None: no CRL checking is performed.
Peer: only the CRL associated with the CA that issued the client's certificate is checked.
All: all CRLs in the trusted certificate chain of the CA that issued the client's certificate are checked.
Default: All

Usage tips: Only applies if Client certificate-based security is enabled.

Field: CRL inaccessibility fallback behavior

Description: Controls the revocation checking behavior if the revocation status cannot be established, for example if the revocation source cannot be contacted.
Treat as revoked: treat the certificate as revoked (and thus do not allow the TLS connection).
Treat as not revoked: treat the certificate as not revoked.
Default: Treat as not revoked

Usage tips: Only applies if Client certificate-based security is enabled.
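
The interaction of the two CRL settings described above, modelled as an added example (it is not Cisco's code and not part of the guide). It assumes the client certificate has already passed signature and date validation; the status labels and function names are hypothetical.

```python
from enum import Enum

class CrlCheck(Enum):            # "Certificate revocation list (CRL) checking"
    NONE = "None"
    PEER = "Peer"
    ALL = "All"

class Fallback(Enum):            # "CRL inaccessibility fallback behavior"
    TREAT_AS_REVOKED = "Treat as revoked"
    TREAT_AS_NOT_REVOKED = "Treat as not revoked"

# Constructed labels for the outcome of one CRL lookup (hypothetical names).
GOOD, REVOKED, UNAVAILABLE = "good", "revoked", "unavailable"

def allow_connection(chain_status, crl_check=CrlCheck.ALL,
                     fallback=Fallback.TREAT_AS_NOT_REVOKED):
    """Decide whether the TLS connection is allowed.

    chain_status[0] is the lookup result for the CRL of the CA that issued
    the client's certificate; later entries are CRLs further up the chain.
    Keyword defaults mirror the defaults listed in the table.
    """
    if crl_check is CrlCheck.NONE:
        consulted = []                    # no CRL checking is performed
    elif crl_check is CrlCheck.PEER:
        consulted = chain_status[:1]      # issuing CA's CRL only
    else:
        consulted = chain_status          # every CRL in the chain
    for status in consulted:
        if status == REVOKED:
            return False
        if status == UNAVAILABLE and fallback is Fallback.TREAT_AS_REVOKED:
            return False                  # fail closed
    return True

def accepting_settings(chain_status):
    """List every (CRL checking, fallback) pair that lets this chain connect."""
    return [(c.value, f.value) for c in CrlCheck for f in Fallback
            if allow_connection(chain_status, c, f)]

if __name__ == "__main__":
    # Constructed scenarios: issuing CA's CRL unreachable; a revocation
    # recorded one level up the chain.
    for scenario in ([UNAVAILABLE], [GOOD, REVOKED]):
        print(scenario, "->", accepting_settings(scenario))
```

With the defaults (All, Treat as not revoked), an unreachable revocation source results in the connection being allowed, so a revoked client certificate is rejected only while its CRL can be contacted.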
Cisco VCS Administrator Guide (X8.1.1)
Network and system settings
Network services