Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures page 39

4.6.4.5
Configuring a Revocation Mechanism for PKI Certificate Status
Checking
Perform this task to set up the certificate revocation mechanism--CRLs or OCSP--that is used
to check the status of certificates in a PKI.
Use the revocation-check command to specify at least one method (OCSP, CRL, or skip the
revocation check) that is to be used to ensure that the certificate of a peer has not been
revoked. For multiple methods, the order in which the methods are applied is determined by the
order specified via this command.
If the TOE does not have the applicable CRL and is unable to obtain one, or if the OCSP server
returns an error, the TOE will reject the peer's certificate--unless an administrator includes the
'none' keyword in your configuration. If the 'none' keyword is configured, a revocation check
will not be performed and the certificate will always be accepted.
When using OCSP, nonces, unique identifiers for OCSP requests, are sent by default during
peer communications with a OCSP server. The use of nonces offers a more secure and reliable
communication channel between the peer and OCSP server. If the OCSP server does not support
nonces, an authorized administrator may disable the sending of nonces.
Note: The TOE supports use of OCSP only when using RSA certs and not when using ECDSA
certificates.
4.6.4.6
Manually Overriding the OCSP Server Setting in a Certificate
Administrators can override the OCSP server setting specified in the Authority Information
Access (AIA) field of the client certificate or set by the issuing the ocsp url command. One or
more OCSP servers may be manually specified, either per client certificate or per group of client
certificates by the match certificate override ocsp command. The match certificate override
ocspcommand overrides the client certificate AIA field or the ocsp urlcommand setting if a client
certificate is successfully matched to a certificate map during the revocation check
4.6.4.7
Configuring Certificate Chain Validation
Perform this task to configure the processing level for the certificate chain path of peer
certificates.
Prerequisites:
 The device must be enrolled in your PKI hierarchy.
 The appropriate key pair must be associated with the certificate.
1. Enter configure terminal mode:
TOE-common-criteria# configure terminal
2. Set the crypto pki trustpoint name:
TOE-common-criteria(config)# crypto pki trustpoint ca-sub1
3. Configure the level to which a certificate chain is processed on all certificates including
subordinate CA certificates using the chain-validation [{stop | continue} [parent-
trustpoint]] command:
TOE-common-criteria(ca-trustpoint)# chain-validation continue ca-sub1
Page 39 of 72