About OCSP 39-4 - Cisco PIX 500 Series Configuration Manual

Security appliance command line
Chapter 39 Configuring Certificates
Public Key Cryptography
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 39-4

When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL.

The security appliance caches CRLs for a length of time determined by the following two factors:

• The number of minutes specified with the cache-time command. The default value is 60 minutes.
• The NextUpdate field in the CRLs retrieved, which may be absent from CRLs. You control whether the security appliance requires and uses the NextUpdate field with the enforcenextupdate command.

The security appliance uses these two factors as follows:

• If the NextUpdate field is not required, the security appliance marks CRLs as stale after the length of time defined by the cache-time command.
• If the NextUpdate field is required, the security appliance marks CRLs as stale at the sooner of the two times specified by the cache-time command and the NextUpdate field. For example, if the cache-time command is set to 100 minutes and the NextUpdate field specifies that the next update is 70 minutes away, the security appliance marks CRLs as stale in 70 minutes.

If the security appliance has insufficient memory to store all CRLs cached for a given trustpoint, it deletes the least recently used CRL to make room for a newly retrieved CRL.

For information about configuring CRL behavior for a trustpoint, see the "Configuring CRLs for a Trustpoint" section on page 39-13.

About OCSP

Online Certificate Status Protocol provides the security appliance with a means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. OCSP configuration is a part of the configuration of a trustpoint.

OCSP localizes certificate status on a Validation Authority (an OCSP server, also called the responder) which the security appliance queries for the status of a specific certificate. It provides better scalability and more up-to-date revocation status than does CRL checking. It helps organizations with large PKI installations deploy and expand secure networks.

You can configure the security appliance to make OCSP checks mandatory when authenticating a certificate (revocation-check ocsp command). You can also make the OCSP check optional by adding the none argument (revocation-check ocsp none command), which allows the certificate authentication to succeed when the Validation Authority is unavailable to provide updated OCSP data.

Our implementation of OCSP provides three ways to define the OCSP server URL. The security appliance uses these servers in the following order:

1. The OCSP URL defined in a match certificate override rule (match certificate command).
2. The OCSP URL configured in the ocsp url command.
3. The AIA field of the client certificate.

Note To configure a trustpoint to validate a self-signed OCSP responder certificate, you import the self-signed responder certificate into its own trustpoint as a trusted CA certificate. Then you configure the match certificate command in the client certificate validating trustpoint to use the trustpoint that contains the self-signed OCSP responder certificate to validate the responder certificate. The same applies for configuring validating responder certificates external to the validation path of the client certificate.
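A configuration fragment, added here and not taken from the guide, that puts the commands this section names together: a CRL-checked trustpoint using the cache-time and NextUpdate example values, a trustpoint holding a self-signed OCSP responder certificate, and a client trustpoint that uses mandatory OCSP with the three URL sources in their order of precedence. The full command syntax beyond the command names the text gives, and every trustpoint, map, CA and URL name, are assumptions.

```text
! Added example, not from the guide: the command names are those the text cites;
! full syntax is assumed from ASA/PIX 7.2+ and all names and URLs are placeholders.

! 1) Trustpoint for a CA whose certificates are checked against its CRL.
!    With the values below a cached CRL goes stale after the sooner of cache-time
!    and NextUpdate, i.e. after 70 minutes if the CRL says its next update is
!    70 minutes away (after 100 minutes without enforcenextupdate).
crypto ca trustpoint CRL-CHECKED-CA
 enrollment terminal
 revocation-check crl
 crl configure
  cache-time 100
  enforcenextupdate

! 2) Trustpoint that holds only the OCSP responder's self-signed certificate.
!    It is used to validate responder signatures, so it does no revocation check itself.
crypto ca trustpoint OCSP-RESPONDER
 enrollment terminal
 revocation-check none
! Then import the responder certificate: crypto ca authenticate OCSP-RESPONDER

! 3) Certificate map selecting the client certificates the override rule applies to.
crypto ca certificate map CLIENT-MAP 10
 issuer-name attr cn eq ExampleIssuingCA

! 4) Trustpoint that validates client certificates with OCSP.
crypto ca trustpoint CLIENT-CA
 enrollment terminal
 ! Mandatory check: authentication fails if the responder cannot be reached.
 ! "revocation-check ocsp none" would fail open instead; prefer the strict form.
 revocation-check ocsp
 ! URL source 2, used when no override rule matches.
 ocsp url http://ocsp.example.com
 ! URL source 1, plus the trustpoint (from step 2) that validates the responder.
 match certificate CLIENT-MAP override ocsp trustpoint OCSP-RESPONDER 10 url http://ocsp-alt.example.com
 ! URL source 3, the certificate's AIA field, is used only when neither applies.
```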