Cisco ASA 5505 Configuration Manual page 732

Information About Digital Certificates
Trustpoints
Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or
identity pair. A trustpoint includes the identity of the CA, CA-specific configuration parameters, and an
association with one enrolled identity certificate.
After you have defined a trustpoint, you can reference it by name in commands requiring that you specify
a CA. You can configure many trustpoints.
Note: If an adaptive security appliance has multiple trustpoints that share the same CA, only one of these
trustpoints sharing the CA can be used to validate user certificates. To control which trustpoint sharing
a CA is used for validation of user certificates issued by that CA, use the support-user-cert-validation
command.
For automatic enrollment, a trustpoint must be configured with an enrollment URL, and the CA that the
trustpoint represents must be available on the network and must support SCEP.
You can export and import the keypair and issued certificates associated with a trustpoint in PKCS12
format. This format is useful to manually duplicate a trustpoint configuration on a different adaptive
security appliance.
Revocation Checking
When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate
before this time period expires; for example, because of security concerns or a change of name or
association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking
forces the adaptive security appliance to check that the CA has not revoked a certificate each time that
it uses the certificate for authentication.
When you enable revocation checking, the adaptive security appliance checks certificate revocation
status during the PKI certificate validation process, which can use either CRL checking, or OCSP, or
both. OCSP is only used when the first method returns an error (for example, that the server is
unavailable).
With CRL checking, the adaptive security appliance retrieves, parses, and caches CRLs, which provide
a complete list of revoked certificates. OCSP offers a more scalable method of checking revocation status
in that it localizes certificate status through a validation authority, which it queries for status of a specific
certificate.
CRLs
CRLs provide the adaptive security appliance with one way of determining whether a certificate that is
within its valid time range has been revoked by the issuing CA. CRL configuration is part of
configuration of a trustpoint.
You can configure the adaptive security appliance to make CRL checks mandatory when authenticating
a certificate by using the revocation-check crl command. You can also make the CRL check optional
by using the revocation-check crl none command, which allows the certificate authentication to
succeed when the CA is unavailable to provide updated CRL data.
The adaptive security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs
retrieved for a trustpoint are cached for an amount of time that is configurable per trustpoint.
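The two sections above describe a method chain (CRL first, OCSP only when the CRL check returns an error, and an optional trailing "none" that lets authentication succeed when the CA is unreachable) plus a per-trustpoint CRL cache with a configurable lifetime. The following Python is an added illustration of those documented semantics; it is not Cisco code and does not reproduce the ASA's actual implementation. The class and function names (`Trustpoint`, `CrlCache`, `make_fetch`, `demo`), the serial numbers, and the 60-second cache lifetime are all constructed for the example; the revoked-serial set stands in for a parsed CRL.

```python
"""Model of the ASA revocation-check method chain and CRL cache (added example,
not Cisco code; names and sample values are constructed)."""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    GOOD = "good"          # issuer says the certificate is not revoked
    REVOKED = "revoked"    # issuer says the certificate is revoked
    ERROR = "error"        # CRL/OCSP source unreachable, stale, or unparsable


@dataclass
class CrlCache:
    """Per-trustpoint CRL cache with a configurable lifetime in seconds."""
    lifetime: float
    fetch: Callable[[], Optional[set]]   # returns revoked serials, or None if the CA is down
    _revoked: Optional[set] = None
    _fetched_at: float = 0.0

    def lookup(self, serial: int, now: float) -> Status:
        if self._revoked is None or now - self._fetched_at > self.lifetime:
            fresh = self.fetch()
            if fresh is None:
                self._revoked = None           # never serve an expired list as authoritative
                return Status.ERROR
            self._revoked, self._fetched_at = fresh, now
        return Status.REVOKED if serial in self._revoked else Status.GOOD


@dataclass
class Trustpoint:
    name: str
    methods: list                      # ["crl"] mirrors `revocation-check crl`;
                                       # ["crl", "none"] mirrors `revocation-check crl none`
    crl: Optional[CrlCache] = None
    ocsp: Optional[Callable[[int], Status]] = None

    def check_revocation(self, serial: int, now: Optional[float] = None) -> bool:
        """Return True if the certificate passes revocation checking."""
        now = time.time() if now is None else now
        for method in self.methods:
            if method == "none":
                return True                # trailing 'none': accept despite earlier errors
            if method == "crl":
                result = self.crl.lookup(serial, now) if self.crl else Status.ERROR
            elif method == "ocsp":
                result = self.ocsp(serial) if self.ocsp else Status.ERROR
            else:
                raise ValueError(f"unknown revocation method {method!r}")
            if result is Status.GOOD:
                return True
            if result is Status.REVOKED:
                return False               # a definite answer ends the chain
            # Status.ERROR: only then move on to the next method
        return False                       # every method errored and no 'none' fallback


def make_fetch(responses):
    """Constructed CA stand-in: returns one queued response per call;
    None simulates an unreachable CA (and so does an exhausted queue)."""
    queue = list(responses)

    def fetch():
        return queue.pop(0) if queue else None
    return fetch


def demo() -> dict:
    revoked = {0x1001}                     # constructed CRL content
    t0 = 1000.0
    # Mandatory CRL check: CA reachable once, then down.
    strict = Trustpoint("strict", ["crl"], crl=CrlCache(60, make_fetch([revoked, None])))
    # Optional CRL check: same CA behaviour, but 'none' at the end of the chain.
    lenient = Trustpoint("lenient", ["crl", "none"], crl=CrlCache(60, make_fetch([revoked, None])))
    # CRL then OCSP: the CRL source is down, so OCSP answers.
    chained = Trustpoint("chained", ["crl", "ocsp"], crl=CrlCache(60, make_fetch([None])),
                         ocsp=lambda s: Status.REVOKED if s == 0x1001 else Status.GOOD)
    return {
        "strict_revoked": strict.check_revocation(0x1001, t0),            # False: listed in CRL
        "strict_good_cached": strict.check_revocation(0x2002, t0),        # True: fresh cache, not listed
        "strict_good_ca_down": strict.check_revocation(0x2002, t0 + 120), # False: refetch fails, no fallback
        "lenient_revoked": lenient.check_revocation(0x1001, t0),          # False: revoked still fails
        "lenient_good_ca_down": lenient.check_revocation(0x2002, t0 + 120),  # True: 'none' fallback
        "chained_revoked": chained.check_revocation(0x1001, t0),          # False: CRL error, OCSP revoked
        "chained_good": chained.check_revocation(0x2002, t0),             # True: CRL error, OCSP good
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} -> {'accept' if accepted else 'reject'}")
```

The point of the `lenient` rows is the trade-off the text describes: `crl none` keeps authentication working when the CA cannot be reached, but it still rejects a certificate that a cached or freshly fetched CRL lists as revoked; only an error, not a revocation, reaches the `none` fallback.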
Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 35, Configuring Digital Certificates, page 35-4 (OL-20339-01)
