Cisco ASA 5505 Configuration Manual page 733

Chapter 35
Configuring Digital Certificates
When the adaptive security appliance has cached a CRL for longer than the amount of time it is configured to cache CRLs, the adaptive security appliance considers the CRL too old to be reliable, or "stale." The adaptive security appliance tries to retrieve a newer version of the CRL the next time that a certificate authentication requires a check of the stale CRL.

The adaptive security appliance caches CRLs for an amount of time determined by the following two factors:

• The number of minutes specified with the cache-time command. The default value is 60 minutes.
• The NextUpdate field in the CRLs retrieved, which may be absent from CRLs. You control whether the adaptive security appliance requires and uses the NextUpdate field with the enforcenextupdate command.

The adaptive security appliance uses these two factors in the following ways:

• If the NextUpdate field is not required, the adaptive security appliance marks CRLs as stale after the length of time defined by the cache-time command.
• If the NextUpdate field is required, the adaptive security appliance marks CRLs as stale at the sooner of the two times specified by the cache-time command and the NextUpdate field. For example, if the cache-time command is set to 100 minutes and the NextUpdate field specifies that the next update is 70 minutes away, the adaptive security appliance marks CRLs as stale in 70 minutes.

If the adaptive security appliance has insufficient memory to store all CRLs cached for a given trustpoint, it deletes the least recently used CRL to make room for a newly retrieved CRL.

OCSP

OCSP provides the adaptive security appliance with a way of determining whether a certificate that is within its valid time range has been revoked by the issuing CA. OCSP configuration is part of trustpoint configuration.

OCSP localizes certificate status on a validation authority (an OCSP server, also called the responder) which the adaptive security appliance queries for the status of a specific certificate. This method provides better scalability and more up-to-date revocation status than does CRL checking, and helps organizations with large PKI installations deploy and expand secure networks.

Note: The adaptive security appliance allows a five-second time skew for OCSP responses.

You can configure the adaptive security appliance to make OCSP checks mandatory when authenticating a certificate by using the revocation-check ocsp command. You can also make the OCSP check optional by using the revocation-check ocsp none command, which allows the certificate authentication to succeed when the validation authority is unavailable to provide updated OCSP data.

OCSP provides three ways to define the OCSP server URL. The adaptive security appliance uses these servers in the following order:

1. The OCSP URL defined in a match certificate override rule by using the match certificate command.
2. The OCSP URL configured by using the ocsp url command.
3. The AIA field of the client certificate.

Information About Digital Certificates
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
35-5
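As an added illustration that is not part of the Cisco manual, the following Python model encodes the CRL staleness rules (cache-time versus NextUpdate under enforcenextupdate) and the OCSP responder URL precedence described above; CachedCrl, crl_stale_at, crl_is_stale and select_ocsp_url are hypothetical names, the sample CRL is constructed, and the behaviour when NextUpdate is required but absent is an assumption the page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CachedCrl:
    retrieved_at: datetime           # when the ASA fetched this CRL
    next_update: Optional[datetime]  # CRL NextUpdate field; None when the CA omits it


def crl_stale_at(crl: CachedCrl, cache_time_minutes: int = 60,
                 enforce_next_update: bool = False) -> datetime:
    """Instant at which the cached CRL is treated as stale.

    cache_time_minutes mirrors the cache-time command (default 60 minutes);
    enforce_next_update mirrors the enforcenextupdate command.
    """
    cache_expiry = crl.retrieved_at + timedelta(minutes=cache_time_minutes)
    if not enforce_next_update:
        # NextUpdate is neither required nor consulted: cache-time alone decides.
        return cache_expiry
    if crl.next_update is None:
        # Assumption (not stated on this page): a required-but-missing
        # NextUpdate makes the CRL unusable rather than silently trusted.
        raise ValueError("NextUpdate required by enforcenextupdate but absent from CRL")
    # Both limits apply and the sooner one wins.
    return min(cache_expiry, crl.next_update)


def crl_is_stale(crl: CachedCrl, now: datetime, **kwargs) -> bool:
    """True when the ASA would fetch a newer CRL before trusting this one."""
    return now >= crl_stale_at(crl, **kwargs)


def select_ocsp_url(match_override_url: Optional[str], ocsp_url_cmd: Optional[str],
                    client_cert_aia: Optional[str]) -> Optional[str]:
    """Choose the responder in the documented order: match certificate
    override rule, then the ocsp url command, then the certificate's AIA
    field. None means no responder URL is available at all."""
    for url in (match_override_url, ocsp_url_cmd, client_cert_aia):
        if url:
            return url
    return None


# Constructed sample: the manual's own case, cache-time 100 minutes with a
# NextUpdate 70 minutes after retrieval.
SAMPLE_CRL = CachedCrl(retrieved_at=datetime(2024, 1, 1, 12, 0),
                       next_update=datetime(2024, 1, 1, 13, 10))
```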
