Configure Static Crl For A Trustpoint - Cisco Firepower 4110 Preparative Procedures & Operational User Manual

Firepower 4100 series; firepower 9000 series
Cisco Preparative Procedures & Operational User Guide
4.4.10

Configure Static CRL for a Trustpoint

Revoked certificates are maintained in the Certificate Revocation List (CRL). Use the following
procedure to configure your FXOS chassis to validate peer certificates using CRL information.
1) From the FXOS CLI, enter the security mode:
scope system
scope security
2) Enter the trustpoint mode:
scope trustpoint trustname
3) Enter the revoke mode:
scope revoke
4) Download the CRL file(s):
import crl protocol://user_id@CA_or_CRL_issuer_IP/tmp/DoDCA1CRL1.crl
5) (Optional) Show status for import process of CRL information:
show import-task detail
6) Set the certificate revocation method to CRL-only:
set certrevokemethod {crl}
You can configure the Certificate Revocation List (CRL) check mode to be either strict or relaxed for
IPSec and secure LDAP connections.
Dynamic (non-static) CRL information is obtained from the CRL Distribution Point (CDP) extension of an
X.509 certificate. Static CRL information is downloaded manually by the system administrator and is held
locally on the FXOS system. Dynamic CRL information is only checked against the certificate currently being
processed in the certificate chain, whereas a static CRL is applied to the whole peer certificate chain.
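As an added illustration (not Cisco's code and not how FXOS implements the check), the following Python parses a DER CRL of the kind imported above and applies it, strict-mode style, to a whole peer chain: the CRL must be inside its validity window, the chain must be complete (ending in a self-signed root), and every certificate in the chain is tested against the revoked serials. The sample CRL, the peer chain and the check time are constructed for the example.

```python
from datetime import datetime, timezone
def der(tag, body):  # DER TLV encoder, only for building the short constructed sample below
    return bytes([tag, len(body)]) + body
def children(buf):
    """Split a DER constructed body into its (tag, value) elements (handles long lengths)."""
    pos, out = 0, []
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                       # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out
def utc(val):  # UTCTime such as b'240101000000Z' -> aware datetime (GeneralizedTime not handled)
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def parse_crl(raw):
    """Return (thisUpdate, nextUpdate, set of revoked serials) from a DER CertificateList."""
    tbs = children(children(children(raw)[0][1])[0][1])   # elements of tbsCertList
    tbs = tbs[1:] if tbs[0][0] == 0x02 else tbs            # skip optional version INTEGER
    # tbs[0] signature AlgorithmIdentifier, tbs[1] issuer Name, tbs[2] thisUpdate, ...
    this_update = utc(tbs[2][1])
    next_update = utc(tbs[3][1]) if len(tbs) > 3 and tbs[3][0] == 0x17 else None
    revoked = {int.from_bytes(children(e)[0][1], "big")    # serial of each revoked entry
               for tag, val in tbs[3:] if tag == 0x30 for _, e in children(val)}
    return this_update, next_update, revoked
def check_chain(chain, crl_raw, now):
    """Strict mode with a static CRL: CRL must be current, chain must end in a self-signed
    root, and every certificate in the whole chain is tested against the CRL."""
    this_update, next_update, revoked = parse_crl(crl_raw)
    if now < this_update or (next_update and now > next_update):
        return "fail: CRL outside its validity window"
    if not chain or chain[-1]["subject"] != chain[-1]["issuer"]:
        return "fail: full certificate chain is required"
    hit = [c["subject"] for c in chain if c["serial"] in revoked]
    return f"fail: revoked {hit}" if hit else "ok"

# Constructed sample CRL revoking serials 0x1001 and 0x7f; the signature bytes are dummies.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
def entry(serial, when): return der(0x30, der(0x02, serial) + der(0x17, when))
TBS = der(0x30, der(0x02, b"\x01") + ALG + der(0x30, b"") + der(0x17, b"240101000000Z")
          + der(0x17, b"260101000000Z")
          + der(0x30, entry(b"\x10\x01", b"240301000000Z") + entry(b"\x7f", b"240302000000Z")))
SAMPLE_CRL = der(0x30, TBS + ALG + der(0x03, b"\x00" + b"\xaa" * 4))
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed check time inside the CRL window
PEER_CHAIN = [  # constructed peer chain, leaf first; the leaf's serial is on the CRL
    {"subject": "CN=peer", "issuer": "CN=Issuing CA", "serial": 0x1001},
    {"subject": "CN=Issuing CA", "issuer": "CN=Root CA", "serial": 5},
    {"subject": "CN=Root CA", "issuer": "CN=Root CA", "serial": 1},
]
```

Running `check_chain(PEER_CHAIN, SAMPLE_CRL, NOW)` reports the revoked leaf; passing only the leaf fails on chain completeness first, which is the "Full certificate chain is required" row of the strict-mode table.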
For steps to enable or disable certificate revocation checks for your secure LDAP and IPSec connections,
see Configure IPSec Secure Channel and Creating an LDAP Provider.
The following tables describe the LDAP and IPSec connection results, depending on your certificate
revocation list check setting and certificate validation.
Table 3 Certificate Revocation Check Mode set to Strict without a local static CRL

Without local static CRL | LDAP Connection | IPSec Connection
Checking peer's certificate chain | Full certificate chain is required | Full certificate chain is required
Checking CDP in peer's certificate chain | Full certificate chain is required | Full certificate chain is required
CDP checking for Root CA certificate of the peer's certificate chain | Yes | Not applicable
Any certificate validation failure | Connection fails with syslog | Connection fails with syslog

© 2016 Cisco Systems, Inc. All rights reserved.

This manual is also suitable for: Firepower 4140, Firepower 4120, Firepower 9300
