Cisco ISR 4000 series Configuration Manual page 38

Cisco ISR 4000 Family Routers Administrator Guidance
Use the revocation-check command to specify at least one method (OCSP, CRL, or skip the
revocation check) that is to be used to ensure that the certificate of a peer has not been revoked. For
multiple methods, the order in which the methods are applied is determined by the order specified
via this command.
If the TOE does not have the applicable CRL and is unable to obtain one, or if the OCSP server
returns an error, the TOE will reject the peer's certificate--unless an administrator includes the
'none' keyword in your configuration. If the 'none' keyword is configured, a revocation check will
not be performed and the certificate will always be accepted.
When using OCSP, nonces, unique identifiers for OCSP requests, are sent by default during peer
communications with an OCSP server. The use of nonces offers a more secure and reliable
communication channel between the peer and OCSP server. If the OCSP server does not support
nonces, an authorized administrator may disable the sending of nonces.
4.6.4.6 Manually Overriding the OCSP Server Setting in a Certificate
Administrators can override the OCSP server setting specified in the Authority Information Access
(AIA) field of the client certificate or set by the issuing the ocsp url command. One or more OCSP
servers may be manually specified, either per client certificate or per group of client certificates
by the match certificate override ocsp command. The match certificate override ocsp command
overrides the client certificate AIA field or the ocsp urlcommand setting if a client certificate is
successfully matched to a certificate map during the revocation check
4.6.4.7 Configuring Certificate Chain Validation
Perform this task to configure the processing level for the certificate chain path of peer certificates.
Prerequisites:
 The device must be enrolled in your PKI hierarchy.
 The appropriate key pair must be associated with the certificate.
1. Enter configure terminal mode:
2. TOE-common-criteria# configure terminal
3. Set the crypto pki trustpoint name:
4. TOE-common-criteria(config)# crypto pki trustpoint ca-sub1
5. Configure the level to which a certificate chain is processed on all certificates including
subordinate CA certificates using the chain-validation [{stop | continue} [parent-
trustpoint]] command:
6. TOE-common-criteria(ca-trustpoint)# chain-validation continue ca-sub1
 Use the stop keyword to specify that the certificate is already trusted. This is the
default setting.
 Use the continue keyword to specify that the subordinate CA certificate associated
with the trustpoint must be validated.
 The parent-trustpoint argument specifies the name of the parent trustpoint the
certificate must be validated against.
Note: A trustpoint associated with the root CA cannot be configured to be validated to the
next level. The chain-validation command is configured with the continue keyword for the
Page 38 of 66