Configuring CRLs for a Trustpoint - Cisco FirePOWER ASA 5500 series Configuration Manual
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 39-13

Chapter 39
Configuring Certificates

Configuring CRLs for a Trustpoint

If you want to use mandatory or optional CRL checking during certificate authentication, you must perform CRL configuration for each trustpoint. For more information about CRLs, see the "About CRLs" section on page 39-3.

To configure CRLs for a trustpoint, perform the following steps:

Step 1   Enter crypto ca trustpoint configuration mode for the trustpoint whose CRL configuration you want to modify. To do so, enter the crypto ca trustpoint command.

Step 2   If you have not already enabled CRLs, you can do so now by using the crl command with either the required or optional keyword. If you specify the required keyword, certificate authentication with this trustpoint cannot succeed if the CRL is unavailable.

Step 3   Enter the crl configure command.

    hostname/contexta(config-ca-trustpoint)# crl configure
    hostname/contexta(config-ca-crl)#

Upon entering this command, you enter crl configuration mode for the current trustpoint.

Tip   To set all CRL configuration options to their default values, use the default command. At any time while performing CRL configuration, if you want to start over, enter this command and restart this procedure.

Step 4   Configure the retrieval policy with the policy command. The following keywords for this command determine the policy:

    cdp—CRLs are retrieved only from the CRL distribution points specified in authenticated certificates.

    Note   SCEP retrieval is not supported by distribution points specified in certificates.

    static—CRLs are retrieved only from URLs you configure.

    both—CRLs are retrieved from CRL distribution points specified in authenticated certificates and from URLs you configure.

Step 5   If you used the keywords static or both when you configured the CRL policy, you need to configure URLs for CRL retrieval, using the url command. You can enter up to 5 URLs, ranked 1 through 5.

    hostname/contexta(config-ca-crl)# url n URL

where n is the rank assigned to the URL. To remove a URL, use the no url n command.

Step 6   Configure the retrieval method with the protocol command. The following keywords for this command determine the retrieval method:

    http—Specifies HTTP as the CRL retrieval method.

    ldap—Specifies LDAP as the CRL retrieval method.

    scep—Specifies SCEP as the CRL retrieval method.

Step 7   Configure how long the security appliance caches CRLs for the current trustpoint. To specify the number of minutes the security appliance waits before considering a CRL stale, enter the following command.

    hostname/contexta(config-ca-crl)# cache-time n
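The following session walks Steps 1 through 7 end to end on a single trustpoint. It is an added example, not a transcript from the Cisco guide; the trustpoint name CORP-CA, the CRL URLs under example.com and the 60-minute cache time are assumptions chosen for illustration, and lines beginning with "!" are comments.

```cisco
! Added example, not from the Cisco guide. Trustpoint name, URLs and
! the cache time are assumed values.
!
! Step 1: enter trustpoint configuration mode for the trustpoint.
hostname/contexta(config)# crypto ca trustpoint CORP-CA
!
! Step 2: make CRL checking mandatory. With "required", a certificate
! cannot authenticate against this trustpoint while no CRL is available,
! so a CRL outage fails closed instead of silently skipping revocation.
! Use "crl optional" only where availability outweighs enforcement.
hostname/contexta(config-ca-trustpoint)# crl required
!
! Step 3: enter CRL configuration mode for this trustpoint.
hostname/contexta(config-ca-trustpoint)# crl configure
!
! Step 4: retrieval policy. "both" uses the distribution points embedded
! in the certificate being validated as well as the static URLs below,
! so revocation data can still be fetched if one source is unreachable.
hostname/contexta(config-ca-crl)# policy both
!
! Step 5: static URLs, ranked 1 through 5 (needed for "static" or "both").
hostname/contexta(config-ca-crl)# url 1 http://crl1.example.com/corp-ca.crl
hostname/contexta(config-ca-crl)# url 2 http://crl2.example.com/corp-ca.crl
!
! Step 6: retrieval method for the static URLs above.
hostname/contexta(config-ca-crl)# protocol http
!
! Step 7: treat a cached CRL as stale after 60 minutes, bounding how long
! a newly revoked certificate is still accepted from the cache.
hostname/contexta(config-ca-crl)# cache-time 60
hostname/contexta(config-ca-crl)# exit
hostname/contexta(config-ca-trustpoint)# exit
```

Choosing the cache time is a trade-off between CRL download load and how quickly a revocation takes effect: the appliance keeps honouring a cached CRL until the timer expires, so a short timer narrows that window at the cost of more frequent fetches. To confirm that a CRL was actually downloaded and to see its validity period, the show crypto ca crls command (not covered on this page) lists the CRLs the appliance currently holds.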