Cisco Content Services Switch SSL Configuration Guide (OL-5655-01)
Chapter 4 Configuring SSL Termination
Configuring Virtual SSL Servers for an SSL Proxy List

• sign_cert - The name of the CA certificate that signed the CRL. The CA certificate verifies that the CRL is authentic. You must import this certificate on the CSS before configuring the CRL. For information on importing a CA certificate, see the "Importing or Exporting Certificates and Private Keys" section in Chapter 3, Configuring SSL Certificates and Keys. For information on associating a certificate with a filename, see the "Associating a Certificate with a File" also in Chapter 3, Configuring SSL Certificates and Keys.
• hours - The number of hours to wait before retrieving an updated CRL. Enter a value from 0 to 2000. A value of 0 disables the retrieval of the CRL, which means that the CRL is not updated.

The CSS SSL module keeps a list of all configured CRLs. The module only attempts to retrieve a CRL when:
– The SSL proxy list containing CRL records is activated
– The service or content rule associated with the SSL proxy list is activated
– The CRL was previously retrieved and the time defined in the CRL record has now passed

The following example shows how to configure a CRL record named mycrl. The URL location of the CRL is crl.verisign.com. The CA certificate name on the CSS that authenticates the CRL is verisign_cacert. The CSS updates the CRL every 24 hours. Enter:

(config)# ssl crl-record mycrl http://crl.verisign.com/class1.crl verisign_cacert 24

To remove the CRL record, enter:

(config)# no ssl crl-record mycrl

To view configuration information on a CRL, use the show ssl crl-record command. For more information on this command, see Chapter 7, Displaying SSL Configuration Information and Statistics.
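The following Python sketch is an added example, not part of the Cisco guide. It audits a sequence of ssl crl-record commands against the rules stated above: hours must be from 0 to 2000, a value of 0 means the CRL is never updated, and the signing CA certificate must already be imported. The function names, the sample commands other than mycrl, and the imported_certs set supplied by the caller are assumptions made for illustration.

```python
# Constructed sample commands in the form the guide shows (not from a real CSS).
SAMPLE_CONFIG = """\
(config)# ssl crl-record mycrl http://crl.verisign.com/class1.crl verisign_cacert 24
ssl crl-record stalecrl http://crl.example.test/ca.crl example_cacert 0
ssl crl-record badhours http://crl.example.test/ca.crl example_cacert 5000
ssl crl-record orphan http://crl.example.test/ca.crl missing_cacert 12
ssl crl-record oldcrl http://crl.example.test/old.crl example_cacert 24
no ssl crl-record oldcrl
"""


def parse_crl_records(config_text):
    """Return {crl_name: (url, sign_cert, hours)} for records still configured."""
    records = {}
    for line in config_text.splitlines():
        # Drop the CLI prompt if the line was copied from a terminal session.
        words = line.replace("(config)#", "").split()
        if words[:3] == ["no", "ssl", "crl-record"] and len(words) == 4:
            records.pop(words[3], None)          # record was removed
        elif words[:2] == ["ssl", "crl-record"] and len(words) == 6:
            name, url, sign_cert, hours = words[2:]
            records[name] = (url, sign_cert, hours)
    return records


def audit_crl_records(config_text, imported_certs):
    """Return {crl_name: [findings]} for records that need attention."""
    findings = {}
    for name, (url, sign_cert, hours) in parse_crl_records(config_text).items():
        issues = []
        if not hours.isdigit() or not 0 <= int(hours) <= 2000:
            issues.append("hours outside 0-2000")
        elif int(hours) == 0:
            issues.append("retrieval disabled (hours 0): CRL is never updated")
        # imported_certs is supplied by the caller (assumption): the names of
        # CA certificates already imported and associated on the CSS.
        if sign_cert not in imported_certs:
            issues.append("signing CA certificate not imported")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    known = {"verisign_cacert", "example_cacert"}
    for name, issues in audit_crl_records(SAMPLE_CONFIG, known).items():
        print(name, "->", "; ".join(issues))
```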