CRL Management - Cisco TelePresence Video Communication Server Administrator's Manual


Note: certificate and CRL files can only be managed via the web interface. They cannot be installed
using the CLI.
Trusted CA certificate
The Trusted CA certificate section manages the list of certificates for the Certificate Authorities
(CAs) trusted by this VCS. Certificates presented to the VCS must be signed by a trusted CA on this
list and there must be a full chain of trust to the root CA.
To upload a new file of CA certificates, Browse to the required PEM file and click Upload CA
certificate. This will replace any previously uploaded CA certificates.
Note: if you have enabled certificate revocation list (CRL) checking for TLS encrypted
connections to an LDAP server (for account authentication), you must add the PEM encoded
CRL data to your trusted CA certificate file.
- Click Reset to default CA certificate to replace the currently uploaded file with a default
  list of trusted CA certificates.
- Click Show CA certificate to view the currently uploaded file.
Server certificate data
The Server certificate data section is used to upload the VCS's server certificate. This certificate is
used to identify the VCS when it communicates with client systems using TLS encryption, and with
web browsers over HTTPS.
- Use the Browse buttons to select the server certificate PEM file and the server private key
  PEM file that is used to encrypt it. After selecting both files, click Upload server
  certificate data. Note that the private key must not be password protected.
- Click Reset to default server certificate to replace the currently uploaded server
  certificate with the VCS's factory default certificate.
- Click Show server certificate to view the currently uploaded server certificate file in PEM
  format.
Note that the VCS stores only one server certificate file. If you have multiple certificates you must first
concatenate them into a single file before uploading them to the VCS.
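
A pre-upload check for the two PEM requirements described above: CRL data present in the trusted CA file when CRL checking for LDAP is enabled, and a server private key that is not password protected. This is an added example, not part of the Cisco guide or the VCS software; the function names and sample PEM blocks are constructed for illustration, and the check reads only PEM labels and headers (it does not verify signatures or the chain of trust).

```python
import base64
import re

# One PEM block: label, then optional RFC 1421 headers and the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, encrypted, body_ok) for every PEM block in text."""
    found = []
    for label, inner in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in inner.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]   # base64 never contains ':'
        body = "".join(ln for ln in lines if ":" not in ln)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        try:
            base64.b64decode(body, validate=True)
            body_ok = bool(body)
        except ValueError:
            body_ok = False
        found.append((label, encrypted, body_ok))
    return found

def check_ca_file(text, ldap_crl_checking=False):
    """List problems in a trusted CA file before it is uploaded."""
    blocks = pem_blocks(text)
    labels = [label for label, _, _ in blocks]
    problems = [f"block {i} ({label}) is not valid base64"
                for i, (label, _, ok) in enumerate(blocks, 1) if not ok]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if ldap_crl_checking and "X509 CRL" not in labels:
        problems.append("CRL checking for LDAP is on but no X509 CRL block found")
    return problems

def check_private_key(text):
    """List problems in a server private key file before it is uploaded."""
    keys = [b for b in pem_blocks(text) if b[0].endswith("PRIVATE KEY")]
    if not keys:
        return ["no private key block found"]
    return ["private key is password protected" for _, enc, _ in keys if enc]

# Constructed sample input: placeholder base64 bodies, not real keys or certificates.
def sample_pem(label, headers=""):
    return f"-----BEGIN {label}-----\n{headers}Y29uc3RydWN0ZWQ=\n-----END {label}-----\n"
CA_ONLY = sample_pem("CERTIFICATE") * 2
CA_WITH_CRL = CA_ONLY + sample_pem("X509 CRL")
KEY_PLAIN = sample_pem("RSA PRIVATE KEY")
KEY_ENCRYPTED = sample_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0011223344556677\n\n")
```

An empty list from either function means the file passed these checks; both the legacy `Proc-Type: 4,ENCRYPTED` header and the PKCS#8 `ENCRYPTED PRIVATE KEY` label are treated as password protected.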

CRL management

The CRL management page (Maintenance > Certificate management > CRL management) is
used to configure whether the VCS uses certificate revocation lists (CRLs) when validating security
certificates, and if so, from where it obtains the CRLs.
You are recommended to upload CRL data for the CAs that sign HTTPS client and server certificates.
A CRL identifies those certificates that have been revoked and can no longer be used to communicate
with the VCS. When enabled, CRL checking is applied for every CA in the chain of trust.
Note: the VCS can use a combination of manually and automatically uploaded files to perform its CRL
checking. The following sections explain which files are used in which circumstances.
Manual CRL updates
CRL files can be manually uploaded to the VCS. Manually uploaded CRL files are used for certificate
validation in the following areas:
- when client browsers communicate with the VCS over HTTPS — unless automatic updates have
  been enabled, in which case the automatically uploaded CRL files are used instead
- by the VCS when communicating with external policy services
- by the Client certificate testing page
To upload a CRL file:
Cisco VCS Administrator Guide (X6.1)
Page 198 of 401
