Cisco Cisco Expressway

Manual CRL Updates

You can upload CRL files manually to the Expressway. Certificates presented by external policy servers can only be
validated against manually loaded CRLs.

To upload a CRL file:

Go to Maintenance > Security certificates > CRL management.

Click Browse and select the required file from your file system. It must be in PEM encoded format.

Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.

Click Remove revocation list if you want to remove the manually uploaded file from the Expressway.

If a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.

Online Certificate Status Protocol (OCSP)

The Expressway can establish a connection with an OCSP responder to query the status of a particular certificate.The
Expressway determines the OCSP responder to use from the responder URI listed in the certificate being verified. The
OCSP responder sends a status of 'good', 'revoked' or 'unknown' for the certificate.

The benefit of OCSP is that there is no need to download an entire revocation list. OCSP is supported for SIP TLS
connections only. See below for information on how to enable OCSP.

Outbound communication from the Expressway-E is required for the connection to the OCSP responder. Check the port
number of the OCSP responder you are using (typically this is port 80 or 443) and ensure that outbound communication
is allowed to that port from the Expressway-E.

Configuring Revocation Checking for SIP TLS Connections

You must also configure how certificate revocation checking is managed for SIP TLS connections.

Cisco Expressway Certificate Creation and Use Deployment Guide