Cisco Cisco Expressway
3.
Enter the set of HTTP(S) distribution points from where the Expressway can obtain CRL files.
Note:
—
you must specify each distribution point on a new line
—
only HTTP(S) distribution points are supported; if HTTPS is used, the distribution point server itself must
have a valid certificate
have a valid certificate
—
PEM and DER encoded CRL files are supported
—
the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing multiple CRL
files
files
—
the file extensions in the URL or on any files unpacked from a downloaded archive do not matter as the
Expressway will determine the underlying file type for itself; however, typical URLs could be in the format:
Expressway will determine the underlying file type for itself; however, typical URLs could be in the format:
•
http://example.com/crl.pem
•
http://example.com/crl.der
•
http://example.com/ca.crl
•
https://example.com/allcrls.zip
•
https://example.com/allcrls.gz
4.
Enter the Daily update time (in UTC). This is the approximate time of day when the Expressway will attempt to
update its CRLs from the distribution points.
update its CRLs from the distribution points.
5.
Click Save.
Manual CRL Updates
You can upload CRL files manually to the Expressway. Certificates presented by external policy servers can only be
validated against manually loaded CRLs.
validated against manually loaded CRLs.
To upload a CRL file:
1.
Go to Maintenance > Security certificates > CRL management.
2.
Click Browse and select the required file from your file system. It must be in PEM encoded format.
3.
Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
Click Remove revocation list if you want to remove the manually uploaded file from the Expressway.
If a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.
Online Certificate Status Protocol (OCSP)
The Expressway can establish a connection with an OCSP responder to query the status of a particular
certificate.The Expressway determines the OCSP responder to use from the responder URI listed in the certificate
being verified. The OCSP responder sends a status of 'good', 'revoked' or 'unknown' for the certificate.
certificate.The Expressway determines the OCSP responder to use from the responder URI listed in the certificate
being verified. The OCSP responder sends a status of 'good', 'revoked' or 'unknown' for the certificate.
The benefit of OCSP is that there is no need to download an entire revocation list. OCSP is supported for SIP TLS
connections only. See below for information on how to enable OCSP.
connections only. See below for information on how to enable OCSP.
Outbound communication from the Expressway-E is required for the connection to the OCSP responder. Check the
port number of the OCSP responder you are using (typically this is port 80 or 443) and ensure that outbound
communication is allowed to that port from the Expressway-E.
port number of the OCSP responder you are using (typically this is port 80 or 443) and ensure that outbound
communication is allowed to that port from the Expressway-E.
Configuring Revocation Checking for SIP TLS Connections
You must also configure how certificate revocation checking is managed for SIP TLS connections.
16
Cisco Expressway Certificate Creation and Use Deployment Guide
Managing Certificate Revocation Lists (CRLs)