Cisco Cisco Expressway
o
http://example.com/crl.pem
o
http://example.com/crl.der
o
http://example.com/ca.crl
o
https://example.com/allcrls.zip
o
https://example.com/allcrls.gz
4. Enter the Daily update time (in UTC). This is the approximate time of day when the Expressway will
attempt to update its CRLs from the distribution points.
5. Click Save.
Manual CRL updates
CRL files can also be uploaded manually to the Expressway. Certificates presented by external policy
servers can only be validated against manually loaded CRLs.
servers can only be validated against manually loaded CRLs.
To upload a CRL file:
1. Go to
Maintenance > Security certificates > CRL management
.
2. Click Browse and select the required file from your file system. It must be in PEM encoded format.
3. Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
Click Remove revocation list if you want to remove the manually uploaded file from the Expressway.
Note that if a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.
Configuring revocation checking for SIP TLS connections
You must also configure how certificate revocation checking is managed for SIP TLS connections.
1. Go to
Configuration > SIP
.
2. Scroll down to the
Certificate revocation checking
section and configure the settings accordingly:
Field
Description
Usage tips
Certificate
revocation
checking
mode
revocation
checking
mode
Controls whether revocation checking is performed for
certificates exchanged during SIP TLS connection
establishment.
certificates exchanged during SIP TLS connection
establishment.
We recommend that revocation
checking is enabled.
checking is enabled.
Use OCSP
Controls whether the Online Certificate Status Protocol
(OCSP) may be used to perform certificate revocation
checking.
(OCSP) may be used to perform certificate revocation
checking.
To use OCSP, the X.509 certificate
to be checked must contain an
OCSP responder URI.
to be checked must contain an
OCSP responder URI.
Use CRLs
Controls whether Certificate Revocation Lists (CRLs)
are used to perform certificate revocation checking.
are used to perform certificate revocation checking.
CRLs can be used if the certificate
does not support OCSP.
does not support OCSP.
Allow CRL
downloads
from CDPs
downloads
from CDPs
Controls whether the download of CRLs from the CDP
URIs contained in X.509 certificates is allowed.
URIs contained in X.509 certificates is allowed.
Cisco Expressway Certificate Creation and Use Deployment Guide (X8.2)
Page 15 of 29
Managing certificate revocation lists (CRLs)