Cisco Expressway Maintenance Manual
Outbound communication from the Expressway-E is required for the connection to the OCSP responder. Check the port number of the OCSP responder you are using (typically this is port 80 or 443) and ensure that outbound communication is allowed to that port from the Expressway-E.
Configuring Revocation Checking for SIP TLS Connections
You must also configure how certificate revocation checking is managed for SIP TLS connections.
1. Go to Configuration > SIP.
2. Scroll down to the Certificate revocation checking section and configure the settings accordingly:
Field: Certificate revocation checking mode
Description: Controls whether revocation checking is performed for certificates exchanged during SIP TLS connection establishment.
Usage tips: We recommend that revocation checking is enabled.

Field: Use OCSP
Description: Controls whether the Online Certificate Status Protocol (OCSP) may be used to perform certificate revocation checking.
Usage tips: To use OCSP, the X.509 certificate to be checked must contain an OCSP responder URI.

Field: Use CRLs
Description: Controls whether Certificate Revocation Lists (CRLs) are used to perform certificate revocation checking.
Usage tips: CRLs can be used if the certificate does not support OCSP. CRLs can be loaded manually onto the Expressway, downloaded automatically from preconfigured URIs (see ), or downloaded automatically from a CRL distribution point (CDP) URI contained in the X.509 certificate.

Field: Allow CRL downloads from CDPs
Description: Controls whether the download of CRLs from the CDP URIs contained in X.509 certificates is allowed.

Field: Fallback behavior
Description: Controls the revocation checking behavior if the revocation status cannot be established, for example if the revocation source cannot be contacted.
  Treat as revoked: treat the certificate as revoked (and thus do not allow the TLS connection).
  Treat as not revoked: treat the certificate as not revoked.
  Default: Treat as not revoked
Usage tips: Treat as not revoked ensures that your system continues to operate in a normal manner if the revocation source cannot be contacted; however, it does potentially mean that revoked certificates will be accepted.
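To make the interplay of these five settings concrete, here is an added Python model of the decision procedure (example code written for this page, not Expressway's implementation). It assumes OCSP is tried before CRLs when the certificate carries a responder URI, stands in for the network with callbacks, and omits issuer matching for fetched CRLs.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


class SourceUnreachable(Exception):
    """The OCSP responder or CRL URI could not be contacted."""


@dataclass
class RevocationSettings:
    """One attribute per setting in the 'Certificate revocation checking' section."""
    checking_enabled: bool = True            # Certificate revocation checking mode
    use_ocsp: bool = True                    # Use OCSP
    use_crls: bool = True                    # Use CRLs
    allow_cdp_downloads: bool = True         # Allow CRL downloads from CDPs
    fallback_treat_as_revoked: bool = False  # Fallback behavior (default: Treat as not revoked)
    preconfigured_crl_uris: List[str] = field(default_factory=list)  # manually loaded / preconfigured CRLs


@dataclass
class CertInfo:
    """The revocation-relevant parts of a peer's X.509 certificate (constructed for the example)."""
    serial: int
    ocsp_uri: Optional[str] = None  # OCSP responder URI in the certificate, if any
    cdp_uri: Optional[str] = None   # CRL distribution point URI in the certificate, if any


# Stand-ins for network access (assumed callbacks, not a real API):
#   ocsp_query(uri, serial) -> True if the responder reports the serial revoked
#   crl_fetch(uri) -> set of revoked serials listed in the CRL at that URI
OcspQuery = Callable[[str, int], bool]
CrlFetch = Callable[[str], Set[int]]


def allow_connection(settings: RevocationSettings, cert: CertInfo,
                     ocsp_query: OcspQuery, crl_fetch: CrlFetch) -> bool:
    """Return True if the SIP TLS connection should be allowed under these settings."""
    if not settings.checking_enabled:
        return True  # revocation checking is off: status is never consulted
    if settings.use_ocsp and cert.ocsp_uri:  # assumption: OCSP is consulted before CRLs
        try:
            return not ocsp_query(cert.ocsp_uri, cert.serial)
        except SourceUnreachable:
            pass  # responder down: fall through to CRL sources
    if settings.use_crls:
        uris = list(settings.preconfigured_crl_uris)
        if settings.allow_cdp_downloads and cert.cdp_uri:
            uris.append(cert.cdp_uri)  # CDP download only when explicitly allowed
        for uri in uris:
            try:
                return cert.serial not in crl_fetch(uri)
            except SourceUnreachable:
                continue  # try the next CRL source
    # No source could establish status: apply the configured Fallback behavior.
    return not settings.fallback_treat_as_revoked
```

The last two branches are the ones the Usage tips warn about: with every source unreachable, the default fallback accepts the certificate, and only Treat as revoked refuses it.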
Configuring Certificate-Based Authentication
The Certificate-based authentication configuration page (Maintenance > Security certificates > Certificate-based authentication configuration) is used to configure how the Expressway retrieves authorization credentials (the username) from a client browser's certificate.
page) has been set to Certificate-based authentication. This setting means that the standard login mechanism is no longer available and that administrators can log in only if they present a valid browser certificate — typically provided via a smart card (also
Cisco Expressway Administrator Guide