Cisco Web Security Appliance S670 Troubleshooting Guide

If the WSA did not strip the CRL information, a client that tried to check the CRL would find that
the certificate and the CRL are signed by different certificate authorities, and would either ignore the CRL
or flag an error. Furthermore, under some circumstances the WSA changes the serial number in the generated
certificate so that it differs from the serial number in the original certificate. This means that, even if a
client ignored the CA mismatch between the CRL and the WSA-generated certificate, the serial number
information would not be valid.
The best way to address the issue would be for the WSA to validate the CRL itself, on the client's behalf,
and then exclude the CRL information from the certificate. The WSA is not capable of doing this today.
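The re-issuance described above, as an added illustration that is not Cisco's code or the WSA's implementation: the Go program builds a throwaway public CA and proxy CA, re-issues an origin certificate the way the text describes (new issuer, new serial) both with and without the CRL/OCSP pointers, and applies the client-side consistency check that a retained CRL pointer fails. All CA names, URLs and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent (tmpl itself for a self-signed root); every key here is a throwaway test key.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now(), time.Now().Add(time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c
}

func newCA(cn string, serial int64) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(t, t, pub, key), key
}

// proxyReissue mimics the WSA: same subject, new serial and key, signed by the proxy CA; strip=false keeps the pointers.
func proxyReissue(orig, proxyCA *x509.Certificate, proxyKey ed25519.PrivateKey, strip bool) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: new(big.Int).Add(orig.SerialNumber, big.NewInt(1)), Subject: orig.Subject}
	if !strip {
		t.CRLDistributionPoints, t.OCSPServer = orig.CRLDistributionPoints, orig.OCSPServer
	}
	return issue(t, proxyCA, pub, proxyKey)
}

// crlUsable is the client-side check from the text: a CRL pointer only helps when the CRL signer is the cert's issuer.
func crlUsable(cert *x509.Certificate, crlSigner pkix.Name) bool {
	return len(cert.CRLDistributionPoints) == 0 || cert.Issuer.String() == crlSigner.String()
}

// scenario: origin certificate from a constructed public CA, then a stripped and a leaky proxy re-issue.
func scenario() (publicCA, orig, stripped, leaky *x509.Certificate) {
	publicCA, publicKey := newCA("Example Public CA", 1)
	proxyCA, proxyKey := newCA("WSA Proxy Root", 2)
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	orig = issue(&x509.Certificate{SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "www.example.com"},
		CRLDistributionPoints: []string{"http://crl.example.com/ca.crl"}, OCSPServer: []string{"http://ocsp.example.com"}},
		publicCA, pub, publicKey) // constructed URLs
	return publicCA, orig, proxyReissue(orig, proxyCA, proxyKey, true), proxyReissue(orig, proxyCA, proxyKey, false)
}
```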
On AsyncOS versions 7.7 and above:
Starting with AsyncOS Version 7.7, the WSA supports the Online Certificate Status Protocol (OCSP),
which is an alternative to CRLs.
When enabled, OCSP provides the ability to obtain the revocation status of an X.509 digital certificate.
Updated: Aug 13, 2014
Document ID: 118283