Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 51 Configuring Appliance Settings
Using Custom HTTPS Certificates
Step 6
Open any intermediate certificates you need to provide, copy the entire block of text for each, and paste it into the Certificate Chain field.
Step 7
Click Save to upload the certificate.
The certificate uploads and the HTTPS Certificate page updates to reflect the new certificate.
Configuring User Certificates
License: Any
You can restrict access to the FireSIGHT System web server using client browser certificate checking.
When you enable user certificates, the web server checks that a user’s browser client has a valid user
certificate selected. That user certificate must be generated by the same trusted certificate authority used
for the server certificate. If the user selects a certificate in the browser that is not valid or not generated
by a certificate authority in the certificate chain on the device, the browser cannot load the web interface.
You can also load a certificate revocation list (CRL) for the server. The CRL lists any certificates that
have been revoked by the certificate authority, so the web server can verify that the client browser
certificate has not been revoked. If the user selects a certificate that is listed in the CRL as a revoked
certificate, the browser cannot load the web interface. The appliance supports upload of CRLs in
Distinguished Encoding Rules (DER) format. You can only load one CRL for a server.
To ensure that the list of revoked certificates stays current, you can create a scheduled task to update the
CRL. The most recent refresh of the CRL is listed in the interface.
Make sure you use the same certificate authority used for the server certificate and that you have
uploaded the intermediate certificate for the certificates. For more information, see
To require valid user certificates:
Access: Admin
Step 1
Select System > Local > Configuration.
The Information page appears.
Step 2
Click HTTPS Certificate.
The HTTPS Certificate page appears.
Step 3
Select Enable User Certificates.
The Enable Fetching of CRL option appears.
Step 4
Optionally, select Enable Fetching of CRL.
The remaining CRL configuration options appear.
Step 5
Type a valid URL to an existing CRL file and click Refresh CRL.
The current CRL at the supplied URL loads to the server.
Note
Enabling fetching of the CRL creates a scheduled task to update the CRL on a regular basis. Edit the task
to set the frequency of the update. For more information, see
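Added example (not part of the Cisco guide): a pre-flight check for the file behind the CRL URL entered in Step 5, confirming that it is DER rather than PEM and that its nextUpdate time has not passed. It reads only the date fields and does not verify the CRL signature; the function names and the sample CRL (a skeleton with a placeholder signature) are constructed for illustration.

```python
import base64
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_dates(der):
    """Walk CertificateList -> tbsCertList and return (thisUpdate, nextUpdate)."""
    tag, outer, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs = read_tlv(outer, 0)[1]
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0x02 else 0  # skip the optional version INTEGER
    for _ in range(2):  # skip signature AlgorithmIdentifier, then issuer Name
        pos = read_tlv(tbs, pos)[2]
    t, v, pos = read_tlv(tbs, pos)
    this_update, next_update = parse_time(t, v), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):  # nextUpdate is optional
        next_update = parse_time(*read_tlv(tbs, pos)[:2])
    return this_update, next_update

def preflight(data, now):
    """Report whether a fetched CRL needs PEM-to-DER conversion and whether it is stale."""
    was_pem = data.lstrip().startswith(b"-----BEGIN X509 CRL-----")
    if was_pem:  # drop the armor lines and decode the base64 body to DER
        data = base64.b64decode(b"".join(l for l in data.splitlines() if b"-----" not in l))
    _, next_update = crl_dates(data)
    return {"der": data, "needs_conversion": was_pem,
            "stale": next_update is not None and now > next_update}

# Constructed sample: minimal CRL skeleton with a placeholder (unverifiable) signature.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"Example CA"))))
TBS = tlv(0x30, b"\x02\x01\x01" + ALG + ISSUER
          + tlv(0x17, b"240101000000Z") + tlv(0x17, b"240108000000Z"))
SAMPLE_DER = tlv(0x30, TBS + ALG + b"\x03\x02\x00\x00")
```

With OpenSSL installed, `openssl crl -inform DER -in <file> -noout -nextupdate` reports the same date, and `openssl crl -inform PEM -outform DER` performs the conversion.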