Cisco Systems OL-16647-01 User Manual

33-6
Cisco Security Appliance Command Line Configuration Guide
OL-16647-01
Chapter 33      Configuring Certificates
  Identity Certificates Authentication
To avoid having to retrieve the same CRL from a CA repeatedly, the security appliance can 
store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by 
platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL 
would exceed its storage limits, the security appliance removes the least recently used CRL until 
enough space becomes available.
Enforce next CRL update—Require valid CRLs to have a Next Update value that has not 
expired. Clearing the box allows valid CRLs with no Next Update value or a Next Update value 
that has expired.
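The two CRL behaviours described above (a bounded cache that evicts the least recently used CRL, and the "Enforce next CRL update" check) can be modelled in a few lines. The following is an added illustration written for this page, not Cisco code; the cache capacity, issuer names and NextUpdate values are constructed sample data, and a real CRL would of course be parsed from DER rather than built as a dataclass.

```python
"""Model of the CRL options above: an LRU-evicting CRL cache and the
'Enforce next CRL update' validity check. Added illustration, not Cisco
code; all sizes, issuers and timestamps are constructed sample values."""
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Crl:
    """Minimal stand-in for a parsed CRL: issuer, encoded size, NextUpdate."""
    issuer: str
    size: int
    next_update: Optional[datetime]  # None models a CRL with no NextUpdate field


def crl_is_valid(crl: Crl, enforce_next_update: bool, now: datetime) -> bool:
    """Apply the 'Enforce next CRL update' policy.

    Enforcing: the CRL must carry a NextUpdate value that is still in the future.
    Not enforcing: a missing or expired NextUpdate is tolerated.
    """
    if not enforce_next_update:
        return True
    return crl.next_update is not None and crl.next_update > now


class CrlCache:
    """Bounded cache keyed by issuer; evicts least recently used CRLs on overflow."""

    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes
        self.used = 0
        self._entries: "OrderedDict[str, Crl]" = OrderedDict()

    def get(self, issuer: str) -> Optional[Crl]:
        crl = self._entries.get(issuer)
        if crl is not None:
            self._entries.move_to_end(issuer)  # mark as most recently used
        return crl

    def put(self, crl: Crl) -> list:
        """Store a CRL, evicting LRU entries until it fits; return evicted issuers."""
        if crl.size > self.capacity:
            raise ValueError("CRL larger than total cache capacity")
        evicted = []
        if crl.issuer in self._entries:
            self.used -= self._entries.pop(crl.issuer).size  # replace existing entry
        while self.used + crl.size > self.capacity:
            victim, old = self._entries.popitem(last=False)  # oldest = least recently used
            self.used -= old.size
            evicted.append(victim)
        self._entries[crl.issuer] = crl
        self.used += crl.size
        return evicted

    def issuers(self) -> list:
        return list(self._entries)


def demo() -> dict:
    """Exercise eviction order and the NextUpdate policy with constructed CRLs."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    fresh = now + timedelta(days=1)
    cache = CrlCache(capacity_bytes=1000)
    cache.put(Crl("CA-A", 400, fresh))
    cache.put(Crl("CA-B", 400, fresh))
    cache.get("CA-A")  # touch A, so B is now the least recently used
    evicted = cache.put(Crl("CA-C", 300, fresh))  # 800 + 300 > 1000: B is evicted
    stale = Crl("CA-D", 100, now - timedelta(hours=1))  # NextUpdate already passed
    no_next = Crl("CA-E", 100, None)                      # no NextUpdate at all
    return {
        "evicted": evicted,
        "cached": cache.issuers(),
        "stale_strict": crl_is_valid(stale, True, now),
        "stale_lenient": crl_is_valid(stale, False, now),
        "no_next_strict": crl_is_valid(no_next, True, now),
        "no_next_lenient": crl_is_valid(no_next, False, now),
    }


if __name__ == "__main__":
    print(demo())
```

The practical point the model makes visible: with enforcement off, a CRL whose NextUpdate has passed is still accepted, so a revocation published after that CRL was issued is not seen until a fresh CRL happens to be fetched.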
OCSP Options
Server URL—Enter the URL for the OCSP server. The security appliance uses OCSP servers 
in the following order:
1. OCSP URL in a match certificate override rule 
2. OCSP URL configured in this OCSP Options attribute
3. AIA field of remote user certificate
Disable nonce extension—By default the OCSP request includes the nonce extension, which 
cryptographically binds requests with responses to avoid replay attacks. It works by matching 
the extension in the request to that in the response, ensuring that they are the same. Disable the 
nonce extension if the OCSP server you are using sends pre-generated responses that do not 
contain this matching nonce extension. 
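The responder precedence list and the nonce-binding check above are easy to get wrong in a client, so here is an added model of both; it is illustration code written for this page, not Cisco's implementation. The responder functions, URLs and serial number are constructed stand-ins, and the OCSP messages are simplified dataclasses rather than DER-encoded ASN.1.

```python
"""Model of the OCSP options above: responder URL precedence and nonce
binding of request to response. Added illustration, not Cisco code; the
responders, URLs and certificate serial are constructed sample values."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class OcspSource:
    override_url: Optional[str] = None    # from a 'match certificate' override rule
    configured_url: Optional[str] = None  # the OCSP Options 'Server URL' attribute
    aia_url: Optional[str] = None         # AIA extension of the remote user certificate


def select_ocsp_url(src: OcspSource) -> Optional[str]:
    """Return the first responder URL in the documented precedence order."""
    for url in (src.override_url, src.configured_url, src.aia_url):
        if url:
            return url
    return None


@dataclass
class OcspRequest:
    serial: int
    nonce: Optional[bytes]  # None when the nonce extension is disabled


@dataclass
class OcspResponse:
    serial: int
    status: str
    nonce: Optional[bytes]  # None when the responder omitted the extension


def build_request(serial: int, disable_nonce: bool) -> OcspRequest:
    """Nonce on by default; 'Disable nonce extension' leaves it out."""
    return OcspRequest(serial, None if disable_nonce else secrets.token_bytes(16))


def live_responder(req: OcspRequest) -> OcspResponse:
    """Responder that signs a fresh response per request and echoes the nonce."""
    return OcspResponse(req.serial, "good", req.nonce)


def pregenerated_responder(req: OcspRequest) -> OcspResponse:
    """Responder serving responses produced ahead of time: no request nonce possible."""
    return OcspResponse(req.serial, "good", None)


def response_acceptable(req: OcspRequest, resp: OcspResponse) -> bool:
    """Nonce check: if the request carried a nonce, the response must echo it.

    With the nonce disabled no binding is checked, so a previously captured
    response that is still within its validity window would not be rejected
    by this check alone; signature and validity-period checks (not modelled
    here) still apply.
    """
    if resp.serial != req.serial:
        return False
    if req.nonce is None:
        return True
    if resp.nonce is None:
        return False
    return hmac.compare_digest(req.nonce, resp.nonce)


def demo() -> dict:
    """Walk through precedence and the four nonce outcomes with constructed data."""
    url = select_ocsp_url(OcspSource(configured_url="http://ocsp.example.test",
                                     aia_url="http://aia.example.test"))
    req = build_request(0x1234, disable_nonce=False)
    stale = OcspResponse(0x1234, "good", secrets.token_bytes(16))  # answer to a different request
    req_no_nonce = build_request(0x1234, disable_nonce=True)
    return {
        "url": url,
        "live_ok": response_acceptable(req, live_responder(req)),
        "pregenerated_ok": response_acceptable(req, pregenerated_responder(req)),
        "other_request_ok": response_acceptable(req, stale),
        "pregenerated_ok_nonce_disabled": response_acceptable(
            req_no_nonce, pregenerated_responder(req_no_nonce)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the precedence function returns the configured Server URL even though the certificate carries an AIA URL, matching the order in the list above, and that "Disable nonce extension" is what turns the pre-generated responder's answer from rejected into accepted.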
Validation Policy
Specify the type of client connections that can be validated by this CA—Click SSL or IPSec 
to restrict the type of remote session this CA can be used to validate, or click SSL and IPSec to 
let the CA validate both types of sessions. 
Other Options
Accept certificates issued by this CA—Specify whether or not the security appliance should 
accept certificates from CA Name.
Accept certificates issued by the subordinate CAs of this CA
Identity Certificates Authentication
An Identity Certificate can be used to authenticate VPN access through the security appliance. Click the 
SSL Settings or the IPsec Connections links on the Identity Certificates panel for additional 
configuration information.
The Identity Certificates Authentication panel allows you to:
Add an Identity Certificate. See 
Display details of an Identity Certificate. See 
Delete an existing Identity Certificate. See .
Export an existing Identity Certificate. See 
Install an Identity Certificate. See 
Enroll for a certificate with Entrust. See Generate