Cisco Expressway Maintenance Manual
- when establishing SIP TLS connections, the CRL data sources are subject to the Certificate revocation checking settings on the SIP configuration page
- automatically uploaded CRL files override any manually loaded CRL files (except for when verifying SIP TLS connections, when both manually uploaded and automatically downloaded CRL data may be used)
- when validating certificates presented by external policy servers, the Expressway uses manually loaded CRLs only
- when validating TLS connections with an LDAP server for remote login account authentication, the Expressway uses CRL data within the Trusted CA certificate only
Automatic CRL updates
We recommend that the Expressway is configured to perform automatic CRL updates. This ensures that the latest CRLs are available for certificate validation.
To configure the Expressway to use automatic CRL updates:
1. Go to Maintenance > Security certificates > CRL management.
2. Set Automatic CRL updates to Enabled.
3. Enter the set of HTTP(S) distribution points from where the Expressway can obtain CRL files. Note that:
   - you must specify each distribution point on a new line
   - only HTTP(S) distribution points are supported; if HTTPS is used, the distribution point server itself must have a valid certificate
   - PEM and DER encoded CRL files are supported
   - the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing CRL files
4. Enter the Daily update time (in UTC). This is the approximate time of day when the Expressway will attempt to update its CRLs from the distribution points.
5. Click Save.
Manual CRL updates
CRL files can also be uploaded manually to the Expressway. Certificates presented by external policy servers can only be validated against manually loaded CRLs.
To upload a CRL file:
1. Go to Maintenance > Security certificates > CRL management.
2. Click Browse and select the required file from your file system. It must be in PEM encoded format.
3. Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
Click Remove revocation list if you want to remove the manually uploaded file from the Expressway.
Note that if a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.
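Because an expired CRL makes the Expressway treat every certificate from that CA as revoked, it is worth checking a CRL's nextUpdate before uploading it manually, and confirming that its validity window comfortably outlasts the daily automatic update interval. The following is an added illustration, not Cisco's code: a standard-library-only Python check that accepts either of the two encodings the Expressway supports (PEM or DER), reads thisUpdate and nextUpdate with a minimal DER walker (it does not verify the CRL signature), and classifies the CRL as ok, short (one missed daily update would leave it expired) or expired. The sample CRL at the end is constructed inline with a dummy signature and does not belong to any real CA.

```python
import base64, re
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):                                         # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(data):
    """Return (thisUpdate, nextUpdate) from a PEM- or DER-encoded CRL; the signature is NOT verified."""
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    _, cert_list, _ = _tlv(der)                              # CertificateList ::= SEQUENCE
    _, tbs, _ = _tlv(cert_list)                              # tbsCertList ::= SEQUENCE
    f = _children(tbs)
    i = 3 if f[0][0] == 0x02 else 2                          # skip [version,] signature, issuer
    return _time(*f[i]), _time(*f[i + 1])                    # thisUpdate, nextUpdate

def check_crl(data, now, update_interval=timedelta(days=1)):
    """'expired': every cert from this CA is now treated as revoked; 'short': one missed daily update would expire it."""
    _, next_update = crl_validity(data)
    if now >= next_update:
        return "expired"
    return "short" if next_update - now < update_interval else "ok"

# Constructed sample (not a real CA): minimal DER CRL, one revoked serial, dummy signature bits.
def _der(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload
ALG_ID = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Constructed Test CA"))))
TBS = _der(0x30, _der(0x02, b"\x01") + ALG_ID + ISSUER + _der(0x17, b"240101000000Z") + _der(0x17, b"240108000000Z")
           + _der(0x30, _der(0x30, _der(0x02, b"\x10\x01") + _der(0x17, b"240102120000Z"))))
SAMPLE_CRL_DER = _der(0x30, TBS + ALG_ID + _der(0x03, b"\x00" * 9))
SAMPLE_CRL_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL_DER) + b"-----END X509 CRL-----\n"
```

Run `check_crl(open("some.crl", "rb").read(), datetime.now(timezone.utc))` against a CRL fetched from one of the configured distribution points; a "short" result means the CA publishes CRLs with a validity window too close to the Expressway's daily update cadence.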
Configuring revocation checking for SIP TLS connections
You must also configure how certificate revocation checking is managed for SIP TLS connections.
1. Go to Configuration > SIP.
2. Scroll down to the Certificate revocation checking section and configure the settings accordingly:
Cisco Expressway Administrator Guide (X8.1)
Page 182 of 344
Maintenance
About security certificates