Cisco Expressway Maintenance Manual
To upload a CRL file:
1. Go to Maintenance > Security certificates > CRL management.
2. Click Browse and select the required file from your file system. It must be in PEM encoded format.
3. Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
Click Remove revocation list if you want to remove the manually uploaded file from the Expressway.
If a certificate authority's CRL expires (its nextUpdate time passes), all certificates issued by that CA will be treated as revoked, so a manually uploaded CRL must be replaced with a current one before it expires.
Online Certificate Status Protocol (OCSP)
The Expressway can establish a connection with an OCSP responder to query the status of a particular certificate. The Expressway determines the OCSP responder to use from the responder URI listed in the certificate being verified. The OCSP responder sends a status of 'good', 'revoked' or 'unknown' for the certificate.
The benefit of OCSP is that there is no need to download an entire revocation list. OCSP is supported for
SIP TLS connections only. See below for information on how to enable OCSP.
Outbound communication from the Expressway-E is required for the connection to the OCSP responder.
Check the port number of the OCSP responder you are using (typically this is port 80 or 443) and ensure that
outbound communication is allowed to that port from the Expressway-E.
Configuring revocation checking for SIP TLS connections
You must also configure how certificate revocation checking is managed for SIP TLS connections.
1. Go to Configuration > SIP.
2. Scroll down to the Certificate revocation checking section and configure the settings accordingly:
Field: Certificate revocation checking mode
Description: Controls whether revocation checking is performed for certificates exchanged during SIP TLS connection establishment.
Usage tips: We recommend that revocation checking is enabled.

Field: Use OCSP
Description: Controls whether the Online Certificate Status Protocol (OCSP) may be used to perform certificate revocation checking.
Usage tips: To use OCSP, the X.509 certificate to be checked must contain an OCSP responder URI.

Field: Use CRLs
Description: Controls whether Certificate Revocation Lists (CRLs) are used to perform certificate revocation checking.
Usage tips: CRLs can be used if the certificate does not support OCSP. CRLs can be loaded manually onto the Expressway, downloaded automatically from preconfigured URIs (see the Maintenance > Security certificates > CRL management page), or downloaded automatically from a CRL distribution point (CDP) URI contained in the X.509 certificate.
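The checks an administrator would want to run before uploading a CRL (PEM encoding, the expected issuing CA, nextUpdate still in the future, since an expired CRL makes every certificate from that CA look revoked) and the inspection of a peer certificate for an OCSP responder URI and a CDP URI, as an added example in Python using the third-party cryptography library. This is not Cisco's code and does not run on the Expressway: it builds a throwaway lab CA, leaf certificate and CRL in memory, and the hosts ocsp.example.test and crl.example.test are hypothetical. The revocation_source function models the selection rule the table describes (OCSP when the certificate carries a responder URI, CRLs otherwise); that precedence is an assumption for illustration, not a statement of the Expressway's internal logic.

```python
# Added example (not Cisco's code): pre-upload CRL checks and peer-certificate inspection.
# Needs the third-party 'cryptography' package; every host, name and key is a constructed lab value.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

OCSP_URI = "http://ocsp.example.test"        # hypothetical OCSP responder
CDP_URI = "http://crl.example.test/lab.crl"  # hypothetical CRL distribution point

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_lab_pki(with_ocsp=True, crl_age_days=0, crl_lifetime_days=7, revoke_leaf=False):
    """Throwaway CA, leaf cert with CDP (and optionally AIA/OCSP) extensions, and a PEM CRL
    valid from now-crl_age_days for crl_lifetime_days. Returns (ca_cert, leaf_cert, crl_pem)."""
    now, day = dt.datetime.now(dt.timezone.utc), dt.timedelta(days=1)
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_cert = (x509.CertificateBuilder()
               .subject_name(_name("Lab CA")).issuer_name(_name("Lab CA"))
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - day).not_valid_after(now + 365 * day)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    leaf = (x509.CertificateBuilder()
            .subject_name(_name("expressway-e.example.test")).issuer_name(ca_cert.subject)
            .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - day).not_valid_after(now + 90 * day)
            # CDP: where the Expressway could fetch this CA's CRL automatically.
            .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                full_name=[x509.UniformResourceIdentifier(CDP_URI)],
                relative_name=None, reasons=None, crl_issuer=None)]), critical=False))
    if with_ocsp:  # AIA/OCSP: the responder URI the Expressway reads from the certificate
        leaf = leaf.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URI))]),
            critical=False)
    leaf_cert = leaf.sign(ca_key, hashes.SHA256())
    issued = now - crl_age_days * day
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
           .last_update(issued).next_update(issued + crl_lifetime_days * day))
    if revoke_leaf:
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                          .serial_number(leaf_cert.serial_number)
                                          .revocation_date(issued).build())
    crl_pem = crl.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
    return ca_cert, leaf_cert, crl_pem

def _next_update(crl):
    """nextUpdate as an aware UTC datetime, across cryptography versions."""
    nu = crl.next_update_utc if hasattr(crl, "next_update_utc") else crl.next_update
    return nu if nu.tzinfo else nu.replace(tzinfo=dt.timezone.utc)

def ocsp_responder_uris(cert):
    """OCSP responder URIs from the AIA extension; an empty list means OCSP cannot be used."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]

def cdp_uris(cert):
    """CRL distribution point URIs carried in the certificate; empty means none."""
    try:
        cdps = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in cdps for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def check_crl_for_upload(crl_pem, ca_cert, now=None):
    """Run before uploading: PEM-parsable, issued and signed by the expected CA, and not past
    nextUpdate (an expired CRL makes every certificate from that CA look revoked)."""
    try:
        crl = x509.load_pem_x509_crl(crl_pem)
    except ValueError:
        return "not-pem"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-signature"
    return "expired" if _next_update(crl) <= (now or dt.datetime.now(dt.timezone.utc)) else "ok"

def revocation_source(cert, use_ocsp=True, use_crls=True):
    """Source the checker would consult, modelling the table's rule (OCSP when the certificate
    carries a responder URI, CRLs otherwise); the precedence is an assumption, not Cisco's spec."""
    if use_ocsp and ocsp_responder_uris(cert):
        return ("ocsp", ocsp_responder_uris(cert)[0])
    if use_crls:  # CDP URI if present, otherwise only a manually uploaded CRL can serve
        return ("crl", (cdp_uris(cert) or ["manual-upload"])[0])
    return ("none", None)

def crl_says_revoked(crl_pem, cert, ca_cert, now=None):
    """Offline CRL verdict: True if the serial is listed, or if the CRL itself has expired."""
    status = check_crl_for_upload(crl_pem, ca_cert, now)
    if status not in ("ok", "expired"):
        raise ValueError("unusable CRL: " + status)
    crl = x509.load_pem_x509_crl(crl_pem)
    return status == "expired" or crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

Run check_crl_for_upload against the CA certificate you expect to have issued the CRL before clicking Upload CRL file; a "bad-signature" result on a CRL downloaded from a CDP is the case worth investigating, and an "expired" result means the file would mark every certificate from that CA as revoked the moment it is loaded.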
Cisco Expressway Administrator Guide (X8.5.2)
Page 229 of 403