Cisco ACE Application Control Engine Module
Release Note for the Cisco Application Control Engine Module
OL-22471-01
New Software Features in Version A2(2.0)
Using CRLs for Server Authentication
By default, the ACE does not use certificate revocation lists (CRLs) during server authentication. You
can configure the SSL proxy service to use a CRL in one of the following ways:
• The ACE can scan each server certificate for the service to determine if it contains a CDP pointing
to a CRL in the certificate extension and then retrieve the CRL from that location if the CDP is valid.
• You can manually configure the CRL to download to the ACE (see the section).
Note
By default, the ACE does not reject server certificates when the CRL in use has passed its update date.
To configure the ACE to reject certificates when the CRL is expired, use the expired-crl reject
command. For more information, see the section.
You can determine which CRL information to use for server authentication by using the crl command in
SSL proxy configuration mode. The syntax of this command is as follows:
crl {crl_name | best-effort}
The argument and keyword are as follows:
• crl_name—Name that you assigned to the CRL when you downloaded it with the configuration
mode crypto crl command. See the section.
• best-effort—Specifies that the ACE scans each server certificate to determine if it contains a CDP
pointing to a CRL in the certificate extension and then retrieves the CRLs from that location, if the
CDP is valid.
For example, to enable the CRL1 CRL for server authentication on an SSL proxy service, enter the
following command:
host1/Admin(config-ssl-proxy)# crl CRL1
When the ACE checks a server certificate against the downloaded CRL database and accepts it (the
certificate is not listed in the CRL), a successful SSL connection to an SSL real server increments the
following show stats crypto client counters:
• Total SSL server authentications
• SSL static CRL lookups
To scan the server certificate for CRL information, enter the following command:
host1/Admin(config-ssl-proxy)# crl best-effort
When the ACE accepts a server certificate on a best-effort-CRL-enabled connection and the certificate
is not found in the downloaded CRL database, a successful SSL connection to an SSL real server
increments the following show stats crypto client counters:
• Total SSL server authentications
• SSL best effort CRL lookups
After the certificate is validated and cached in the ACE, subsequent SSL connections without session
reuse to the same SSL server increment the following show stats crypto client counters:
• Total SSL server authentications
• SSL best effort CRL lookups
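The following configuration walk-through is an added example written for this page; it is not taken
from the release note or from Cisco's documentation. It puts the default setting (no CRL checked, so a
revoked real-server certificate is still accepted) beside the hardened setting (a named CRL plus
expired-crl reject, so the ACE also fails closed when the CRL is stale), and ends with the show stats
crypto client check used to confirm that the lookups are happening. The names CRL1, SERVER_AUTH,
BACKEND_SSL and backend-ca.pem, the CRL URL, and the exact argument order of the crypto crl and
crypto authgroup commands are assumptions for illustration; confirm them against the ACE
configuration guide for your release.

```text
! Added example, not from the release note. Names, URL and the crypto crl /
! crypto authgroup argument order are assumptions; only the crl, best-effort and
! expired-crl reject keywords are taken from the text above.

! 1. Download the CRL and give it a name (configuration mode crypto crl command).
host1/Admin(config)# crypto crl CRL1 http://crl.example.com/backend-ca.crl

! 2. Trust the CA that issued the real-server certificates.
host1/Admin(config)# crypto authgroup SERVER_AUTH
host1/Admin(config-authgroup)# cert backend-ca.pem
host1/Admin(config-authgroup)# exit

! 3. Weak (default) setting: the proxy service authenticates the server
!    against the CA but consults no CRL, so a revoked certificate still passes.
host1/Admin(config)# ssl-proxy service BACKEND_SSL
host1/Admin(config-ssl-proxy)# authgroup SERVER_AUTH

! 4. Hardened setting: look the server certificate up in CRL1, and reject
!    certificates rather than accept them when CRL1 is past its update date.
host1/Admin(config-ssl-proxy)# crl CRL1
host1/Admin(config-ssl-proxy)# expired-crl reject
host1/Admin(config-ssl-proxy)# exit

! Alternative to step 4 when the CRL location should come from each server
! certificate's CDP extension instead of a statically downloaded file:
! host1/Admin(config-ssl-proxy)# crl best-effort

! 5. After a connection to the real server, confirm that the lookups occur:
!    with "crl CRL1" the SSL static CRL lookups counter increments;
!    with "crl best-effort" the SSL best effort CRL lookups counter increments.
host1/Admin# show stats crypto client
```

If neither lookup counter moves while Total SSL server authentications does, the service is still
running with the default of no CRL checking, which is the condition the hardened setting is meant to
remove.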