Cisco Cisco TelePresence Video Communication Server Expressway

Manual CRL Updates

You can upload CRL files manually to the VCS. Certificates presented by external policy servers can only be validated
against manually loaded CRLs.

To upload a CRL file:

Go to Maintenance > Security certificates > CRL management.

Click Browse and select the required file from your file system. It must be in PEM encoded format.

Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.

Click Remove revocation list if you want to remove the manually uploaded file from the VCS.

If a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.

Online Certificate Status Protocol (OCSP)

The VCS can establish a connection with an OCSP responder to query the status of a particular certificate.The VCS
determines the OCSP responder to use from the responder URI listed in the certificate being verified. The OCSP
responder sends a status of 'good', 'revoked' or 'unknown' for the certificate.

The benefit of OCSP is that there is no need to download an entire revocation list. OCSP is supported for SIP TLS
connections only. See below for information on how to enable OCSP.

Outbound communication from the VCS Expressway is required for the connection to the OCSP responder. Check the
port number of the OCSP responder you are using (typically this is port 80 or 443) and ensure that outbound
communication is allowed to that port from the VCS Expressway.

Configuring Revocation Checking for SIP TLS Connections

You must also configure how certificate revocation checking is managed for SIP TLS connections.

Cisco VCS Certificate Creation and Use Deployment Guide