Cisco Cisco TelePresence Video Communication Server Expressway
Managing certificate revocation lists (CRLs)
Certificate revocation list (CRL) files are used by the VCS to validate certificates presented by client
browsers and external systems that communicate with the VCS over TLS/HTTPS. A CRL identifies those
certificates that have been revoked and can no longer be used to communicate with the VCS.
browsers and external systems that communicate with the VCS over TLS/HTTPS. A CRL identifies those
certificates that have been revoked and can no longer be used to communicate with the VCS.
We recommend that you upload CRL data for the CAs that sign TLS/HTTPS client and server certificates.
When enabled, CRL checking is applied for every CA in the chain of trust.
When enabled, CRL checking is applied for every CA in the chain of trust.
CRL sources
The VCS can obtain CRL information from multiple sources:
n
automatic downloads of CRL data from CRL distribution points
n
through OCSP (Online Certificate Status Protocol) responder URIs in the certificate to be checked (SIP
TLS only)
TLS only)
n
manual upload of CRL data
n
CRL data embedded within the VCS's
Trusted CA certificate
file
The following limitations and usage guidelines apply:
n
when establishing SIP TLS connections, the CRL data sources are subject to the
Certificate revocation
checking
settings on the
SIP
configuration page
n
automatically uploaded CRL files override any manually loaded CRL files (except for when verifying
SIP TLS connections, when both manually uploaded or automatically downloaded CRL data may be used)
SIP TLS connections, when both manually uploaded or automatically downloaded CRL data may be used)
n
when validating certificates presented by external policy servers, the VCS uses manually loaded CRLs
only
only
n
when validating TLS connections with an LDAP server for remote login account authentication, the VCS
uses CRL data within the
uses CRL data within the
Trusted CA certificate
only
Automatic CRL updates
We recommend that the VCS is configured to perform automatic CRL updates. This ensures that the latest
CRLs are available for certificate validation.
CRLs are available for certificate validation.
To configure the VCS to use automatic CRL updates:
1. Go to
Maintenance > Security certificates > CRL management
.
2. Set Automatic CRL updates to Enabled.
3. Enter the set of HTTP(S) distribution points from where the VCS can obtain CRL files. Note that:
l
you must specify each distribution point on a new line
l
only HTTP(S) distribution points are supported; if HTTPS is used, the distribution point server itself
must have a valid certificate
must have a valid certificate
l
PEM and DER encoded CRL files are supported
l
the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing CRL files
4. Enter the Daily update time (in UTC). This is the approximate time of day when the VCS will attempt to
update its CRLs from the distribution points.
5. Click Save.
Cisco VCS Certificate Creation and Use
Page 11 of 25
Managing certificate revocation lists (CRLs)