Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Maintenance
Cisco VCS Administrator Guide (X7.1)
Page 267 of 479
2. Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
You can click Remove revocation list if you want to remove the manually uploaded file from the VCS.
Note that if a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.
Automatic CRL updates
Alternatively, you can configure the VCS to perform automatic CRL updates. This ensures the latest CRLs
are available for certificate validation.
are available for certificate validation.
Automatically uploaded CRL files override any manually loaded CRL files. (Note: the VCS uses manually
loaded CRLs only when validating certificates presented by external policy servers.)
loaded CRLs only when validating certificates presented by external policy servers.)
To configure the VCS to use automatic CRL updates:
1. Set Automatic CRL updates to Enabled.
2. Enter the set of HTTP distribution points from where the VCS can obtain CRL files. Note that:
l
you must specify each distribution point on a new line
l
only HTTP distribution points are supported
l
PEM and DER encoded CRL files are supported
l
the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing CRL files
l
this feature is not supported over IPv6
3. Enter the Daily update time (in UTC). This is the approximate time of day when the VCS will attempt to
update its CRLs from the distribution points.
4. Click Save.
Certificate-based authentication configuration
The
Certificate-based authentication configuration
page (
Maintenance > Certificate management >
Certificate-based authentication configuration
) is used to configure how the VCS retrieves authorization
credentials (the username) from a client browser's certificate.
This configuration is required if Client certificate-based security (as defined on the
page) has been
set to Certificate-based authentication. This setting means that the standard login mechanism is no longer
available and that administrators (and FindMe user accounts, if accessed via the VCS) can log in only if they
present a valid browser certificate — typically provided via a smart card (also referred to as a Common
Access Card or CAC) — and the certificate contains appropriate credentials that have a suitable
authorization level.
available and that administrators (and FindMe user accounts, if accessed via the VCS) can log in only if they
present a valid browser certificate — typically provided via a smart card (also referred to as a Common
Access Card or CAC) — and the certificate contains appropriate credentials that have a suitable
authorization level.
Enabling certificate-based authentication
The recommended procedure for enabling certificate-based authentication is described below:
1. Add the VCS's trusted CA and server certificate files (on the
Security certificates
page).
2. Configure certificate revocation lists (on the
CRL management
page).
3. Use the
Client certificate testing
page to verify that the client certificate you intend to use is valid.
4. Set Client certificate-based security to Certificate validation (on the
System administration
page).