Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Maintenance
Cisco VCS Administrator Guide (X7.0)
Page 272 of 488
To upload a CRL file:
1. Click Browse and select the required file from your file system. The CRL file must be in PEM encoded
format.
2. Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
You can click Remove revocation list if you want to remove the manually uploaded file from the VCS.
Note that if a certificate authority's CRL expires, all certificates issued by that CA will be treated as
revoked.
revoked.
Automatic CRL updates
You can also configure the VCS to perform automatic CRL updates. This ensures the latest CRLs are
available for certificate validation. Automatically uploaded CRL files are used for certificate validation in
the following areas:
available for certificate validation. Automatically uploaded CRL files are used for certificate validation in
the following areas:
n
when client browsers communicate with the VCS over HTTPS; automatically loaded CRLs override
any manually loaded CRL files
any manually loaded CRL files
To configure automatic CRL updates:
1. Set Automatic CRL updates to Enabled.
2. Enter the set of HTTP distribution points from where the VCS can obtain CRL files. Note that:
l
you must specify each distribution point on a new line
l
only HTTP distribution points are supported
l
PEM and DER encoded CRL files are supported
l
the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing CRL files
l
this feature is not supported over IPv6
3. Enter the Daily update time (in UTC). This is the approximate time of day when the VCS will attempt
to update its CRLs from the distribution points.
4. Click Save.
Note that CRL data uploaded here is not used to validate TLS connections with an LDAP server for
remote login account authentication. CRL data for this purpose must be contained within the Trusted
CA certificate file.
remote login account authentication. CRL data for this purpose must be contained within the Trusted
CA certificate file.
Certificate-based authentication configuration
The
Certificate-based authentication configuration
page (
Maintenance > Certificate management
> Certificate-based authentication configuration
) is used to configure how the VCS retrieves
authorization credentials (the username) from a client browser's certificate.
This configuration is required if Client certificate-based security (as defined on the
page) has
been set to Certificate-based authentication. This setting means that the standard login mechanism is no
longer available and that administrators (and FindMe user accounts) can log in only if they present a valid
browser certificate — typically provided via a smart card (also referred to as a Common Access Card or
CAC) — and the certificate contains appropriate credentials that have a suitable authorization level.
longer available and that administrators (and FindMe user accounts) can log in only if they present a valid
browser certificate — typically provided via a smart card (also referred to as a Common Access Card or
CAC) — and the certificate contains appropriate credentials that have a suitable authorization level.