Cisco Expressway Maintenance Manual
Automatic CRL Updates
We recommend that you configure the Expressway to perform automatic CRL updates. This ensures that the latest CRLs are available for certificate validation.
To configure the Expressway to use automatic CRL updates:
1. Go to Maintenance > Security certificates > CRL management.
2. Set Automatic CRL updates to Enabled.
3. Enter the set of HTTP(S) distribution points from where the Expressway can obtain CRL files.
Note:
— you must specify each distribution point on a new line
— only HTTP(S) distribution points are supported; if HTTPS is used, the distribution point server itself must have a valid certificate
— PEM and DER encoded CRL files are supported
— the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing multiple CRL files
— the file extensions in the URL or on any files unpacked from a downloaded archive do not matter as the Expressway will determine the underlying file type for itself; however, typical URLs could be in the format:
• http://example.com/crl.pem
• http://example.com/crl.der
• http://example.com/ca.crl
• https://example.com/allcrls.zip
• https://example.com/allcrls.gz
4. Enter the Daily update time (in UTC). This is the approximate time of day when the Expressway will attempt to update its CRLs from the distribution points.
5. Click Save.
Manual CRL Updates
You can upload CRL files manually to the Expressway. Certificates presented by external policy servers can only be validated against manually loaded CRLs.
To upload a CRL file:
1. Go to Maintenance > Security certificates > CRL management.
2. Click Browse and select the required file from your file system. It must be in PEM encoded format.
3. Click Upload CRL file.
This uploads the selected file and replaces any previously uploaded CRL file.
Click Remove revocation list if you want to remove the manually uploaded file from the Expressway.
If a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.
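Because the Expressway identifies a CRL by its content rather than its file extension, and because an expired CRL causes every certificate from that CA to be treated as revoked, it is worth checking a distribution point's file before relying on it. The following is an added example (not code from the guide or from Cisco) that reads a PEM or DER CRL with only the Python standard library and reports its thisUpdate/nextUpdate; the sample CRL is constructed here and carries a dummy signature, so it is only a parsing fixture.

```python
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def to_der(data):
    """Accept a PEM or DER CRL; the encoding is detected from content, not the extension."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def _tlv(buf, pos):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def crl_validity(data):
    """Return (thisUpdate, nextUpdate) as UTC datetimes; nextUpdate is None if absent."""
    _, cert_list, _ = _tlv(to_der(data), 0)          # CertificateList
    _, tbs, _ = _tlv(cert_list, 0)                   # tbsCertList
    tag, _, pos = _tlv(tbs, 0)                       # version (optional INTEGER) or signature
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)                   # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                       # issuer Name
    times = []
    while pos < len(tbs) and len(times) < 2:         # thisUpdate, then optional nextUpdate
        tag, val, pos = _tlv(tbs, pos)
        if tag not in (0x17, 0x18):                  # 0x17 UTCTime, 0x18 GeneralizedTime
            break
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc))
    return times[0], (times[1] if len(times) > 1 else None)

def crl_expired(data, now=None):
    """True once nextUpdate has passed; the Expressway then treats all of that CA's certs as revoked."""
    next_update = crl_validity(data)[1]
    return next_update is not None and next_update < (now or datetime.now(timezone.utc))

# Constructed sample (not a real CA's CRL): v1 CertificateList, issuer CN=Test CA, dummy signature bytes.
SAMPLE_DER = bytes.fromhex(
    "3057 3041"                                       # CertificateList, tbsCertList
    "300d 06092a864886f70d01010b 0500"                # signature: sha256WithRSAEncryption
    "3012 3110 300e 0603550403 0c07 54657374204341"   # issuer: CN=Test CA
    "170d 3234303130313030303030305a"                 # thisUpdate 240101000000Z
    "170d 3234303133313030303030305a"                 # nextUpdate 240131000000Z
    "300d 06092a864886f70d01010b 0500"                # signatureAlgorithm
    "0303 00aabb"                                     # signatureValue (dummy)
)
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END X509 CRL-----\n"
```

The parser reads only the validity fields and does not verify the CRL signature; it is a monitoring aid for the nextUpdate deadline, not a replacement for the Expressway's own validation.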
Online Certificate Status Protocol (OCSP)
The Expressway can establish a connection with an OCSP responder to query the status of a particular certificate. The Expressway determines the OCSP responder to use from the responder URI listed in the certificate being verified. The OCSP responder sends a status of 'good', 'revoked' or 'unknown' for the certificate.
The benefit of OCSP is that there is no need to download an entire revocation list. OCSP is supported for SIP TLS connections only. See below for information on how to enable OCSP.
194
Cisco Expressway Administrator Guide