Downloading crls – Cisco ASA 5505 User Manual


41-33

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 41 Configuring Digital Certificates


Downloading CRLs

To make the CRL available for HTTP download on a given interface or port, perform the following steps:

Step 1

Command:

crypto ca server

Example:

hostname(config)# crypto ca server

Purpose:

Enters local CA server configuration mode, which allows you to configure and manage a local CA.

Step 2

Command:

publish-crl interface interface port portnumber

Example:

hostname(config-ca-server)# publish-crl outside 70

Purpose:

Opens a port on an interface to make the CRL accessible from that interface. The specified interface and port are used to listen for incoming requests for the CRL. The interface and optional port selections are as follows:

inside: name of interface GigabitEthernet0/1

management: name of interface Management0/0

outside: name of interface GigabitEthernet0/0

Port numbers can range from 1 to 65535. TCP port 80 is the HTTP default port number.

Note: If you do not specify this command, the CRL is not accessible from the CDP location, because this command is required to open an interface to download the CRL file.

The CDP URL can be configured to use the IP
address of an interface, and the path of the CDP URL
and the filename can also be configured (for example,
http://10.10.10.100/user8/my_crl_file).

In this case, only the interface with that IP address configured listens for CRL requests, and when a request comes in, the ASA matches the requested path, /user8/my_crl_file, against the configured CDP URL. When the path matches, the ASA returns the stored CRL file.

Note: The protocol must be HTTP, so the prefix displayed is http://.
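The following is an added model of the CRL-serving behaviour described above (publish-crl opens a listener, the CDP must be http://, and the request path must match the CDP URL); it is not ASA code. The interface names, IP addresses and CDP URL are constructed samples, and the model assumes the port in the CDP URL (default 80) must equal the port opened with publish-crl.

```python
# Added model of the publish-crl / CDP matching behaviour described on this
# manual page. Not ASA code; interface names, IPs and URL are constructed.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class LocalCaServer:
    interface_ips: dict                 # interface name -> IP on that interface
    cdp_url: str                        # CDP URL configured for the local CA
    published: dict = field(default_factory=dict)  # interface -> opened TCP port

    def publish_crl(self, interface: str, port: int = 80) -> None:
        """Model 'publish-crl interface <name> port <n>' (TCP 80 is the default)."""
        if interface not in self.interface_ips:
            raise ValueError(f"unknown interface {interface}")
        if not 1 <= port <= 65535:
            raise ValueError("port must be in the range 1-65535")
        self.published[interface] = port

    def cdp_is_valid(self) -> bool:
        """The CDP must use HTTP; the page states the prefix is always http://."""
        return urlsplit(self.cdp_url).scheme == "http"

    def serves_request(self, dst_ip: str, dst_port: int, path: str) -> bool:
        """True if a CRL request to dst_ip:dst_port for path gets the stored CRL."""
        if not self.cdp_is_valid():
            return False
        cdp = urlsplit(self.cdp_url)
        cdp_port = cdp.port or 80       # assumption: CDP port must match the opened port
        for iface, port in self.published.items():
            # only the interface carrying the CDP IP listens, and only on its opened port
            if self.interface_ips[iface] == cdp.hostname == dst_ip and port == cdp_port == dst_port:
                return path == cdp.path  # path must match the configured CDP URL
        return False                     # no publish-crl on that interface: CRL unreachable


def demo() -> bool:
    """Show that the CRL is unreachable until publish-crl is configured."""
    ca = LocalCaServer(
        interface_ips={"outside": "10.10.10.100", "inside": "192.168.1.1"},
        cdp_url="http://10.10.10.100/user8/my_crl_file")
    before = ca.serves_request("10.10.10.100", 80, "/user8/my_crl_file")  # False
    ca.publish_crl("outside")           # publish-crl outside (port defaults to 80)
    after = ca.serves_request("10.10.10.100", 80, "/user8/my_crl_file")   # True
    return (not before) and after
```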
