Certificate revocation list configuration options – Cisco 3.3 User Manual

Page 421

Advertising
background image

10-41

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 10 System Configuration: Authentication and Certificates

Cisco Secure ACS Certificate Setup

the CRL. If the new CRL differs from the existing CRL, the new version is
saved and added to the local cache. CRL retrievals appear in the log for the
CSAuth service only when you have configured the level of detail in service
logs to “full”. The status, date, and time of the last retrieval is shown on the
Certificate Revocation List Issuer edit page of the Cisco Secure ACS HTML
interface.

Note

Automatic CRL retrieval scheduling only functions if EAP-TLS is
enabled.

Verification of certificate status—During EAP-TLS authentication,
Cisco Secure ACS checks the certificate presented by the user against the
corresponding CRL issued by the CA of the user’s certificate. If, according to
the CRL currently stored by Cisco Secure ACS, the certificate has been
revoked, authentication fails.

CRL issuers can only be added in association with trusted CAs (that is, CAs on
the CTL). If you install a new server certificate for Cisco Secure ACS, your CTL
is cleared of all trust relationships. While you must reestablish CAs on the CTL,
the associated CRLs that you previously configured remain in place and do not
have to be reconfigured.

Certificate Revocation List Configuration Options

The Certificate Revocation List Issuers edit page contains the following
configuration options:

Name—A name you give this CRL issuer.

Description—A description you give this CRL issuer.

Issuer’s Certificate—The CA certificate to be used when verifying the
issuer’s signature over the CRL data. This list is derived from the contents of
your configured CTL.

CRL Distribution URL—The URL you enter that specifies the URL that
Cisco Secure ACS should use to retrieve the CRL. You can specify a URL
that uses HTTP or LDAP. Be sure you specify a URL for the CRL
corresponding to the CA you selected from the Issuer’s Certificate list.
Alternatively, you could specify the URL for the file itself; but this is only
necessary in the case where the repository URL lists multiple files.

Advertising