Configuring crls for a trustpoint – Cisco ASA 5505 User Manual

41-13

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 41 Configuring Digital Certificates

Configuring Digital Certificates

Configuring CRLs for a Trustpoint

To use mandatory or optional CRL checking during certificate authentication, you must configure CRLs
for each trustpoint. To configure CRLs for a trustpoint, perform the following steps:

Step 17

serial-number

Example:

hostname/contexta(config-ca-trustpoint)# serial

number JMX1213L2A7

During enrollment, asks the CA to include the ASA
serial number in the certificate.

Step 18

write memory

Example:

hostname/contexta(config)# write memory

Saves the running configuration.

Command Purpose

Command

Purpose

Step 1

crypto ca trustpoint

trustpoint-name

Example:

hostname (config)# crypto ca trustpoint Main

Enters crypto ca trustpoint configuration mode for
the trustpoint whose CRL configuration you want to
modify.

Note

Make sure that you have enabled CRLs
before entering this command. In addition,
the CRL must be available for authentication
to succeed.

Step 2

crl configure

Example:

hostname (config-ca-trustpoint)# crl configure

Enters crl configuration mode for the current
trustpoint.

Tip

To set all CRL configuration parameters to
default values, use the default command. At
any time during CRL configuration, reenter
this command to restart the procedure.

Step 3

Do one of the following:

policy cdp

Example:

hostname (config-ca-crl)# policy cdp

Configures retrieval policy. CRLs are retrieved only
from the CRL distribution points specified in
authenticated certificates.

Note

SCEP retrieval is not supported by
distribution points specified in certificates.

To continue, go to Step 5.

policy static

Example:

hostname (config-ca-crl)# policy static

Configures retrieval policy. CRLs are retrieved only
from URLs that you configure.

To continue, go to Step 4.