Cisco Systems OL-16647-01 User Manual

Chapter 33 Configuring Certificates
Digital certificates provide digital identification for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. CAs issue digital certificates in the context of a PKI, which uses public-key/private-key encryption to ensure security. CAs are trusted authorities that “sign” certificates to verify their authenticity, thus guaranteeing the identity of the device or user.
For authentication using digital certificates, there must be at least one identity certificate and its issuing CA certificate on a security appliance; multiple identities, roots, and certificate hierarchies are supported. There are a number of different types of digital certificates, listed below:
• A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root certificate; one issued by another CA is called a subordinate certificate. See CA Certificate Authentication.
• CAs also issue identity certificates, which are the certificates for specific systems or hosts. See Identity Certificates Authentication.
• Code-signer certificates are special certificates used to create digital signatures that sign code; the signed code itself reveals the certificate origin. See Code-Signer Certificates.
• The Local Certificate Authority (CA) integrates independent certificate authority functionality on the security appliance, deploys certificates, and provides secure revocation checking of issued certificates. The Local CA provides a secure, configurable in-house authority for certificate authentication, with user enrollment through a browser web page login. See Local Certificate Authority, Manage User Certificates, and Manage User Database.

CA Certificate Authentication

The CA Certificates panel allows you to authenticate self-signed or subordinate CA certificates and to install them on the security appliance. You can create a new certificate configuration or you can edit an existing one.
If the certificate you select is configured for manual enrollment, you should obtain the CA certificate manually and import it here. If the certificate you select is configured for automatic enrollment, the security appliance uses the SCEP protocol to contact the CA, and then automatically obtains and installs the certificate.
CA Certificates Fields
Certificates—Displays a list of the available certificates, identified by whom each was issued to and by, the date the certificate expires, and the certificate's usage or purpose. You can click a certificate in the list and edit its configuration, or you can add a new certificate to the displayed list.
OL-16647-01
Cisco Security Appliance Command Line Configuration Guide
33-1
Add Button—Add a new certificate configuration to the list. See Add/Install a CA Certificate.
Edit Button—Modify an existing certificate configuration. See Edit CA Certificate Configuration.
Show Details Button—Display the details and issuer information for the selected certificate. See Show CA Certificate Details.
Request CRL Button—Access the Certificate Revocation List (CRL) for an existing CA certificate. See Request CRL.
Delete Button—Remove the configuration of an existing CA certificate. See Delete a CA Certificate.
Apply Button—Save the new or modified CA certificate configuration.
Reset Button—Remove any edits and return the display to the original contents.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  System •

Add/Install a CA Certificate

The CA Certificate panel lets you add a new certificate configuration from an existing file, by manually pasting a certificate, or by automatic enrollment. Click the appropriate option to activate one of the following:
Install from a File—To add a certificate configuration from an existing file, enter the path and file name, then click Install Certificate. You can type the pathname of the file in the box, or you can click Browse and search for the file. Browse displays the Load CA certificate file dialog box, which lets you navigate to the file containing the certificate.
Paste certificate in PEM format—For manual enrollment, copy and paste the certificate (Base64 PEM or hexadecimal format) into the panel, then click Install Certificate.
Use SCEP—For automatic enrollment, the security appliance contacts the CA using the Simple Certificate Enrollment Protocol (SCEP), obtains the certificates, and installs them on the device. SCEP is a secure messaging protocol that requires minimal user intervention and lets you enroll for and install certificates from this panel. To use SCEP, you must enroll with a CA that supports SCEP, and the security appliance must be able to reach the CA over the network. Because the CA certificate is fetched over plain HTTP, verify its fingerprint with the CA operator through a separate channel before trusting it.
SCEP automatic enrollment requires completion of the following fields:
SCEP URL: http://—Enter the URL of the CA's SCEP enrollment service, that is, the path on the CA that accepts enrollment requests.
Retry Period—Specify the number of minutes to wait between attempts to install a certificate. The default is one minute.
Retry Count—Specify the number of retries for installing a certificate. The default is 0, which indicates unlimited retries within the retry period.
More Options...—For additional options for new certificates, click the More Options... button to display configuration options for new and existing certificates. See Configuration Options for CA Certificates.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  System •
Edit CA Certificate Configuration
To modify the characteristics of an existing certificate, select the certificate and click the Edit button to display a number of tab-selectable displays that address CA certificate configuration specifics. For details, see Configuration Options for CA Certificates.
Show CA Certificate Details
The Show Details button displays the Certificate Details dialog box, which shows the following information about the selected certificate:
General—Displays the values for type, serial number, status, usage, public key type, CRL distribution point, the times within which the certificate is valid, and associated certificates. This applies to both available and pending status.
Issued to—Displays the X.500 fields of the subject DN or certificate owner and their values. This applies only to available status.
Issued by—Displays the X.500 fields of the entity granting the certificate. This applies only to available status.
Request CRL
The Request CRL button updates the current version of the Certificate Revocation List (CRL). A CRL update provides the current revocation status of certificate users. If the request fails, an error message displays.
The CRL is retrieved and regenerated automatically until it expires; the Request CRL button forces an immediate CRL file update and regeneration.
Delete a CA Certificate
The Delete button immediately removes the selected CA certificate configuration from the security appliance. Once you delete a certificate configuration, it cannot be restored; to recreate the deleted certificate, you must use the Add button to reenter the certificate configuration information from the beginning.
Note Once you delete a certificate configuration, it cannot be restored.
Configuration Options for CA Certificates
Additional configuration options are available, whether you are adding a new CA certificate with the Add button or modifying an existing CA certificate with the Edit button.
The following panels are the tab-selectable displays that address CA certificate configuration specifics. Each tabbed display is summarized in the following list:
Revocation Check—The Revocation Check panel lets you choose or reject revocation checking, specify a method of revocation checking (CRL or OCSP), and allows you to ignore revocation-checking errors when validating a certificate. For details of the Revocation Check panel, see Revocation Check Configuration.
CRL Retrieval Policy—The CRL Retrieval Policy panel allows you to configure use of the CRL distribution point and/or static CRL URLs, with capabilities to add, edit, and delete static CRL URLs. For details, see CRL Retrieval Policy Configuration.
CRL Retrieval Method—The CRL Retrieval Method panel allows you to choose Lightweight Directory Access Protocol (LDAP), HTTP, or Simple Certificate Enrollment Protocol (SCEP) as the method to be used for CRL retrieval. For the LDAP method, you can configure the LDAP parameters and security. See CRL Retrieval Method Configuration.
OCSP Rules—Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of an X.509 digital certificate and is an alternative to certificate revocation lists (CRL). For details, see OCSP Rules Configuration.
Advanced—The Advanced panel allows you to set up CRL update parameters, OCSP parameters, and certificate acceptance and validation parameters. See Advanced Configuration Options.
Revocation Check Configuration
With the Revocation Check panel, you can specify the degree of certificate revocation checking as follows:
No Revocation Checking - Click the Do not check certificates for revocation button to disable revocation checking of certificates.
Revocation Checking Method(s) - Click the Check certificates for revocation button to select one or more revocation checking methods. Available methods display on the left; use the Add button to move a method to the right. The methods you select are tried in the order in which you add them. If a method returns an error, the next method in the list is tried.
Revocation Checking Override - Click the Consider certificate valid if revocation checking returns errors button to ignore revocation-checking errors. With this override set, a certificate whose status cannot be determined (for example, because no CRL or OCSP server is reachable) is accepted as valid, so enable it only where that fail-open behaviour is acceptable.
CRL Retrieval Policy Configuration
With the CRL Retrieval Policy panel, you specify either the CRL Distribution Point in the certificate, a static location for CRL retrieval, or both.
Certificate CRL Distribution Point - Click the Use CRL Distribution Point from the certificate button to direct revocation checking to the CRL DP included in the certificate being checked.
Static URL - Click the Use Static URLs configured below button to list specific URLs to be used for CRL retrieval. The URLs are tried in the order in which you add them. If a URL returns an error, the next URL in the list is tried.
://—Type the location that distributes the CRLs (the protocol and address of the static CRL URL).
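The ordered, fall-through behaviour described for revocation methods and for static CRL URLs, as an added Python illustration; this is not code from the guide or from the appliance. The CRL and OCSP sources, their URLs, the serial numbers, and the decision to treat a responder that has no record of a serial as an error are all constructed assumptions. It also shows what the override on the Revocation Check panel does once every source has failed.

```python
"""Revocation-check order and fallback, modelled on the panel text:
methods run in the order added, a method that errors hands off to the
next, static CRL URLs are tried in order the same way, and exhausting
every method is decided by the "consider certificate valid if revocation
checking returns errors" override."""
from functools import partial


class RevocationError(Exception):
    """A method could not produce an answer (unreachable server, CRL not
    retrievable), as opposed to answering 'good' or 'revoked'."""


# Constructed sample data standing in for what the appliance would fetch.
# A missing key models an unreachable source.
CRL_SOURCES = {
    "http://crl.example.test/ca.crl": {0x1001},   # set of revoked serials
}
OCSP_RESPONDERS = {
    "http://ocsp.example.test": {0x1001: "revoked", 0x2002: "good"},
}


def crl_method(serial, urls):
    """Static-URL policy: try each CRL URL in configured order; the first
    CRL that loads decides. Every URL failing is an error for the method."""
    errors = []
    for url in urls:
        revoked = CRL_SOURCES.get(url)
        if revoked is None:
            errors.append(f"CRL fetch failed: {url}")
            continue
        return "revoked" if serial in revoked else "good"
    raise RevocationError("; ".join(errors) or "no CRL URL configured")


def ocsp_method(serial, url):
    responder = OCSP_RESPONDERS.get(url)
    if responder is None:
        raise RevocationError(f"OCSP responder unreachable: {url}")
    status = responder.get(serial)
    if status is None:
        # Responder knows nothing about this serial; treated here as an
        # error so it falls through like any other failure (assumption).
        raise RevocationError(f"OCSP status unknown for serial {serial:#x}")
    return status


def check_revocation(serial, methods, ignore_errors=False):
    """Run the configured methods in order; return 'good' or 'revoked'.

    methods: callables taking a serial, in the order added in the panel.
    ignore_errors: the override. With it set, exhausting every method
    yields 'good' (fail-open); without it a RevocationError is raised
    (fail-closed). An empty method list is "do not check for revocation".
    """
    if not methods:
        return "good"
    failures = []
    for method in methods:
        try:
            return method(serial)
        except RevocationError as err:
            failures.append(str(err))
    if ignore_errors:
        return "good"
    raise RevocationError("all methods failed: " + " | ".join(failures))


# Method objects as they might be assembled from the panel's settings.
CRL_GOOD = partial(crl_method, urls=["http://crl.example.test/ca.crl"])
CRL_WITH_FALLBACK = partial(crl_method, urls=["http://crl.offline.test/ca.crl",
                                              "http://crl.example.test/ca.crl"])
CRL_DEAD = partial(crl_method, urls=["http://crl.offline.test/ca.crl"])
OCSP_GOOD = partial(ocsp_method, url="http://ocsp.example.test")
OCSP_DEAD = partial(ocsp_method, url="http://ocsp.offline.test")


if __name__ == "__main__":
    print(check_revocation(0x1001, [CRL_GOOD]))                   # revoked
    print(check_revocation(0x2002, [CRL_WITH_FALLBACK]))          # good
    print(check_revocation(0x1001, [CRL_DEAD, OCSP_GOOD]))        # revoked
    print(check_revocation(0x3003, [CRL_DEAD, OCSP_DEAD], True))  # good
```

Which source answers first depends entirely on the order in the panel, so list the source you consider authoritative first. The last call shows the override in action: with every source down, an unknown serial is accepted, which is exactly the outage-to-acceptance path the fail-open setting creates.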
CRL Retrieval Method Configuration
The CRL Retrieval Method panel lets you select the method to be used for CRL retrieval.
LDAP - Click the Enable Lightweight Directory Access Protocol (LDAP) button to specify LDAP CRL retrieval. With LDAP, CRL retrieval starts an LDAP session by connecting to a named LDAP server, accessed by password. The connection is on TCP port 389 by default. Enter the specific LDAP parameters required:
  Name:
  Password:
  Confirm Password:
  Default Server: (server name)
  Default Port: 389 (default)
The CRL itself carries the CA's signature, so the retrieval transport does not need to protect its integrity; the LDAP bind password, however, is sent over that session, so use an account with no rights beyond reading the CRL.
HTTP - Click the Enable HTTP button to select HTTP CRL retrieval.
SCEP - Click the Enable Simple Certificate Enrollment Protocol (SCEP) button to select SCEP for CRL retrieval.
OCSP Rules Configuration
The Online Certificate Status Protocol (OCSP) panel lets you configure OCSP rules for obtaining the revocation status of an X.509 digital certificate.
OCSP Rules Fields
Certificate Map—Displays the name of the certificate map to match to this OCSP rule. Certificate maps match user permissions to specific fields in a certificate. You must configure the certificate map before you configure OCSP rules.
Certificate—Displays the name of the CA the security appliance uses to validate responder certificates.
Index—Displays the priority number for the rule. The security appliance examines OCSP rules in priority order, and applies the first one that matches.
URL—Specifies the URL for the OCSP server for this certificate.
Add—Click to add a new OCSP rule.
Edit—Click to edit an existing OCSP rule.
Delete—Click to delete an OCSP rule.
Advanced Configuration Options
The Advanced tab lets you specify CRL and OCSP options. When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this time period expires; for example, due to security concerns or a change of name or association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking forces the security appliance to check that the CA has not revoked the certificate being verified.
The security appliance supports two methods of checking revocation status: CRL and OCSP.
Fields
CRL Options
Cache Refresh Time—Specify the number of minutes between cache refreshes. The default number of minutes is 60. The range is 1-1440.
To avoid having to retrieve the same CRL from a CA repeatedly, the security appliance can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the security appliance removes the least recently used CRL until enough space becomes available.
Enforce next CRL update—Require valid CRLs to have a Next Update value that has not expired. Clearing the box allows valid CRLs with no Next Update value or a Next Update value that has expired. A CRL whose Next Update has passed may be missing revocations published since, so clear this box only when the CA is known to issue CRLs without a Next Update value.
OCSP Options
Server URL:—Enter the URL for the OCSP server. The security appliance uses OCSP servers in the following order:
1. OCSP URL in a match certificate override rule
2. OCSP URL configured in this OCSP Options attribute
3. AIA field of remote user certificate
Disable nonce extension—By default the OCSP request includes the nonce extension, which cryptographically binds requests with responses to avoid replay attacks. It works by matching the extension in the request to that in the response, ensuring that they are the same. Disable the nonce extension if the OCSP server you are using sends pre-generated responses that do not contain this matching nonce extension.
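The Advanced-tab and OCSP-rule behaviour described above (CRL cache refresh and least-recently-used eviction, Enforce next CRL update, rule priority, the server-selection order, and nonce matching on responses), as an added Python illustration that is not code from the guide or from the appliance. The two-entry cache capacity, the dict shape used for CRLs and rules, the field names in the certificate maps, and the URLs are assumptions made for the example.

```python
"""Advanced-tab behaviour modelled on the panel text: a CRL cache with a
refresh time, LRU eviction at the platform limit and the Next Update check;
OCSP rules examined by Index; the OCSP server-selection order; and nonce
matching, which is what disabling the nonce extension gives up."""
import os
from collections import OrderedDict
from datetime import datetime, timedelta, timezone


class CrlInvalid(Exception):
    pass


class CrlCache:
    """CRLs are plain dicts here: {"next_update": datetime|None, "revoked": set}."""

    def __init__(self, refresh_minutes=60, capacity=2, enforce_next_update=True):
        if not 1 <= refresh_minutes <= 1440:          # panel range 1-1440
            raise ValueError("Cache Refresh Time must be 1-1440 minutes")
        self.refresh = timedelta(minutes=refresh_minutes)
        self.capacity = capacity                      # platform limit (assumed)
        self.enforce_next_update = enforce_next_update
        self._entries = OrderedDict()                 # url -> (crl, fetched_at)

    def validate(self, crl, now):
        """Enforce next CRL update: reject a CRL with no Next Update, or one
        whose Next Update has passed, unless the box is cleared."""
        nxt = crl.get("next_update")
        if self.enforce_next_update and (nxt is None or nxt <= now):
            raise CrlInvalid("CRL has no Next Update value or it has expired")
        return crl

    def get(self, url, fetch, now):
        """Return the CRL for url, refetching once it is older than the refresh time."""
        entry = self._entries.get(url)
        if entry is not None and now - entry[1] < self.refresh:
            self._entries.move_to_end(url)            # mark as recently used
            return entry[0]
        crl = self.validate(fetch(url), now)
        self._entries[url] = (crl, now)
        self._entries.move_to_end(url)
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)         # evict least recently used
        return crl

    def cached_urls(self):
        return list(self._entries)


def matching_ocsp_rule(rules, cert_fields):
    """Rules are examined in Index (priority) order; the first rule whose
    certificate map matches applies. A map is modelled as a dict of field
    values that must all be present in the certificate (assumption)."""
    for rule in sorted(rules, key=lambda r: r["index"]):
        if all(cert_fields.get(k) == v for k, v in rule["map"].items()):
            return rule
    return None


def select_ocsp_url(override_rule_url=None, trustpoint_url=None, aia_url=None):
    """Server order from OCSP Options: the match-certificate override rule,
    then the configured Server URL, then the AIA field of the user certificate."""
    for url in (override_rule_url, trustpoint_url, aia_url):
        if url:
            return url
    return None


def build_ocsp_request(serial, use_nonce=True):
    req = {"serial": serial}
    if use_nonce:
        req["nonce"] = os.urandom(16)   # binds this request to its response
    return req


def accept_ocsp_response(request, response):
    """With the nonce extension enabled the response must echo the request
    nonce, so a captured 'good' response cannot be replayed later. With it
    disabled (pre-generated responses) any response for the serial is accepted."""
    if response.get("serial") != request["serial"]:
        return False
    if "nonce" in request:
        return response.get("nonce") == request["nonce"]
    return True
```

Disabling the nonce is the one setting in this tab that removes a check rather than adds one: a captured response stays acceptable until the responder's own validity window closes, so leave the extension enabled unless the responder demonstrably returns pre-generated responses.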
Validation Policy
Specify the type of client connections that can be validated by this CA—Click SSL or IPSec to restrict the type of remote session this CA can be used to validate, or click SSL and IPSec to let the CA validate both types of sessions.
Other Options
Accept certificates issued by this CA—Specify whether or not the security appliance should accept certificates issued by this CA.
Accept certificates issued by the subordinate CAs of this CA—Specify whether or not the security appliance should also accept certificates issued by CAs subordinate to this CA.
Identity Certificates Authentication
An Identity Certificate can be used to authenticate VPN access through the security appliance. Click the SSL Settings or the IPsec Connections links on the Identity Certificates panel for additional configuration information.
The Identity Certificates Authentication panel allows you to:
Add an Identity Certificate. See Add/Install an Identity Certificate.
Display details of an Identity Certificate. See Show Identity Certificate Details.
Delete an existing Identity Certificate. See Delete an Identity Certificate.
Export an existing Identity Certificate. See Export an Identity Certificate.
Install an Identity Certificate. See Installing Identity Certificates.
Enroll for a certificate with Entrust. See Generate