Managing certificate revocation lists, About certificate revocation lists – Cisco 3.3 User Manual
Page 420
Chapter 10 System Configuration: Authentication and Certificates
Cisco Secure ACS Certificate Setup
10-40
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Managing Certificate Revocation Lists
Certificate revocation lists (CRLs) are the means by which Cisco Secure ACS
determines that the certificates employed by users seeking authentication are still
valid, according to the CA that issued them.
This section contains the following topics:
•
About Certificate Revocation Lists, page 10-40
•
Certificate Revocation List Configuration Options, page 10-41
•
Adding a Certificate Revocation List Issuer, page 10-42
•
Editing a Certificate Revocation List Issuer, page 10-44
•
Deleting a Certificate Revocation List Issuer, page 10-44
About Certificate Revocation Lists
When a digital certificate is issued, you generally expect it to remain valid
throughout its predetermined period of validity. However, various circumstances
may call for invalidating the certificate earlier than expected. Such circumstances
might include compromise or suspected compromise of the corresponding private
key, or a change in the CAs issuance program. Under such circumstances, a CRL
provides the mechanism by which the CA revokes the legitimacy of a certificate
and calls for its managed replacement.
Cisco Secure ACS performs certificate revocation using the X.509 CRL profile.
A CRL is a signed and time-stamped data structure issued by a CA (or CRL
issuer) and made freely available in a public repository (for example, in an LDAP
server). Details on the operation of the X.509 CRL profile are contained in
RFC3280.
CRL functionality in Cisco Secure ACS includes the following:
•
Trusted publishers and repositories configuration—In the Cisco Secure
ACS HTML interface, you can view and configure CRL issuers and their
CRL Distribution Points (CDPs) and periods.
•
Retrieval of CRLs from a CDP—Using a transport protocol (LDAP or
HTPP), Cisco Secure ACS is configured to periodically retrieve CRLs for
each CA you configure. These CRLs are stored for use during EAP-TLS
authentication. Note that there is no timestamp mechanism; Cisco Secure
ACS waits for a specified period of time and then automatically downloads