Configuring CRL Options
This section teaches you how to configure CRL checking on the Cisco ASA. You can configure the Cisco ASA to do any of the following:
- Not require CRL checking
- Optionally accept the peer's certificate if the security appliance is not able to retrieve the CRL
- Require CRL checking
To bypass CRL checking, use the crl nocheck trustpoint subcommand.
Tip
Bypassing CRL checking is insecure and therefore is not recommended.
The crl optional subcommand allows the Cisco ASA to optionally accept its peer's certificate if the required CRL is not available.
Use the crl required subcommand to force the Cisco ASA to perform CRL checking. The CRL server must be reachable and available in order for a peer certificate to be validated. After this command is enabled, you must configure the CRL parameters. To configure the CRL options, use the crl configure trustpoint subcommand. After invoking this command, you will be placed in the ca-crl prompt, as shown in Example 17-13.
Example 17-13. The crl configure Subcommand
Chicago(config)# crypto ca trustpoint CISCO Chicago(ca-trustpoint)# crl required Chicago(ca-trustpoint)# crl configure Chicago(ca-crl)#
Table 17-2 lists all the CRL configuration options.
|
Subcommand |
Description |
|---|---|
|
cache-time |
Used to configure the refresh time (in minutes) for the CRL cache. The range is from 1 to 1440 minutes. The default value is 60 minutes. |
|
default |
Returns all the options to the default value. |
|
enforcenextupdate |
Used to define how to handle the NextUpdate CRL field. If this option is configured, CRLs are required to have a NextUpdate field that has not yet lapsed. |
|
ldap-defaults |
Used to define the default LDAP server and port to use if the distribution point extension of the certificate being checked is missing these values. |
|
ldap-dn |
Used to configure the Login DN and password which defines is used to access the CRL database. |
|
policy |
Used to configure the CRL retrieval policy. The following options are available: both The Cisco ASA use the CRL distribution points from the certificate being checked, or else uses static distribution points. cdp The Cisco ASA uses the CRL distribution points from the certificate being checked. static The Cisco ASA uses statically configured URLs. |
|
protocol |
The protocol used for CRL retrieval. The options are http, ldap, and scep. |
|
url |
A static URL for the site from which CRLs may be retrieved. You can specify up to five URLs. An index value is used to determine the rank of the configured URL. |
Example 17-14 demonstrates how to configure CRL checking and the use of several of the previous options.
Example 17-14. CRL Checking Example
crypto ca trustpoint CISCO crl required enrollment retry count 3 enrollment url http://209.165.202.130:80/certsrv/mscep/mscep.dll fqdn Chicago.securemeinc.com crl configure policy static url 1 ldap://chicago-crl1.securemeinc.com/CRL/CRL.crl url 2 ldap://chicago-crl2.securemeinc.com/CRL/CRL.crl url 3 ldap://chicago-crl3.securemeinc.com/CRL/CRL.crl
In Example 17-14, a Cisco ASA is configured to require CRL checking with the crl required trustpoint subcommand. The Cisco ASA has three CRL servers statically defined. LDAP is used as the transport protocol.
Note
Make sure to configure a domain name server on the Cisco ASA when using FQDN for CRL distribution points. Use the dns name-server ip-address command to specify the domain name server to be used.
The Cisco ASA will first try the CRL server named chicago-crl1.securemeinc.com. Subsequently, it will try chicago-crl2.securemeinc.com and chicago-crl3.securemeinc.com, in that order, as shown in Figure 17-5.
Figure 17-5. CRL Checking Example
You can manually request the retrieval of the CRL by using the crypto ca crl request command. Example 17-15 demonstrates how to manually retrieve the CRL.
Example 17-15. CRL Manual Retrieval
Chicago(config)# crypto ca crl request CISCO CRL received
The CRL is received successfully. To view the CRL, use the show crypto ca crls command, as demonstrated in Example 17-16.
Example 17-16. Output of show crypto ca crls Command
Chicago# show crypto ca crls CRL Issuer Name: cn=SecuremeCAServer,ou=ENGINEERING,o=Secureme,l=Chicago,st=IL,c=US,ea=administrato r@securemeinc.com LastUpdate: 14:18:11 UTC Sep 10 2004 NextUpdate: 02:38:11 UTC Sep 18 2004 Retrieved from CRL Distribution Point: http://chicago-crl1.securemeinc.com/CertEnroll/SecuremeCAServer.crl
The first and second shaded lines in Example 17-16 show when the last CRL update took place and when the next one will be. The third shaded line shows the URL of the CRL distribution point.