35-14
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 35 Configuring Digital Certificates
Configuring Identity Certificates Authentication
Step 2 In the CRL Options area, enter the number of minutes between cache refreshes. The default is 60
minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly,
the adaptive security appliance can store retrieved CRLs locally, which is called CRL caching. The CRL
cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly
retrieved CRL would exceed its storage limits, the adaptive security appliance removes the least recently
used CRL until more space becomes available.
Step 3 Check the Enforce next CRL update check box to require valid CRLs to have a Next Update value that has not expired. Uncheck the Enforce next CRL update check box to accept valid CRLs that have no Next Update value or whose Next Update value has expired.
Step 4 In the OCSP Options area, enter the URL for the OCSP server. The adaptive security appliance uses
OCSP servers according to the following order:
1. OCSP URL in a match certificate override rule
2. OCSP URL configured in the selected OCSP Options attribute
3. AIA field of a remote user certificate
Step 5 By default, the Disable nonce extension check box is checked. The nonce extension cryptographically binds a request to its response to avoid replay attacks: the extension in the request is matched against the one in the response to ensure that they are the same. Uncheck the Disable nonce extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.
Step 6 In the Validation Policy area, choose one of the following options:
• Click the SSL radio button or the IPSec radio button to restrict the type of remote session that this
CA can be used to validate.
• Click the SSL and IPSec radio button to let the CA validate both types of sessions.
Step 7 In the Other Options area, choose one of the following options:
• Check the Accept certificates issued by this CA check box to indicate that the adaptive security
appliance should accept certificates from the specified CA.
• Check the Accept certificates issued by the subordinate CAs of this CA check box to indicate
that the adaptive security appliance should accept certificates from the subordinate CA.
Step 8 Click OK to close this tab, and then click Apply to save your configuration changes.
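The following is an added illustration, not Cisco code or part of this guide: a small Python model of the behaviour Steps 2 through 4 describe, so the effect of each setting can be exercised on constructed data. It assumes a byte-bounded cache keyed by issuer, integer epoch-second timestamps, and a CRL size chosen only for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

# Constructed model of the CRL cache, Next Update policy and OCSP server
# precedence described in Steps 2-4. Not Cisco code; times are epoch seconds.

@dataclass
class Crl:
    issuer: str
    size: int                   # bytes counted against the cache capacity
    next_update: Optional[int]  # None models a CRL that carries no Next Update

class CrlCache:
    """Byte-bounded cache that evicts least recently used CRLs (Step 2)."""
    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes
        self._entries = OrderedDict()  # issuer -> Crl, least recently used first

    def store(self, crl: Crl) -> bool:
        if crl.size > self.capacity:
            return False  # can never fit, so it is not cached at all
        self._entries.pop(crl.issuer, None)  # replace any older copy
        while sum(c.size for c in self._entries.values()) + crl.size > self.capacity:
            self._entries.popitem(last=False)  # drop the least recently used
        self._entries[crl.issuer] = crl
        return True

    def lookup(self, issuer: str) -> Optional[Crl]:
        crl = self._entries.get(issuer)
        if crl is not None:
            self._entries.move_to_end(issuer)  # a hit makes it most recently used
        return crl

    def cached_issuers(self) -> list:
        return list(self._entries)

def crl_is_valid(crl: Crl, now: int, enforce_next_update: bool) -> bool:
    """Step 3: with enforcement on, the CRL must carry an unexpired Next Update."""
    if crl.next_update is None or crl.next_update <= now:
        return not enforce_next_update  # stale or undated CRLs pass only if relaxed
    return True

def select_ocsp_url(override_url, configured_url, aia_url):
    """Step 4 precedence: match-certificate override, then OCSP Options, then AIA."""
    for url in (override_url, configured_url, aia_url):
        if url:
            return url
    return None
```

Leaving Enforce next CRL update unchecked is what makes `crl_is_valid` return True for a CRL whose Next Update has passed, so a revocation published after that point is not seen until the next refresh.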
What to Do Next
See the “Configuring Identity Certificates Authentication” section on page 35-14.
Configuring Identity Certificates Authentication
An identity certificate can be used to authenticate VPN access through the adaptive security appliance.
In the Identity Certificates Authentication pane, you can perform the following tasks:
• Add or import a new identity certificate.
• Display details of an identity certificate.
• Delete an existing identity certificate.
• Export an existing identity certificate.