
Cisco Firepower 4100 Command Reference

Cisco Firepower 4100
420 pages
crl-mode {relaxed|strict}
(Optional) Defines the level of certificate revocation list (CRL) checking for HTTPS connections:
• relaxed: Certificates found on a CRL may be used to allow HTTPS authentication, depending on the reason for the certificate's listing; a warning message is logged whenever this occurs. Essentially disables CRL checking.
• strict: Connection authentication fails for any certificate on a CRL; a warning message is logged whenever this occurs. Also, the CRL must be up to date.

keyring keyring_name
(Optional) Specifies the name of the RSA keyring to be used for HTTPS connections.

port port_number
(Optional) Specifies the port to be used for HTTPS connections; can be 1 to 65535. Default is 443.
Command Default
The default HTTPS authentication configuration on the Firepower 4100/9300 chassis is credential-based.
The default Cipher Suite security level is medium strength.
Command Modes
Services mode
Command History
Release    Modification
1.1(1)     Command added.
Usage Guidelines
If certificate authentication is enabled, that is the only form of authentication permitted for HTTPS.
The following requirements must be met by the client certificate to use this feature:
• The user name must be included in the X509 attribute Subject Alternative Name email.
• The client certificate must be signed by a root CA which has had its certificate imported into a trustpoint
on the supervisor.
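
A pre-flight check for the two client certificate requirements above, written as an added example that is not part of the Cisco reference. It assumes the `openssl` CLI on an administrator workstation; the file names, the user name alice, the throwaway CA and the rule used to match the user name against the SAN email entry are constructed for illustration.

```sh
# Added example: pre-flight check of a client certificate against the two
# requirements above. Every name, file and certificate here is constructed.
# check_client_cert CERT CA_PEM USERNAME: returns 0 only if both requirements hold
check_client_cert() {
    cert=$1; ca=$2; user=$3
    # Requirement: signed by the root CA whose certificate is in the trustpoint
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    # Requirement: user name present in a Subject Alternative Name email entry
    emails=$(openssl x509 -in "$cert" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *email://p')
    for e in $emails; do
        # Assumption: accept the entry if it is the user name or user@domain
        case $e in "$user"|"$user"@*) echo "OK: $user matches SAN email $e"; return 0 ;; esac
    done
    echo "FAIL: no SAN email entry for $user in $cert"; return 2
}

# make_demo_pki DIR: build a throwaway root CA and two client certificates
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[san_ext]
subjectAltName = email:alice@example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -extensions ca_ext -subj "/CN=Constructed Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=alice" -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
    # Same request signed twice: with the SAN email extension, then without it
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions san_ext \
        -out "$d/alice.pem" 2>/dev/null
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/nosan.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_client_cert "$demo/alice.pem" "$demo/ca.pem" alice || true
check_client_cert "$demo/nosan.pem" "$demo/ca.pem" alice || true
rm -rf "$demo"
```

Because certificate authentication, once enabled, is the only form permitted for HTTPS, running a check like this against each administrator's certificate before committing the change shows which certificates would be rejected.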
Caution: When you commit most of these configuration parameters (specifically keyring, port, cipher-suite, and custom cipher-suite-mode), all current HTTP and HTTPS sessions are closed without user warning.
Example
This example shows how to enable certificate-based authentication for HTTPS access:
FP9300-A# scope system
FP9300-A /system # scope services
FP9300-A /system/services # set https auth-type cert-auth
FP9300-A /system/services* # commit-buffer
FP9300-A /system/services #
Cisco Firepower 4100/9300 FXOS Command Reference
193
S Commands
set https


Cisco Firepower 4100 Specifications

General
Brand: Cisco
Model: Firepower 4100
Category: Firewall
Language: English
