Cisco ISR 4000 series User Manual
Cisco ISR 4000 Family Routers Administrator Guidance
Page 38 of 66
Use the revocation-check command to specify at least one method (OCSP, CRL, or skip the
revocation check) that is to be used to ensure that the certificate of a peer has not been revoked. For
multiple methods, the order in which the methods are applied is determined by the order specified
via this command.
If the TOE does not have the applicable CRL and is unable to obtain one, or if the OCSP server
returns an error, the TOE will reject the peer's certificate unless an administrator includes the
none keyword in the configuration. If the 'none' keyword is configured, a revocation check will
not be performed and the certificate will always be accepted.
When using OCSP, nonces, unique identifiers for OCSP requests, are sent by default during peer
communications with an OCSP server. The use of nonces offers a more secure and reliable
communication channel between the peer and OCSP server. If the OCSP server does not support
nonces, an authorized administrator may disable the sending of nonces.
4.6.4.6 Manually Overriding the OCSP Server Setting in a Certificate
Administrators can override the OCSP server setting specified in the Authority Information Access
(AIA) field of the client certificate or set by issuing the ocsp url command. One or more OCSP
servers may be manually specified, either per client certificate or per group of client certificates,
by the match certificate override ocsp command. The match certificate override ocsp command
overrides the client certificate AIA field or the ocsp url command setting if a client certificate is
successfully matched to a certificate map during the revocation check.
4.6.4.7 Configuring Certificate Chain Validation
Perform this task to configure the processing level for the certificate chain path of peer certificates.
Prerequisites:
The device must be enrolled in your PKI hierarchy.
The appropriate key pair must be associated with the certificate.
1. Enter configure terminal mode:
   TOE-common-criteria# configure terminal
2. Set the crypto pki trustpoint name:
   TOE-common-criteria(config)# crypto pki trustpoint ca-sub1
3. Configure the level to which a certificate chain is processed on all certificates, including
   subordinate CA certificates, using the chain-validation [{stop | continue} [parent-trustpoint]]
   command:
   TOE-common-criteria(ca-trustpoint)# chain-validation continue ca-sub1
Use the stop keyword to specify that the certificate is already trusted. This is the
default setting.
Use the continue keyword to specify that the subordinate CA certificate associated
with the trustpoint must be validated.
The parent-trustpoint argument specifies the name of the parent trustpoint the
certificate must be validated against.
Note: A trustpoint associated with the root CA cannot be configured to be validated to the
next level. The chain-validation command is configured with the continue keyword for the
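As an added example (not code from the manual or from Cisco), the following Python audit reads crypto pki trustpoint blocks from a running configuration and applies the rules of the revocation-check and chain-validation sections above: at least one revocation-check method with no none keyword, and chain-validation continue with a configured parent on every non-root trustpoint. The configuration text and trustpoint names are constructed, and root_names is an assumed parameter naming the trustpoints that hold root CA certificates.

```python
import re

# Constructed running-config fragment (not from the manual): a root trustpoint,
# a subordinate with weak settings, and a subordinate configured per the guidance.
SAMPLE_CONFIG = """\
crypto pki trustpoint root-ca
 revocation-check crl
 chain-validation stop
!
crypto pki trustpoint ca-sub1
 revocation-check ocsp none
 chain-validation stop
!
crypto pki trustpoint ca-sub2
 revocation-check ocsp crl
 chain-validation continue root-ca
!
"""
# A trustpoint block: its header line followed by the indented sub-commands.
BLOCK_RE = re.compile(r"^crypto pki trustpoint (\S+)\n((?: .*\n)*)", re.M)

def parse_trustpoints(config):
    """Map each trustpoint name to the list of its sub-commands."""
    return {name: [line.strip() for line in body.splitlines()]
            for name, body in BLOCK_RE.findall(config)}

def audit_trustpoint(name, lines, all_names, root_names):
    """Findings for one trustpoint, applying the rules stated in this section."""
    findings = []
    rev = next((l.split() for l in lines if l.startswith("revocation-check")), None)
    if rev is None:
        findings.append("no revocation-check method specified")
    elif "none" in rev[1:]:
        findings.append("revocation-check includes 'none': certificate accepted when other methods fail")
    cv = next((l.split() for l in lines if l.startswith("chain-validation")), None)
    mode = cv[1] if cv else "stop"  # stop is the default setting
    if name in root_names:
        if mode == "continue":
            findings.append("root CA trustpoint cannot be validated to the next level")
    elif mode != "continue":
        findings.append("chain-validation stop on a subordinate trustpoint: its CA certificate is not validated")
    elif len(cv) > 2 and cv[2] not in all_names:
        findings.append("chain-validation continue names an unconfigured parent trustpoint")
    return findings

def audit_config(config, root_names):
    """Audit every trustpoint block; an empty list means no findings."""
    tps = parse_trustpoints(config)
    return {n: audit_trustpoint(n, l, set(tps), root_names) for n, l in tps.items()}
```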