Configuring revocation checking for SIP TLS connections
You must also configure how certificate revocation checking is managed for SIP TLS connections.
1. Go to Configuration > SIP.
2. Scroll down to the Certificate revocation checking section and configure the settings accordingly:
Field Description Usage tips
Certificate
revocation
checking
mode
Controls whether revocation checking is performed for
certificates exchanged during SIP TLS connection
establishment.
We recommend that revocation
checking is enabled.
Use OCSP Controls whether the Online Certificate Status Protocol
(OCSP) may be used to perform certificate revocation
checking.
To use OCSP, the X.509 certificate
to be checked must contain an
OCSP responder URI.
Use CRLs Controls whether Certificate Revocation Lists (CRLs)
are used to perform certificate revocation checking.
CRLs can be used if the certificate
does not support OCSP.
CRLs can be loaded manually
onto the VCS, downloaded
automatically from preconfigured
URIs (see Managing certificate
revocation lists (CRLs) [p.288]), or
downloaded automatically from a
CRL distribution point (CDP) URI
contained in the X.509 certificate.
Allow CRL
downloads
from CDPs
Controls whether the download of CRLs from the CDP
URIs contained in X.509 certificates is allowed.
Fallback
behavior
Controls the revocation checking behavior if the
revocation status cannot be established, for example if
the revocation source cannot be contacted.
Treat as revoked: treat the certificate as revoked (and
thus do not allow the TLS connection).
Treat as not revoked: treat the certificate as not
revoked.
Default: Treat as not revoked
Treat as not revoked ensures that
your system continues to operate
in a normal manner if the
revocation source cannot be
contacted, however it does
potentially mean that revoked
certificates will be accepted.
Configuring certificate-based authentication
The Certificate-based authentication configuration page (Maintenance > Security certificates >
Certificate-based authentication configuration) is used to configure how the VCS retrieves authorization
credentials (the username) from a client browser's certificate.
This configuration is required if Client certificate-based security (as defined on the System page) has been
set to Certificate-based authentication. This setting means that the standard login mechanism is no longer
available and that administrators (and FindMe accounts, if accessed via the VCS) can log in only if they
present a valid browser certificate — typically provided via a smart card (also referred to as a Common
Access Card or CAC) — and the certificate contains appropriate credentials that have a suitable
authorization level.
Cisco VCS Administrator Guide (X8.1.1) Page 290 of 507
Maintenance
About security certificates