User's Manual

User Guide for Cisco Security Manager 4.4 (OL-28826-01), page 25-58
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
Table 25-11 PKI Enrollment Dialog Box—CA Information Tab (Continued)

Element: Revocation Check Support
Description: The type of certificate revocation checking to be performed:
    Checking Not Performed—This is the default. The device does not perform any revocation checking, even if a CRL is on the device.
    CRL Check Required—The device must check a CRL. If no CRL exists on the device and the device cannot obtain one, certificates are rejected and a tunnel cannot be established.
    OCSP Check Required—The device must check revocation status from an OCSP server. If this check fails, certificates are rejected.
    CRL Check Attempted—The device tries to download the latest CRL from the specified LDAP server. If the download fails, however, certificates are accepted.
    OCSP Check Attempted—The device tries to check revocation status from an OCSP server. If this fails, however, certificates are accepted.
    CRL or OCSP Check Required—The device first checks for a CRL. If a CRL does not exist or cannot be obtained, the device tries to check revocation status from an OCSP server. If both options fail, certificates are rejected.
    OCSP or CRL Check Required—The device first tries to check revocation status from an OCSP server. If this fails, the device checks for a CRL. If both options fail, certificates are rejected.
    CRL and OCSP Checks Attempted—The device first checks for a CRL. If a CRL does not exist or cannot be obtained, the device tries to check revocation status from an OCSP server. If both options fail, however, certificates are accepted.
    OCSP and CRL Checks Attempted—The device first tries to check revocation status from an OCSP server. If this fails, the device tries to download the latest CRL. If both options fail, however, certificates are accepted.

Element: OCSP Server URL
Description: The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with http://.

Element: CRL Server URL
Description: The URL of the LDAP server from which the CRL can be downloaded if you require CRL checks. This URL must start with ldap://.
    Note: You must include a port number in the URL when using this AAA server on ASA devices; otherwise LDAP will fail.

Element: Enable Registration Authority Mode (PIX 6.3)
Description: For PIX 6.3 devices, whether the CA server operates in RA (Registration Authority) mode. A Registration Authority is a server that acts as a proxy for the actual CA so that CA operations can continue when the CA server is offline.
    Note: Cisco IOS routers configure RA mode automatically, if required.
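Added example, not part of the Cisco guide: a small Python model of the revocation-check modes and the two server-URL rules from the table, useful for seeing which modes fail open (accept when no revocation source can be reached) and which fail closed. It assumes that a check which completes and reports the certificate revoked rejects it in every mode, and that the device moves on to the second source only when the first cannot be obtained.

```python
from enum import Enum
from urllib.parse import urlparse


class Result(Enum):
    """Outcome of consulting one revocation source for a certificate."""
    GOOD = "good"                # source reached, certificate not listed as revoked
    REVOKED = "revoked"          # source reached, certificate is revoked
    UNAVAILABLE = "unavailable"  # CRL could not be obtained / OCSP responder unreachable


# Mode name -> (sources consulted, in order; True if the mode is "Required",
# i.e. fails closed when no source can be reached). Taken from Table 25-11.
MODES = {
    "Checking Not Performed": ((), False),
    "CRL Check Required": (("crl",), True),
    "OCSP Check Required": (("ocsp",), True),
    "CRL Check Attempted": (("crl",), False),
    "OCSP Check Attempted": (("ocsp",), False),
    "CRL or OCSP Check Required": (("crl", "ocsp"), True),
    "OCSP or CRL Check Required": (("ocsp", "crl"), True),
    "CRL and OCSP Checks Attempted": (("crl", "ocsp"), False),
    "OCSP and CRL Checks Attempted": (("ocsp", "crl"), False),
}


def certificate_accepted(mode: str, crl: Result, ocsp: Result) -> bool:
    """Return True if a certificate is accepted under `mode`, given the outcome
    each source would produce. Assumption: the device falls back to the next
    source only when the first is UNAVAILABLE; a completed check decides."""
    sources, fail_closed = MODES[mode]
    outcome = {"crl": crl, "ocsp": ocsp}
    for source in sources:
        if outcome[source] is Result.UNAVAILABLE:
            continue  # try the next configured source, if any
        return outcome[source] is Result.GOOD
    # No source could be consulted: "Required" rejects, "Attempted" and none accept.
    return not fail_closed


def server_url_ok(field: str, url: str, asa: bool = False) -> bool:
    """Validate the OCSP Server URL (must start with http://) or the CRL Server
    URL (must start with ldap://); on ASA devices the LDAP URL needs a port."""
    parsed = urlparse(url)
    if field == "ocsp":
        return parsed.scheme == "http" and bool(parsed.netloc)
    if field == "crl":
        if parsed.scheme != "ldap" or not parsed.netloc:
            return False
        return parsed.port is not None if asa else True
    raise ValueError(f"unknown field {field!r}")
```

The constructed cases worth trying are a CRL that cannot be downloaded while the OCSP responder is reachable: "CRL Check Required" rejects without ever consulting OCSP, "CRL or OCSP Check Required" accepts, and every "Attempted" mode accepts even when both sources are unreachable.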