Administrator Guide
Configuring Revocation Behavior
You can configure the system behavior if an OCSP responder fails.
By default, when all the OCSP responders fail to send a response to an OSCP request, the system accepts the certificate and logs the
event. However, you can configure the system to reject the certificate in case OCSP responders fail.
To configure OCSP revocation settings:
In CONFIGURATION mode, enter the following command:
crypto x509 revocation ocsp [accept | reject]
The default behavior is to accept certificates if either an OCSP responder is unavailable or if no responder is identified.
Configuring OSCP responder preference
You can configure the preference or order that the CA or a device follows while contacting multiple OCSP responders.
Enter the following command in Certificate mode:
ocsp-server prefer
Verifying certificates
A CA certificate’s public key is used to decrypt a presented certificate’s signature to obtain a hash value.
The rest of the presented certificate is also hashed and if the two hashes match then the certificate is considered valid.
During verification, the system checks the presented certificates for revocation information. The system also enables you to configure
behavior in case a certificate’s revocation status cannot be verified; for example, when the OCSP responder is unreachable you can alter
system behavior to accept or reject the certificate depending on configuration. The default behavior is to accept the certificates. The
system also logs the events where the OSCP responders fail or invalid OSCP responses are received.
NOTE: A CA certificate can also be revoked.
Verifying Server certificates
Verifying server certificates is mandatory in the TLS protocol.
As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificates
against installed CA certificates.
NOTE:
As part of the certificate verification, the hostname or IP address of the server is verified against the hostname
or IP address specified in the application. For example, when using SYSLOG over TLS, the hostname or IP address
specified in the logging syslog-server secure port port-number command is compared against the
SubjectAltName or Common Name field in the server certificate.
Verifying Client Certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria.
However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.
Event logging
The system logs the following events:
• A CA certificate is installed or deleted.
• A self-signed certificate and private key are generated.
• An existing host certificate, a private key, or both are deleted.
• A host certificate and private key are installed successfully.
• An installed certificate (host certificate or CA certificate) is within seven days of expiration. This alert is repeated periodically.
• An OCSP request is not answered with an OCSP response.
986
X.509v3