Concept Guide
Verifying Server certicates
Verifying server certicates is mandatory in the TLS protocol.
As a result, all TLS-enabled applications require certicate verication, including Syslog servers. The system checks the Server certicates
against installed CA certicates.
NOTE: As part of the certicate verication, the hostname or IP address of the server is veried against the hostname or IP
address specied in the application. For example, when using SYSLOG over TLS, the hostname or IP address specied in the
logging syslog-server secure port port-number command is compared against the SubjectAltName or Common
Name eld in the server certicate.
Verifying Client Certicates
Verifying client certicates is optional in the TLS protocol and is not explicitly required by Common Criteria.
However, TLS-protected Syslog and RADIUS protocols mandate that certicate-based mutual authentication be performed.
Event logging
The system logs the following events:
• A CA certicate is installed or deleted.
• A self-signed certicate and private key are generated.
• An existing host certicate, a private key, or both are deleted.
• A host certicate is installed successfully.
• An installed certicate (host certicate or CA certicate) is within seven days of expiration. This alert is repeated periodically.
• An OCSP request is not answered with an OCSP response.
• A secure session negotiation fails due to invalid, expired, or revoked certicate.
1106
X.509v3