Cisco ASA 5505 Configuration Manual page 741

Chapter 35
Configuring Digital Certificates
Configuring OCSP Rules
The adaptive security appliance examines OCSP rules in priority order and applies the first one that matches. OCSP checking of X.509 digital certificates is an alternative to using CRLs.
Note
Make sure that you have configured a certificate map before you try to add OCSP rules. If a certificate map has not been configured, an error message appears. To configure a certificate map, choose Configuration > Network (Client) Access, Advanced > IPSec > Certificate to Connection Profile Maps > Rules > Add.
To configure OCSP rules for obtaining revocation status of an X.509 digital certificate, perform the following steps:
Step 1
In the Configuration Options for CA Certificates pane, click the OCSP Rules tab.
Step 2
Choose the certificate map to match to this OCSP rule. Certificate maps match user permissions to specific fields in a certificate. The name of the CA that the adaptive security appliance uses to validate responder certificates appears in the Certificate field. The priority number for the rule appears in the Index field. The URL of the OCSP server for this certificate appears in the URL field.
Step 3
To add a new OCSP rule, click Add. The Add OCSP Rule dialog box appears.
Step 4
Choose the certificate map to use from the drop-down list.
Step 5
Choose the certificate to use from the drop-down list.
Step 6
Enter the priority number for the rule.
Step 7
Enter the URL of the OCSP server for this certificate.
Step 8
When you are done, click OK to close this dialog box. The newly added OCSP rule appears in the list.
Step 9
To edit an existing OCSP rule, select it, and then click Edit.
Step 10
To delete an OCSP rule, select it, and then click Delete.
Step 11
Click OK to close this tab. Alternatively, to continue, see the "Configuring Advanced CRL and OCSP Settings" section on page 35-13.
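The priority-order matching that the procedure above configures (certificate map, Index, URL), as an added illustration that is not Cisco code and does not run on an ASA. The certificate-map condition syntax (field, operator, value with eq and co) is a simplified assumption, and the map names, index values and responder URLs are constructed.

```python
"""Model of OCSP rule selection: rules are examined in priority (Index) order
and the first one whose certificate map matches the certificate is applied.
Added illustration only; not Cisco code, and it does not talk to an ASA.
Certificate-map semantics are a simplified assumption: every condition in a
map must hold; 'eq' is an exact match and 'co' is a substring match."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OcspRule:
    index: int      # priority number (Index field); lower values are examined first
    cert_map: str   # certificate map the rule matches on
    url: str        # OCSP responder URL applied when the rule matches


# Constructed certificate maps: name -> list of (field, operator, value).
CERT_MAPS = {
    "corp-staff": [("subject.O", "eq", "Example Corp"), ("subject.OU", "co", "Staff")],
    "contractors": [("subject.O", "eq", "Example Corp"), ("subject.OU", "co", "Contractor")],
    "any-corp": [("subject.O", "eq", "Example Corp")],
}


def map_matches(map_name: str, cert_fields: dict) -> bool:
    """True when every condition in the named certificate map holds."""
    for field, op, expected in CERT_MAPS[map_name]:
        actual = cert_fields.get(field, "")
        if op == "eq" and actual != expected:
            return False
        if op == "co" and expected not in actual:
            return False
    return True


def select_ocsp_url(rules: list, cert_fields: dict) -> Optional[str]:
    """Return the URL of the first matching rule in Index order, or None
    when no rule matches (the certificate gets no OCSP responder override)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if map_matches(rule.cert_map, cert_fields):
            return rule.url
    return None


# Constructed rule set. The broad 'any-corp' map sits at the highest index so
# that the more specific maps are tried first.
RULES = [
    OcspRule(30, "any-corp", "http://ocsp.example.com/"),
    OcspRule(10, "corp-staff", "http://ocsp-internal.example.com/"),
    OcspRule(20, "contractors", "http://ocsp-partners.example.com/"),
]

if __name__ == "__main__":
    staff = {"subject.O": "Example Corp", "subject.OU": "Staff Engineering"}
    print(select_ocsp_url(RULES, staff))   # http://ocsp-internal.example.com/
```

Giving the broad any-corp map a lower index than the specific maps would send every Example Corp certificate to the public responder, which is why the priority number entered in Step 6 matters.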
Configuring Advanced CRL and OCSP Settings
When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate
before this time period expires; for example, because of security concerns or a change of name or
association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking
forces the adaptive security appliance to check that the CA has not revoked the certificate being verified.
The adaptive security appliance supports two methods of checking revocation status: CRL and OCSP.
To configure additional CRL and OCSP settings, perform the following steps:
Step 1
In the Configuration Options for CA Certificates pane, click the Advanced tab.
Configuring CA Certificate Authentication
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
35-13