About Trustpoints - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 39
Configuring Certificates

About Trustpoints

Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or
identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an
association with one enrolled identity certificate.
After you have defined a trustpoint, you can reference it by name in commands requiring that you specify
a CA. You can configure many trustpoints.
Note: If a security appliance has multiple trustpoints that share the same CA, only one of these trustpoints
sharing the CA can be used to validate user certificates. Use the support-user-cert-validation command
to control which trustpoint sharing a CA is used for validation of user certificates issued by that CA.
For automatic enrollment, a trustpoint must be configured with an enrollment URL and the CA that the
trustpoint represents must be available on the network and must support SCEP.
You can export and import the keypair and issued certificates associated with a trustpoint in PKCS12
format. This is useful if you wish to manually duplicate a trustpoint configuration on a different security
appliance.
About Revocation Checking
When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate
before this time period expires; for example, due to security concerns or a change of name or association.
CAs periodically issue a signed list of revoked certificates. Enabling revocation checking forces the
security appliance to check that the CA has not revoked a certificate every time it uses that certificate
for authentication.
When you enable revocation checking, the security appliance checks certificate revocation status during
the PKI certificate validation process. It can use CRL checking, Online Certificate Status Protocol (OCSP)
checking, or both; when both are configured, the second method you specify takes effect only when the
first method returns an error, for example, because the server is unavailable.
With CRL checking, the security appliance retrieves, parses, and caches Certificate Revocation Lists,
which provide a complete list of revoked certificates. OCSP offers a more scalable method of checking
revocation status in that it localizes certificate status on a Validation Authority, which it queries for the
status of a specific certificate.
About CRLs
Certificate Revocation Lists provide the security appliance with one means of determining whether a
certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a
part of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a
certificate (revocation-check crl command). You can also make the CRL check optional by adding the
none argument (revocation-check crl none command), which allows the certificate authentication to
succeed when the CA is unavailable to provide updated CRL data.
The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for
each trustpoint are cached for a length of time configurable for each trustpoint.
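The following configuration is an added example, not taken from this guide, that ties the preceding sections together: it defines one trustpoint for a corporate CA, enrolls it automatically over SCEP, makes the CRL check optional so that authentication still succeeds when the CA cannot serve an updated CRL, sets the per-trustpoint CRL cache time, and exports the keypair and certificates as PKCS12 for duplication on a second appliance. The trustpoint name CorpCA, the keypair label, the hostnames, the enrollment URL and the passphrase are all assumed values.

```text
! Added example (not from the Cisco guide). Names, URLs and passphrase are assumed.

! RSA keypair that the trustpoint will enroll with
crypto key generate rsa label asa-corp-key modulus 2048

crypto ca trustpoint CorpCA
 ! Automatic enrollment: the CA at this URL must be reachable and must support SCEP
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=asa1.example.com,O=Example Corp
 keypair asa-corp-key
 ! Optional CRL check: "none" lets authentication succeed if the CRL cannot be fetched.
 ! Use "revocation-check crl" (without "none") to make the CRL check mandatory.
 revocation-check crl none
 ! If several trustpoints share this CA, this one validates user certificates issued by it
 support-user-cert-validation
 crl configure
  ! Retrieve the CRL over HTTP from the distribution point named in the certificate
  policy cdp
  protocol http
  ! Keep the cached CRL for 120 minutes before refreshing it
  cache-time 120

! Obtain the CA certificate, then request the appliance's identity certificate
crypto ca authenticate CorpCA
crypto ca enroll CorpCA

! Duplicate the trustpoint elsewhere: export the keypair and certificates in PKCS12 format ...
crypto ca export CorpCA pkcs12 ExportPassphrase123
! ... and import the exported blob on the second appliance under the same trustpoint name
crypto ca import CorpCA pkcs12 ExportPassphrase123
```

The security-relevant choice here is the revocation-check line: with `crl none` an unreachable CA degrades to "accept", which favours availability; with `crl` alone an unreachable CA fails authentication, which favours strictness. Pick the behaviour deliberately per trustpoint, and keep the cache-time short enough that a revoked certificate is not honoured for longer than the policy allows.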
OL-10088-01
Cisco Security Appliance Command Line Configuration Guide
Public Key Cryptography
39-3

Advertisement

Table of Contents
loading

This manual is also suitable for:

Pix 500 seriesCisco asa 5500 series

Table of Contents