Configuring a CRL Record - Cisco 11503 - CSS Content Services Switch Configuration Manual

Content Services Switch SSL Configuration Guide

Chapter 4
Configuring SSL Termination

Configuring a CRL Record

OL-5655-01
After you enable client authentication, you can assign the CA certificates to the
virtual SSL server through the ssl-server number cacert command. For example,
to specify the mycert1 CA certificate association to the virtual SSL server, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 cacert mycert1
To remove a certificate association from the virtual SSL server, use the no form
of the ssl-server number cacert command. For example, to remove the mycert1
CA certificate association, enter:
(config-ssl-proxy-list[ssl_list1])# no ssl-server 20 cacert mycert1
When a CA revokes a certificate, the CA places the certificate on a certificate
revocation list (CRL) and publishes it for public availability. For the CSS to use a
CRL, it must obtain the CRL from its current location and download it via HTTP.
To do so, you must create a CRL record on the CSS. The CRL record contains the
complete URL information for the CSS to obtain the CRL from its current
location and import it periodically. After you configure the CRL record, you can
assign it to the virtual SSL server.
Note: The HTTP request to retrieve the CRL has a source IP address that is the VIP
address of the virtual SSL server.
You can assign one CRL record to a virtual SSL server; however, you can configure
the CSS to store up to 10 CRL records. To configure the CRL record, use the
ssl crl-record command in global configuration mode. The syntax for the command is:
ssl crl-record crl_name url sign_cert hours
The variables are:
crl_name - The name for the CRL record. Enter a string with a maximum of
31 characters and no spaces.
url - The URL where the CRL is located. Enter a string with a maximum of
168 characters and no spaces (for example,
http://www.example.com/crl/clientcert.crl).
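The following Python check is an added example, not part of the Cisco guide or of the CSS software. It lints ssl crl-record lines in a saved configuration against the limits stated above (31-character crl_name, 168-character url, no spaces, retrieval via HTTP, at most 10 records). The function name and sample lines are constructed, and treating any scheme other than http:// as an error is an assumption based on the statement that the CSS downloads the CRL via HTTP.

```python
from urllib.parse import urlsplit

MAX_NAME, MAX_URL, MAX_RECORDS = 31, 168, 10  # limits stated in the text above

# Constructed sample configuration (not taken from a real device). The
# sign_cert and hours values (mycert1, 24) are placeholders and are not checked.
SAMPLE_CONFIG = """\
ssl crl-record crl_clients http://www.example.com/crl/clientcert.crl mycert1 24
ssl crl-record this_crl_record_name_is_far_too_long http://www.example.com/a.crl mycert1 24
ssl crl-record crl_ftp ftp://www.example.com/crl/clientcert.crl mycert1 24
ssl crl-record crl_space http://www.example.com/my crl.crl mycert1 24
"""


def lint_crl_records(config_text):
    """Return (line_number, message) findings for each ssl crl-record line."""
    findings, records = [], 0
    for lineno, line in enumerate(config_text.splitlines(), 1):
        fields = line.split()
        if fields[:2] != ["ssl", "crl-record"]:
            continue
        records += 1
        if records == MAX_RECORDS + 1:
            findings.append((lineno, f"more than {MAX_RECORDS} CRL records"))
        # A space inside crl_name or url shows up as an extra field.
        if len(fields) != 6:
            findings.append(
                (lineno, "expected: ssl crl-record crl_name url sign_cert hours"))
            continue
        name, url = fields[2], fields[3]
        if len(name) > MAX_NAME:
            findings.append((lineno, f"crl_name is {len(name)} chars, max {MAX_NAME}"))
        if len(url) > MAX_URL:
            findings.append((lineno, f"url is {len(url)} chars, max {MAX_URL}"))
        # Assumption: only http:// is accepted, since the CRL is fetched via HTTP.
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not parts.hostname:
            findings.append((lineno, "url is not a complete http:// URL"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_crl_records(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```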
Configuring Virtual SSL Servers for an SSL Proxy List