Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 12
Configuring Certificates

About Trustpoints

Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or
identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an
association with one enrolled identity certificate.
After you have defined a trustpoint, you can reference it by name in commands requiring that you specify
a CA. You can configure many trustpoints.
Note: If an FWSM has multiple trustpoints that share the same CA, only one of these trustpoints sharing the
CA can be used to validate user certificates. To control which trustpoint sharing a CA is used for
validation of user certificates issued by that CA, enter the support-user-cert-validation command.
You can export and import the keypair and issued certificates associated with a trustpoint in PKCS12
format, which is useful if you want to manually duplicate a trustpoint configuration on a different
FWSM.

About Revocation Checking

When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate
before this time period expires; for example, because of security concerns or a change of name or
association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking
forces the FWSM to check that the CA has not revoked a certificate every time it uses that certificate for
authentication.
When you enable revocation checking during the PKI certificate validation process, the FWSM checks
certificate revocation status using CRL checking, OCSP, or both. When both are configured, the second
method you set is used only when the first method returns an error (for example, because the CRL
distribution point or OCSP server is unavailable); it is not used as a second opinion when the first
method answers.
With CRL checking, the FWSM retrieves, parses, and caches CRLs, which provide a complete list of
the certificates the CA has revoked. OCSP offers a more scalable method of checking revocation status
because it localizes certificate status on a Validation Authority (the OCSP responder), which the FWSM
queries for the status of one specific certificate instead of downloading the entire list.
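The following CLI session is an added example, not taken from this guide, that ties the trustpoint, revocation-checking and PKCS12 export/import topics above together on one FWSM. It uses the ASA/FWSM trustpoint syntax as I know it; the trustpoint name CORP-CA, the key label CORP-KEY, the OCSP URL, the second hostname and the passphrase are placeholders. With revocation-check crl ocsp, the CRL is consulted first and OCSP only if the CRL lookup fails; because the optional none keyword is not appended, a certificate whose status cannot be determined by either method is rejected rather than accepted, which is the setting a practitioner normally wants.

```cisco
! Added example: CRL-first, OCSP-fallback revocation checking on one trustpoint.
! CORP-CA, CORP-KEY, ocsp.example.com, hostname2 and <passphrase> are placeholders.
hostname(config)# crypto key generate rsa label CORP-KEY modulus 2048
hostname(config)# crypto ca trustpoint CORP-CA
hostname(config-ca-trustpoint)# keypair CORP-KEY
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# revocation-check crl ocsp
hostname(config-ca-trustpoint)# ocsp url http://ocsp.example.com/
hostname(config-ca-trustpoint)# crl configure
! Fetch the CRL from the CDP named in the certificate, refresh it at least hourly,
! and refuse a CRL whose NextUpdate time has passed (a stale list hides revocations).
hostname(config-ca-trustpoint-crl)# policy cdp
hostname(config-ca-trustpoint-crl)# cache-time 60
hostname(config-ca-trustpoint-crl)# enforcenextupdate
hostname(config-ca-trustpoint-crl)# exit
! Make this the trustpoint used to validate user certificates issued by CORP-CA
! if other trustpoints for the same CA exist.
hostname(config-ca-trustpoint)# support-user-cert-validation
hostname(config-ca-trustpoint)# exit
! Paste the CA certificate when prompted, then enroll; the CSR is printed to the terminal.
hostname(config)# crypto ca authenticate CORP-CA
hostname(config)# crypto ca enroll CORP-CA
! Verify the trustpoint, the installed certificates and that a CRL was actually retrieved.
hostname# show crypto ca trustpoints
hostname# show crypto ca certificates
hostname# show crypto ca crls
! Duplicate the trustpoint on a second FWSM: export the key pair and certificates
! in PKCS12 form here, then paste the blob into the import on the other module.
hostname(config)# crypto ca export CORP-CA pkcs12 <passphrase>
hostname2(config)# crypto ca import CORP-CA pkcs12 <passphrase>
```

The exported PKCS12 blob contains the private key protected only by the passphrase, so treat the terminal capture as key material and choose a strong passphrase. Checking show crypto ca crls after enrollment is worth the extra step: a trustpoint whose CRL fetch silently fails will fall through to OCSP on every validation, and if OCSP is also unreachable every certificate from that CA is rejected.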

Certificate Configuration

This section describes how to configure the FWSM with certificates and other procedures related to
certificate use and management, and includes the following topics:

Preparing for Certificates, page 12-4
Generating Key Pairs, page 12-4
Removing Key Pairs, page 12-5
Establishing AAA Authentication, page 12-5
Verifying Configurations for Specified Settings, page 12-6
Exporting and Importing Keypairs and Certificates, page 12-7
Linking Certificates to a Trustpoint, page 12-9
Configuration Example: Cut-Through-Proxy Authentication, page 12-9

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
12-3
