Configuring Certificate-Based Authentication - Cisco TelePresence Administrator's Manual

Video communication server

Maintenance
About security certificates
Cisco VCS Administrator Guide (X8.1.1), Page 290 of 507

Configuring revocation checking for SIP TLS connections

You must also configure how certificate revocation checking is managed for SIP TLS connections.

1. Go to Configuration > … SIP.
2. Scroll down to the Certificate revocation checking section and configure the settings accordingly:

| Field | Description | Usage tips |
| --- | --- | --- |
| Certificate revocation checking mode | Controls whether revocation checking is performed for certificates exchanged during SIP TLS connection establishment. | We recommend that revocation checking is enabled. |
| Use OCSP | Controls whether the Online Certificate Status Protocol (OCSP) may be used to perform certificate revocation checking. | To use OCSP, the X.509 certificate to be checked must contain an OCSP responder URI. |
| Use CRLs | Controls whether Certificate Revocation Lists (CRLs) are used to perform certificate revocation checking. | CRLs can be used if the certificate does not support OCSP. CRLs can be loaded manually onto the VCS, downloaded automatically from preconfigured URIs (see Managing certificate revocation lists (CRLs) [p.288]), or downloaded automatically from a CRL distribution point (CDP) URI contained in the X.509 certificate. |
| Allow CRL downloads from CDPs | Controls whether the download of CRLs from the CDP URIs contained in X.509 certificates is allowed. | |
| Fallback behavior | Controls the revocation checking behavior if the revocation status cannot be established, for example if the revocation source cannot be contacted. Treat as revoked: treat the certificate as revoked (and thus do not allow the TLS connection). Treat as not revoked: treat the certificate as not revoked. Default: Treat as not revoked | Treat as not revoked ensures that your system continues to operate in a normal manner if the revocation source cannot be contacted, however it does potentially mean that revoked certificates will be accepted. |

Configuring certificate-based authentication

The Certificate-based authentication configuration page (Maintenance > Security certificates > Certificate-based authentication configuration) is used to configure how the VCS retrieves authorization credentials (the username) from a client browser's certificate.

This configuration is required if Client certificate-based security (as defined on the System page) has been set to Certificate-based authentication. This setting means that the standard login mechanism is no longer available and that administrators (and FindMe accounts, if accessed via the VCS) can log in only if they present a valid browser certificate — typically provided via a smart card (also referred to as a Common Access Card or CAC) — and the certificate contains appropriate credentials that have a suitable authorization level.
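
The revocation checking settings described above interact, and the fallback choice decides what happens to a revoked certificate during an outage of the revocation sources. The following Python model is an added example, not code from Cisco or the VCS. Assumptions: the evaluation order (OCSP, then loaded CRLs, then CDP-downloaded CRLs), the rule that the first definite answer decides, and all class, function and sample names and data, which are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Settings:                       # field names mirror the settings table
    checking_mode: bool = True        # Certificate revocation checking mode
    use_ocsp: bool = True             # Use OCSP
    use_crls: bool = True             # Use CRLs
    allow_cdp_downloads: bool = True  # Allow CRL downloads from CDPs
    treat_as_revoked: bool = False    # Fallback behavior (default: Treat as not revoked)

@dataclass
class Cert:                           # constructed stand-in for an X.509 certificate
    serial: str
    ocsp_uri: Optional[str] = None    # OCSP responder URI, if the certificate has one
    cdp_uri: Optional[str] = None     # CDP URI, if the certificate has one

# A source answers True (revoked), False (not revoked) or None (status not established).
Source = Callable[[Cert], Optional[bool]]

def allow_connection(cert, s, ocsp: Source, loaded_crls: Source, cdp_crl: Source) -> bool:
    if not s.checking_mode:
        return True                   # revocation checking disabled
    sources = []
    if s.use_ocsp and cert.ocsp_uri:  # OCSP needs a responder URI in the certificate
        sources.append(ocsp)
    if s.use_crls:
        sources.append(loaded_crls)   # manually loaded or preconfigured-URI CRLs
        if s.allow_cdp_downloads and cert.cdp_uri:
            sources.append(cdp_crl)
    for source in sources:            # assumption: first definite answer decides
        revoked = source(cert)
        if revoked is not None:
            return not revoked
    return not s.treat_as_revoked     # status not established: the fallback decides

REVOKED_SERIALS = {"0A"}              # constructed revocation data
def reachable(cert: Cert) -> Optional[bool]:
    return cert.serial in REVOKED_SERIALS
def unreachable(cert: Cert) -> Optional[bool]:
    return None                       # responder or CRL source cannot be contacted

def outage_outcomes() -> dict:
    # A revoked certificate presented with sources up, then with every source down.
    cert = Cert("0A", ocsp_uri="http://ocsp.example.test", cdp_uri="http://crl.example.test/ca.crl")
    run = lambda s, src: allow_connection(cert, s, src, src, src)
    return {"sources_up": run(Settings(), reachable),
            "outage_default_fallback": run(Settings(), unreachable),
            "outage_treat_as_revoked": run(Settings(treat_as_revoked=True), unreachable)}
```

In this model the revoked certificate is refused while the sources answer, accepted during an outage under the default fallback, and refused again when the fallback is Treat as revoked.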
