User Guide for the Cisco Application Networking Manager 5.2    OL-26572-01    11-33

Chapter 11    Configuring SSL
    Enabling Client Authentication

Configuring CRLs for Client Authentication

You can configure the ACE to scan for CRLs and retrieve them. By default, ACE does not use certificate revocation lists (CRLs) during client authentication. You can configure the SSL proxy service to use a CRL by having the ACE scan each client certificate for the service to determine if it contains a CRL in the extension and then retrieve the value, if it exists. For more information about SSL termination on the ACE, see either the Cisco Application Control Engine Module SSL Configuration Guide or the Cisco ACE 4700 Series Appliance SSL Configuration Guide.

Note    The ACE supports the creation of a maximum of eight CRLs for any context.

Note    When you enable client authentication, a significant performance decrease may occur. Additional latency may occur when you configure CRL retrieval.

Assumption

A CRL cannot be configured on an SSL proxy without first configuring an authorization group.

Procedure

Step 1    Choose Config > Devices > context > SSL > Certificate Revocation Lists (CRLs).
          The Certificate Revocation Lists (CRLs) table appears.

Step 2    In the Certificate Revocation Lists (CRLs) table, click Add to add a CRL, or choose an existing CRL and click Edit to modify it.
          The Certificate Revocation Lists (CRLs) window appears.

Step 3    In the Certificate Revocation Lists (CRLs) window, enter the information in Table 11-14.

Step 4    Do one of the following:

          • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The updated Certificate Revocation Lists (CRLs) table appears.

          • Click Cancel to exit the procedure without saving your entries and to return to the Certificate Revocation Lists (CRLs) table.

          • Click Next to deploy your entries and to add another entry to the Certificate Revocation Lists (CRLs) table.

Table 11-14    SSL Certificate Revocation List

Field    Description

Name     CRL name. Valid entries are unquoted alphanumeric strings with a maximum of 64 characters.

URL      URL where the ACE retrieves the CRL. Valid entries are unquoted alphanumeric strings with a maximum of 255 characters. Only HTTP URLs are supported. ACE checks the URL and displays an error if it does not match.
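The following is an added example, not Cisco ANM or ACE code, illustrating the two mechanisms this section describes: locating the CRL in a client certificate's CRL Distribution Points extension (RFC 5280, OID 2.5.29.31), which is the "CRL in the extension" the ACE scans for, and the Name and URL constraints of Table 11-14. The DER encoder and decoder are minimal hand-written helpers so that the example runs with the Python standard library only; the certificate extension bytes are constructed inline rather than taken from a real certificate, and the validation rules are read literally from the table (the HTTP-only rule is applied to the URL scheme, since a URL cannot itself be purely alphanumeric).

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Added example (not ACE/ANM code). Minimal DER helpers plus the
# CRLDistributionPoints walk from RFC 5280; constraints from Table 11-14.
TAG_SEQUENCE = 0x30
TAG_CTX0_CONSTRUCTED = 0xA0   # [0] distributionPoint and [0] fullName
TAG_CTX6_PRIMITIVE = 0x86     # [6] uniformResourceIdentifier (IA5String)


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read the TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form: next N bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def der_children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed element's body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read_tlv(body, pos)
        out.append((tag, value))
    return out


def build_cdp_extension(uris: List[str]) -> bytes:
    """Constructed test data: CRLDistributionPoints with one DistributionPoint
    per URI, each as distributionPoint [0] -> fullName [0] -> URI [6]."""
    dps = b"".join(
        der_encode(TAG_SEQUENCE, der_encode(TAG_CTX0_CONSTRUCTED,
                   der_encode(TAG_CTX0_CONSTRUCTED,
                              der_encode(TAG_CTX6_PRIMITIVE, u.encode("ascii")))))
        for u in uris)
    return der_encode(TAG_SEQUENCE, dps)


def cdp_uris(ext_value: bytes) -> List[str]:
    """Extract every URI GeneralName from a CRLDistributionPoints extension value."""
    tag, body, _ = der_read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris: List[str] = []
    for dp_tag, dp in der_children(body):              # DistributionPoint
        if dp_tag != TAG_SEQUENCE:
            continue
        for t, v in der_children(dp):                   # [0] distributionPoint
            if t != TAG_CTX0_CONSTRUCTED:
                continue
            for t2, v2 in der_children(v):              # [0] fullName (GeneralNames)
                if t2 != TAG_CTX0_CONSTRUCTED:
                    continue
                for t3, v3 in der_children(v2):         # GeneralName entries
                    if t3 == TAG_CTX6_PRIMITIVE:
                        uris.append(v3.decode("ascii"))
    return uris


NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")   # Table 11-14: unquoted alphanumeric, max 64


def validate_crl_entry(name: str, url: str) -> List[str]:
    """Apply the Table 11-14 constraints; an empty list means the entry is acceptable."""
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append("Name must be an unquoted alphanumeric string of 1-64 characters")
    if len(url) > 255:
        errors.append("URL exceeds 255 characters")
    if urlparse(url).scheme.lower() != "http":
        errors.append("Only HTTP URLs are supported")
    return errors


def select_crl_url(ext_value: bytes) -> Optional[str]:
    """First distribution point usable under the HTTP-only rule, or None if absent."""
    for uri in cdp_uris(ext_value):
        if urlparse(uri).scheme.lower() == "http":
            return uri
    return None
```

A certificate may carry several distribution points (LDAP and HTTP are common together); `select_crl_url` returns the first HTTP one, which is the only kind the table says the ACE can fetch, and `None` when the extension offers nothing it can use, which is the "if it exists" case in the text above. The performance note in this section applies here as well: every client handshake that triggers a fetch adds a network round trip to the CRL server.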