Procedure

Step 1 From Cisco Unified OS Administration, choose Security > Certificate Revocation.
Step 2 Check the Enable OCSP check box.
Step 3 Click the Use OCSP URI from Certificate option if the certificate is configured with an OCSP responder URI.
OR
Step 4 Click the Use Configured OCSP URI option if you want to specify an OCSP responder for OCSP checks.
Step 5 Enter the OCSP Configured URI of the responder.
Step 6 Check the Enable Revocation Check check box to enable a revocation check.
Step 7 Enter a frequency to check for revocation status and click the time interval from Hours or Days.
Step 8 Check the Enable CRL check box.
Step 9 Enter the CRL Distribution Point URI from where the CRL file has to be downloaded.

  Important
  From Release 15SU3 onwards, you can configure up to five distribution point URI settings to support multiple CRL file downloads (1 per Certificate Authority).

Step 10 Click Save.

  Note
  A popup alerts you to restart a list of Cisco services and enable real-time OCSP. The popup appears only when you check the Enable OCSP check box or save the subsequent changes.

  The OCSP responder returns one of the following statuses based on the validations and when the Common Criteria mode is ON.

  • Good: indicates that the OCSP responder sends a positive response to the status inquiry. The certificate isn't revoked, but this doesn't mean that the certificate was ever issued or that the response time is within the validity interval of the certificate. Response extensions convey more claims made by the responder on the certificate status, such as issuance, validity, and so on.
  • Revoked: indicates that the certificate is in revoked (on hold) status, either permanently or temporarily.
  • Unknown: indicates that the OCSP responder doesn't know about the requested certificate.

  Warning
  When you enable Common Criteria mode, the connection fails in the Revoked and Unknown cases. When you disable Common Criteria mode, the connection succeeds in the Unknown case.
Step 11 (Optional) If you have CTI, IPsec or LDAP links, you must also complete these steps in addition to the above steps to enable OCSP revocation support for those long uninterrupted connections:
  a) From Cisco Unified CM Administration, choose System > Enterprise Parameters.
  b) Navigate to the Certificate Revocation and Expiry pane.
  c) Set the Certificate Validity Check parameter to Enabled.
  d) Enter a value for the Validity Check Frequency parameter.

  Note

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs. Basic System Security: Certificate Revocation Configuration
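The choice between Step 3 and Step 4, and the URI entered in Step 9, depend on what the certificate itself carries. The following is an added example, not part of the Cisco guide: it reads the OCSP responder URI and CRL Distribution Point URIs from a PEM certificate. It assumes the `openssl` CLI (1.1.1 or later); the function names and the `example.test` URIs are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: read the revocation pointers out of a certificate with the
# openssl CLI before filling in the Certificate Revocation page.

# OCSP responder URI from the Authority Information Access extension (empty if absent).
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# CRL Distribution Point URIs, one per line (empty if absent).
crl_uris_of() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 CRL Distribution Points/ { in_cdp = 1; next }
        in_cdp && /X509v3|Authority Information Access|Signature Algorithm/ { in_cdp = 0 }
        in_cdp && /URI:/ { sub(/.*URI:/, ""); sub(/[ \t\r]+$/, ""); print }'
}

# Map the result to the Step 3 / Step 4 choice in the procedure.
ocsp_option_for() {
    if [ -n "$(ocsp_uri_of "$1")" ]; then
        echo "Use OCSP URI from Certificate"
    else
        echo "Use Configured OCSP URI"
    fi
}

# Constructed sample input: two throwaway self-signed certificates, one with
# revocation pointers (example.test URIs are placeholders) and one without.
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=with.example.test" \
        -keyout "$1/with.key" -out "$1/with.pem" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
        -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=without.example.test" \
        -keyout "$1/without.key" -out "$1/without.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir"
for cert in "$demo_dir"/with.pem "$demo_dir"/without.pem; do
    echo "$(basename "$cert"): OCSP=$(ocsp_uri_of "$cert") CRL=$(crl_uris_of "$cert")"
    echo "  -> $(ocsp_option_for "$cert")"
done
rm -rf "$demo_dir"
```

A certificate with no OCSP URI in its Authority Information Access extension can only be checked through a configured responder (Steps 4 and 5).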