Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 9 Configuring SSL
Enabling Client Authentication
Step 7 Do the following:
• Click Deploy Now to deploy this configuration on the ACE.
• Click Cancel to exit the procedure without saving your entries and to return to the Auth Group
Parameters table.
• Click Next to deploy your entries and to add another entry to the Auth Group Parameters table.
Step 8 You can repeat the previous step to add more certificates to the auth group or click Deploy Now.
Step 9 After you configure auth group parameters, you can configure the SSL proxy service to use a CRL. See
Configuring CRLs for Client Authentication, page 9-33.
Note When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
Related Topics
• Configuring SSL Chain Group Parameters, page 9-25
• Configuring CRLs for Client Authentication, page 9-33
Configuring CRLs for Client Authentication
By default, the ACE does not use certificate revocation lists (CRLs) during client authentication. You can
configure the SSL proxy service to use a CRL by having the ACE scan each client certificate for the
service to determine whether it contains a CRL in the extension and, if it does, retrieve the value. For
more information about SSL termination on the ACE, see the SSL Guide, Cisco ACE Application Control
Engine.
Note The ACE supports the creation of a maximum of eight CRLs for any context.
Note When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
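The lookup described above can be reproduced offline. This is an added example, not Cisco code or the ACE's implementation: it uses the Python `cryptography` library to read the CRL location from a client certificate's extension and then check the certificate's serial number against a CRL. It assumes the extension in question is the standard X.509 CRL Distribution Points extension; the CA, certificates, serial numbers and URL are constructed lab values, and the CRL is built in memory rather than downloaded.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

NOW = dt.datetime(2024, 1, 1)                 # constructed validity start
CDP_URL = "http://crl.example.test/lab.crl"   # constructed placeholder URL
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Lab CA")])

def make_lab():
    """Constructed lab data: a CA key, three client certs, and a CRL revoking serial 2."""
    ca_key = ec.generate_private_key(ec.SECP256R1())

    def issue(cn, serial, with_cdp=True):
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
        key = ec.generate_private_key(ec.SECP256R1())
        builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
                   .public_key(key.public_key()).serial_number(serial)
                   .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365)))
        if with_cdp:  # embed the CRL location in the certificate extension
            dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CDP_URL)], None, None, None)
            builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
        return builder.sign(ca_key, hashes.SHA256())

    revoked = x509.RevokedCertificateBuilder().serial_number(2).revocation_date(NOW).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
           .last_update(NOW).next_update(NOW + dt.timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    certs = {"good": issue("client-good", 1), "revoked": issue("client-revoked", 2),
             "no_cdp": issue("client-no-cdp", 3, with_cdp=False)}
    return ca_key.public_key(), certs, crl

def crl_urls(cert):
    """Return the CRL URLs named in the certificate's extension, or [] if it has none."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def is_revoked(cert, crl, ca_public_key):
    """Check the cert's serial against a CRL, refusing a CRL the CA did not sign."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL is not from this certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A certificate with no CRL location in its extension yields an empty list, so a check that relies only on the embedded value has nothing to retrieve for that certificate.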
Use this procedure to configure the ACE to scan for CRLs and retrieve them.
Assumption
A CRL cannot be configured on an SSL proxy without first configuring an auth group.
Procedure
Step 1 Choose Config > Virtual Contexts > context > SSL > Certificate Revocation Lists (CRL). The
Certificate Revocation List table appears.
Step 2 Click Add to add a CRL or select an existing CRL, and then click Edit to modify it. The Certificate
Revocation List screen appears.