CASA-VN-000130 – The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication.

Details

Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised.

When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.

Solution

Configure the ASA to not accept certificates that have been revoked.

Revocation checking using CRL example:

ASA1(config)# crypto ca trustpoint CA_X
ASA1(config-ca-trustpoint)# revocation-check crl
ASA1(config-ca-trustpoint)# end

Revocation checking using OCSP example:

ASA1(config)# crypto ca trustpoint CA_X
ASA1(config-ca-trustpoint)# revocation-check ocsp
ASA1(config-ca-trustpoint)# end
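As an added compliance check that is not part of this STIG page, the following Python script parses ASA running-configuration text and flags each trustpoint that does not enforce CRL or OCSP revocation checking. The configuration sample is constructed, and treating a missing revocation-check line as failing is an assumption (the ASA does not check revocation unless told to).

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
crypto ca trustpoint CA_X
 enrollment terminal
 revocation-check crl
 crl configure
crypto ca trustpoint CA_Y
 enrollment terminal
 revocation-check none
crypto ca trustpoint CA_Z
 enrollment terminal
 subject-name CN=asa1
crypto ca trustpoint CA_W
 revocation-check ocsp crl
"""

COMPLIANT_METHODS = {"crl", "ocsp"}


def parse_trustpoints(config: str) -> Dict[str, List[str]]:
    """Map each trustpoint name to its indented sub-commands."""
    trustpoints: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ca trustpoint (\S+)", line)
        if m:
            current = m.group(1)
            trustpoints[current] = []
        elif current is not None and line.startswith(" "):
            trustpoints[current].append(line.strip())
        else:
            current = None  # left the trustpoint block
    return trustpoints


def revocation_methods(sub_commands: List[str]) -> List[str]:
    """Return the ordered method list from `revocation-check ...`, or [] if absent."""
    for cmd in sub_commands:
        parts = cmd.split()
        if parts and parts[0] == "revocation-check":
            return parts[1:]
    return []


def audit(config: str) -> Dict[str, bool]:
    """True only when the trustpoint uses CRL and/or OCSP with no 'none' anywhere.
    Assumption: no revocation-check line means no checking, so it fails; any
    'none' in the list (even as a fallback) lets revoked certificates through."""
    result: Dict[str, bool] = {}
    for name, subs in parse_trustpoints(config).items():
        methods = revocation_methods(subs)
        result[name] = bool(methods) and all(m in COMPLIANT_METHODS for m in methods)
    return result
```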

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.

Updated on July 16, 2022