To associate a certificate-based access control list (ACL) that is defined with the crypto ca certificate map command, use the match certificate command in ca-trustpoint configuration mode. To remove the association, use the no form of this command.
match certificate certificate-map-label [allow expired-certificate | skip revocation-check | skip authorization-check]
no match certificate certificate-map-label [allow expired-certificate | skip revocation-check | skip authorization-check]
Syntax Description
certificate-map-label
    Matches the label argument specified in a previously defined crypto ca certificate map command.
allow expired-certificate
    (Optional) Accepts a peer certificate that matches the certificate map even if that certificate is expired or not yet valid.
    Note: If this keyword is not configured, the router rejects expired certificates.
skip revocation-check
    (Optional) Allows a trustpoint to enforce certificate revocation lists (CRLs) for all certificates except those that match the certificate map.
    Note: If this keyword is not configured, the trustpoint enforces CRLs for all certificates.
skip authorization-check
    (Optional) Skips the authentication, authorization, and accounting (AAA) check of a certificate that matches the certificate map when public key infrastructure (PKI) integration with an AAA server is configured.
    Note: If this keyword is not configured and PKI integration with an AAA server is configured, the AAA check of the certificate is performed.
Command Default
If this command is not configured, no default match certificate is configured. Each of the allow expired-certificate, skip revocation-check, and skip authorization-check keywords has a default (see the "Syntax Description" section).
Command Modes
Ca-trustpoint configuration
Command History
Release        Modification
12.2(15)T      This command was introduced.
12.2(18)SXD    This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.3(4)T       The allow expired-certificate, skip revocation-check, and skip authorization-check keywords were added.
12.2(33)SRA    This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
The match certificate command associates the certificate-based ACL defined with the crypto ca certificate map command with the trustpoint. The certificate-map-label argument in the match certificate command must match the label argument specified in a previously defined crypto ca certificate map command, so the certificate map must be defined before it can be referenced by a match certificate subcommand.
A certificate map that is referenced by a match certificate command cannot be deleted until all references to it are removed from configured trustpoints (that is, no match certificate command may still reference the certificate map being deleted).
When the certificate of a peer has been verified, the certificate-based ACL specified by the certificate map is checked. If the certificate of the peer matches the certificate ACL, or no certificate map is associated with the trustpoint used to verify the peer certificate, the peer certificate is considered valid. If the certificate map does not have any attributes defined, nothing can match it, and the certificate is rejected.
Using the allow expired-certificate Keyword
The allow expired-certificate keyword has two purposes:
- If the certificate of a peer has expired, this keyword may be used to allow the expired certificate until the peer is able to obtain a new certificate.
- If your router clock has not yet been set to the correct time, the certificate of a peer will appear to be not yet valid until the clock is set. This keyword may be used to allow the certificate of the peer even though your router clock is not set.
Note: If Network Time Protocol (NTP) is available only via the IPsec connection (usually via the hub in a hub-and-spoke configuration), the router clock can never be set without this keyword, because the tunnel to the hub cannot be brought up while the certificate of the hub does not yet appear valid.
"Expired" is a generic term for a certificate that is either expired or not yet valid. The certificate has a start and end time; for purposes of the ACL, an expired certificate is one for which the current time of the router is outside the start and end time specified in the certificate. Because the keyword disables a check that normally retires old or abandoned certificates, pair it with a certificate map that matches only the peers that need the exemption.
Using the skip revocation-check Keyword
The type of enforcement provided by the skip revocation-check keyword is most useful in a hub-and-spoke configuration in which you also want to allow direct spoke-to-spoke connections.
In a pure hub-and-spoke configuration, all spokes connect only to the hub, so CRL checking is necessary only on the hub. If one spoke communicates directly with another spoke, the CRLs must also be checked on the spokes. However, if the spoke trustpoint is configured to require CRLs, the connection to the hub that is needed to retrieve the CRL usually cannot be made, because the CRL is available only through the connection to the hub. Configuring skip revocation-check with a certificate map that matches only the hub certificate lets the spoke bring up the hub tunnel without a CRL while still enforcing CRL checking for other spoke certificates.
Using the skip authorization-check Keyword
If the communication with an AAA server is protected with a certificate, and you want to skip the AAA check of the certificate,
use the skip authorization-check keyword. For example, if a Virtual Private Network (VPN) tunnel is configured so that all AAA traffic goes over that tunnel,
and the tunnel is protected with a certificate, you can use the skip authorization-check keyword to skip the certificate check so that the tunnel can be established.
The skip authorization-check keyword should be configured after PKI integration with an AAA server is configured.
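The decision described in the usage guidelines above (the ACL-style match, the rejection of an empty map, "expired" covering both ends of the validity window, and the three keyword exemptions) modelled in Python as an added example. This is not Cisco code: the Cert, CertMap and Trustpoint classes, the evaluate() function, the treatment of several match certificate statements on one trustpoint, and the sample certificates and CRL contents are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Added example, not Cisco code: a model of how a trustpoint applies its
# "match certificate" statements. Class names, evaluate(), the sample
# certificates and the CRL contents are all constructed for this example.


@dataclass
class Cert:
    subject_name: str   # subject as IOS prints it, e.g. "cn=branch1,ou=WAN,o=Cisco"
    issuer_name: str
    serial: str
    not_before: datetime
    not_after: datetime


@dataclass
class CertMap:
    """One 'crypto pki certificate map <label> <seq>' per sequence number.
    Clauses within a sequence are ANDed; sequences sharing a label are ORed."""
    label: str
    entries: dict = field(default_factory=dict)   # seq -> [(field, op, value)]

    def add(self, seq: int, fld: str, op: str, value: str) -> "CertMap":
        self.entries.setdefault(seq, []).append((fld, op, value))
        return self


def clause_matches(cert: Cert, fld: str, op: str, value: str) -> bool:
    # Operators used in certificate maps: eq, ne, co (contains), nc (does not contain).
    actual = getattr(cert, fld.replace("-", "_")).lower()
    value = value.lower()
    return {"eq": actual == value, "ne": actual != value,
            "co": value in actual, "nc": value not in actual}[op]


def map_matches(cert: Cert, cmap: CertMap) -> bool:
    # A map with no attributes defined matches nothing, so the peer is rejected.
    return any(clauses and all(clause_matches(cert, *c) for c in clauses)
               for clauses in cmap.entries.values())


@dataclass
class Trustpoint:
    revocation_check: str = "crl"                 # "crl" or "none"
    # (label, keyword) pairs; keyword is None for a plain ACL-style match.
    matches: list = field(default_factory=list)


def evaluate(cert, tp, maps, now, crl, aaa_authorize=None):
    """Return (accepted, reason) for a peer certificate whose signature chain
    has already been verified. crl is the set of revoked serials, or None when
    the CRL could not be retrieved (the hub-and-spoke case in the text).
    aaa_authorize is the PKI/AAA integration hook, or None when not configured."""
    exemptions = set()
    for label, keyword in tp.matches:
        hit = map_matches(cert, maps[label])
        if keyword is None:
            if not hit:                      # plain match certificate acts as an ACL
                return False, f"no match for certificate map {label}"
        elif hit:                            # keyword forms only grant an exemption
            exemptions.add(keyword)

    # "Expired" here covers both sides of the validity window.
    if not (cert.not_before <= now <= cert.not_after):
        if "allow expired-certificate" not in exemptions:
            return False, "certificate expired or not yet valid"

    if tp.revocation_check == "crl" and "skip revocation-check" not in exemptions:
        if crl is None:
            return False, "CRL unavailable"
        if cert.serial in crl:
            return False, "certificate revoked"

    if aaa_authorize is not None and "skip authorization-check" not in exemptions:
        if not aaa_authorize(cert):
            return False, "AAA authorization failed"

    return True, "ok"


# Constructed sample data (not real certificates).
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
BRANCH1 = Cert("cn=branch1,ou=WAN,o=Cisco", "cn=CA,o=Cisco", "1001",
               datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC))  # expired
HUB = Cert("cn=Central VPN Gateway,o=Home Office Inc", "cn=CA,o=Cisco", "2002",
           datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
OUTSIDER = Cert("cn=laptop,ou=LAN,o=Cisco", "cn=CA,o=Cisco", "3003",
                datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
MAPS = {m.label: m for m in (
    CertMap("Group").add(10, "subject-name", "co", "ou=WAN")
                    .add(10, "subject-name", "co", "o=Cisco"),
    CertMap("central-site").add(10, "subject-name", "co", "cn=Central VPN Gateway"),
    CertMap("empty"),
)}

if __name__ == "__main__":
    # Central site: the plain ACL rejects the expired branch certificate,
    # allow expired-certificate admits it so the branch can renew.
    print(evaluate(BRANCH1, Trustpoint(matches=[("Group", None)]), MAPS, NOW, set()))
    print(evaluate(BRANCH1, Trustpoint(matches=[("Group", "allow expired-certificate")]), MAPS, NOW, set()))
    # Branch: the CRL is unreachable until the tunnel to the hub is up.
    print(evaluate(HUB, Trustpoint(), MAPS, NOW, None))
    print(evaluate(HUB, Trustpoint(matches=[("central-site", "skip revocation-check")]), MAPS, NOW, None))
```

The model keeps the keyword forms as exemptions that apply only to certificates matching the map, while a match certificate statement without a keyword behaves as an ACL that rejects everything else; that split is what lets a spoke skip the CRL for the hub alone and keep checking every other peer.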
Examples
The following example shows a certificate-based ACL with the label “Group” defined in a crypto ca certificate map command and included in the match certificate command:
crypto ca certificate map Group 10
subject-name co ou=WAN
subject-name co o=Cisco
!
crypto ca trustpoint pki
match certificate Group
The following example shows a configuration for a central site using the allow expired-certificate keyword. The router at a branch site has an expired certificate that matches the certificate map "branch1" and has to establish a tunnel to the central site to renew its certificate.
crypto pki trustpoint VPN-GW
enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
serial-number none
fqdn none
ip-address none
subject-name o=Home Office Inc,cn=Central VPN Gateway
revocation-check crl
match certificate branch1 allow expired-certificate
The following example shows a branch office configuration using the skip revocation-check keyword. The trustpoint enforces CRLs for all certificates except those that match the "central-site" certificate map.
crypto pki trustpoint home-office
enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll
serial-number none
fqdn none
ip-address none
subject-name o=Home Office Inc,cn=Branch 1
revocation-check crl
match certificate central-site skip revocation-check
The following example shows a branch office configuration using the skip authorization-check keyword. The trustpoint skips AAA checking for certificates that match the "central-site" certificate map.
crypto pki trustpoint home-office
auth list allow_list
auth user subj commonname
match certificate central-site skip authorization-check