What is the website category for certificate revocation lists?

keithsauer507
Level 5

We have some kiosks running SiteKiosk software that are heavily locked down to our website. They are in a restricted internet group with website whitelisting. Our website is secure because we are an FI and it allows people in our branches to go online and check their online banking account and print out statements, etc... basically a self-serve station.

The issue we have is that we get constant popups about being unable to check certificate revocation lists. In the S170 web appliance we looked up one of these kiosk terminal IP addresses and sure enough we see a lot of CRL-type sites from MANY companies blocked due to web category - restricted internet. Is there an easy way to just allow all CRL checks through the Ironport WSA appliance?

Accepted Solutions

Handy Putra
Cisco Employee

If you have the HTTPS proxy enabled, there is a section called OCSP (Online Certificate Status Protocol) that has an option to either drop, decrypt or monitor for Revoked Certificate as the OCSP result.

Another way to allow all CRLs is to create a custom URL category with a regular expression of \.crl$ and set it to allow and bypass authentication (in case you are having issues with authentication requests from the WSA).

Wow thanks, and I was unaware of the use of regular expressions in URL categories!
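
An added example (not part of the original thread or of Cisco's documentation) that runs the answer's \.crl$ pattern over constructed URLs to show which revocation fetches the category would cover and which would stay blocked. Python's `re` module stands in for the WSA's regex matching, which is an assumption, and the hostnames and the `approved_hosts` set are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Pattern from the accepted answer. Python's re is a stand-in here; the WSA's
# regex engine and the exact string it matches against are assumptions.
CRL_PATTERN = re.compile(r"\.crl$")

# Constructed sample URLs, as they might be collected from the blocked
# requests of one kiosk. All hostnames are placeholders.
SAMPLE_URLS = [
    "http://crl.ca-one.example/root.crl",
    "http://pki.ca-two.example/crls/issuing-ca.crl",
    "http://crl.ca-one.example/root.CRL",              # upper-case extension
    "http://crl.ca-three.example/latest.crl?delta=1",  # query string after .crl
    "http://ocsp.ca-one.example/",                     # OCSP, not a CRL file
    "http://files.unrelated.example/download/archive.crl",
]


def classify(url, approved_hosts=frozenset()):
    """Return how the custom category would treat one URL.

    'still-blocked'           -> pattern does not match, request stays blocked
    'allowed'                 -> pattern matches (and host is approved, if a
                                 list of approved hosts was supplied)
    'allowed-unreviewed-host' -> pattern matches, host is not in the list
    """
    if not CRL_PATTERN.search(url):
        return "still-blocked"
    host = urlsplit(url).hostname or ""
    if approved_hosts and host not in approved_hosts:
        return "allowed-unreviewed-host"
    return "allowed"


def audit(urls, approved_hosts=frozenset()):
    """Group URLs by classification so the rule's coverage can be reviewed."""
    result = {}
    for url in urls:
        result.setdefault(classify(url, approved_hosts), []).append(url)
    return result


if __name__ == "__main__":
    known_ca_hosts = {"crl.ca-one.example", "pki.ca-two.example"}  # hypothetical
    for verdict, matched in audit(SAMPLE_URLS, known_ca_hosts).items():
        print(verdict)
        for u in matched:
            print("   ", u)
```

Under these assumptions the pattern is case-sensitive and anchored to the end of the URL, so OCSP requests and CRL URLs that carry a query string are not covered, while any host serving a path ending in .crl is.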