Require Valid Audit Log Server Certificates

The system supports validating audit log server certificates using imported CRLs in Distinguished Encoding Rules (DER) format.

Note

If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both audit log server certificates and certificates used to secure the HTTP connection between an appliance and a web browser.

Important

You cannot perform this procedure on the standby Cisco Defense Orchestrator in a high availability pair.

Before you begin

  • Understand the ramifications of requiring mutual authentication and of using certificate revocation lists (CRLs) to ensure that certificates are still valid.

  • Obtain and import the client certificate following the steps in Securely Stream Audit Logs and the topics referenced in that procedure.

Procedure


Step 1

On the CDO, choose System (system gear icon) > Configuration.

Step 2

Click Audit Log Certificate.

Step 3

To use Transport Layer Security to securely stream the audit log to an external server, choose Enable TLS.

Step 4

If you want to accept server certificates without verification (not recommended):

  1. Deselect Enable Mutual Authentication.

  2. Click Save and skip the remainder of this procedure.

Step 5

To verify the certificate of the audit log server, choose Enable Mutual Authentication.

Step 6

(If you enabled mutual authentication) To automatically recognize certificates that are no longer valid:

  1. Select Enable Fetching of CRL.

    Note

    Enabling fetching of the CRL creates a scheduled task to regularly update the CRL or CRLs.

  2. Enter a valid URL to an existing CRL file and click Add CRL.

    Repeat to add up to 25 CRLs.

  3. Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.

Step 7

Verify that you have a valid server certificate generated by the same certificate authority that created the client certificate.

Step 8

Click Save.
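The checks that the appliance performs once Enable Mutual Authentication and Enable Fetching of CRL are on (the server certificate must chain to the trusted CA and must not appear on a current CRL) can be reproduced with openssl. The following script is an added example and is not part of the Cisco documentation or product: it builds a throwaway CA, issues a server and a client certificate from that same CA (the condition checked in Step 7), signs a CRL and exports it in the DER format the appliance imports, then validates the server certificate against the CA and CRL before and after revoking it. The CA name, host names, file names and the minimal `openssl ca` configuration are all constructed for this example.

```shell
#!/bin/sh
# Added example, not Cisco documentation or product code. It reproduces with
# openssl the checks an appliance makes when mutual authentication and CRL
# fetching are enabled: the audit log server certificate must chain to the
# trusted CA and must not be listed on the CA's CRL. Every name, file name
# and configuration value below is constructed for this example.

# Build a throwaway CA, a server certificate and a client certificate signed by
# that same CA, plus the small database that `openssl ca` needs to sign CRLs.
# Prints the working directory.
setup_pki() {
    dir=$(mktemp -d)
    (
        cd "$dir" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=Example Audit CA" -keyout ca.key -out ca.pem
        for name in server client; do
            openssl req -newkey rsa:2048 -nodes -sha256 \
                -subj "/CN=$name.example.test" -keyout "$name.key" -out "$name.csr"
            openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
                -CAcreateserial -days 30 -sha256 -out "$name.pem"
        done
        touch index.txt          # certificate database, empty to start
        echo 01 > crlnumber      # next CRL number
        printf '%s\n' '[ ca ]' 'default_ca = audit_ca' '[ audit_ca ]' \
            'database = index.txt' 'crlnumber = crlnumber' \
            'certificate = ca.pem' 'private_key = ca.key' \
            'default_md = sha256' 'default_crl_days = 7' > ca.cnf
    ) >/dev/null 2>&1 || return 1
    issue_crl "$dir"
    echo "$dir"
}

# Sign a fresh CRL and export it in DER format, the encoding the appliance imports.
issue_crl() {
    (
        cd "$1" || exit 1
        openssl ca -config ca.cnf -gencrl -out crl.pem
        openssl crl -in crl.pem -outform DER -out crl.der
    ) >/dev/null 2>&1
}

# Revoke the server certificate at the CA and publish a new CRL that lists it.
revoke_server() {
    ( cd "$1" && openssl ca -config ca.cnf -revoke server.pem ) >/dev/null 2>&1
    issue_crl "$1"
}

# Step 7 of the procedure: the server certificate must come from the same CA
# that issued the client certificate. Succeeds when the issuers match.
same_issuer() {
    s=$(openssl x509 -in "$1/server.pem" -noout -issuer)
    c=$(openssl x509 -in "$1/client.pem" -noout -issuer)
    [ "$s" = "$c" ]
}

# Validate the server certificate against the CA with revocation checking
# against the DER CRL. Prints "valid", "revoked" or "invalid".
verify_server() {
    dir=$1
    # openssl verify reads CRLs as PEM, so convert the DER copy first
    openssl crl -inform DER -in "$dir/crl.der" -out "$dir/crl.check.pem" 2>/dev/null
    if out=$(openssl verify -crl_check -CAfile "$dir/ca.pem" \
            -CRLfile "$dir/crl.check.pem" "$dir/server.pem" 2>&1); then
        echo valid
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo invalid ;;
        esac
    fi
}

# Inspect a DER CRL the way you would before adding its URL in Step 6:
# who issued it and the window in which the appliance will treat it as current.
show_crl() {
    openssl crl -inform DER -in "$1/crl.der" -noout -issuer -lastupdate -nextupdate
}

if [ "${1:-}" = "demo" ]; then
    d=$(setup_pki)
    show_crl "$d"
    same_issuer "$d" && echo "server and client certificates share an issuer"
    echo "before revocation: $(verify_server "$d")"
    revoke_server "$d"
    echo "after revocation:  $(verify_server "$d")"
fi
```

Run the script with the argument demo to print the CRL's issuer and validity window, confirm that the server and client certificates share an issuer, and see the verification result change from valid to revoked once the CA publishes a CRL that lists the server certificate. The nextUpdate field printed by show_crl is the reason the procedure schedules CRL refreshes: a CRL that has passed its nextUpdate is no longer current and verification fails.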


What to do next

(Optional) Set the frequency of CRL updates. See Configuring Certificate Revocation List Downloads.