Home » Cisco » 300-209 » Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?
Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for authentication.
Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?
A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP
Correct Answer: D
Explanation/Reference:
Explanation: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
About CRLs
Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocation-check crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data.
The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL.