SmartPony, 2014-10-07 05:56:58
Cisco

How to get PKI to work with CRL on Cisco?

I just can't get this to work. It seems like the simplest possible config, but it doesn't work even in a completely clean lab. Without CRL everything is fine, but as soon as I turn on CRL checking, the client debug shows a 404 when it tries to fetch the CRL and, accordingly, nothing works.
Server

! HTTP server on port 8080: this is what serves SCEP for the IOS CA
ip http server
ip http port 8080
! this router is the time source for the lab
ntp master

! CA signing key (1024-bit, exportable, as posted)
crypto key generate rsa general-keys label MAIN-CA modulus 1024 exportable

crypto pki server MAIN-CA
 database url nvram:
 issuer-name CN=MAIN-CA.lab.local L=LOC C=RU
 lifetime ca-certificate 365
 lifetime certificate 365
 ! CRL lifetime, in hours
 lifetime crl 1
 ! CDP written into every issued certificate; this is the URL the client gets a 404 on
 cdp-url http://198.0.0.1:8080/main-ca.crl
 no shutdown

Client
! sync time with the CA so certificate and CRL validity windows line up
ntp server 198.0.0.1

crypto key generate rsa general-keys label CLIENT-CA modulus 1024

crypto pki trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 ! require a CRL check; the CRL is fetched from the CDP carried in the certificate
 revocation-check crl
 rsakeypair CLIENT-CA

! fetch and verify the CA certificate, then request a client certificate over SCEP
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CA

On the server
crypto pki server MAIN-CA grant all
And on the client
crypto pki crl request CLIENT-CA
And that's it: from then on it is a 404 in the debug crypto pki transactions output.
Please share a config that you actually use, so it can just be copy-pasted.


1 answer

RMavrichev, 2016-02-24

This is fixed by setting the correct cdp-url, as described in this document: www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn...
In short, something like this:

crypto pki server MAIN-CA
 !!! press Ctrl-V before typing "?", otherwise the IOS CLI treats it as a help request
 cdp-url http://198.0.0.1:8080/cgi-bin/pkiclient.exe?operation=GetCRL
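A complete server and client configuration built around that cdp-url, as an added example that is not the original poster's or the answerer's config. It keeps the lab address 198.0.0.1, port 8080 and the trustpoint names from the post, and assumes 2048-bit keys instead of the post's 1024-bit ones, a client subject-name of CN=client1.lab.local, and the IOS CA default of granting requests manually; everything else follows the post. The point it demonstrates is that the IOS CA hands out its CRL only through the SCEP GetCRL operation, so the CDP embedded in issued certificates has to name that URL rather than a file path under the HTTP server.

```cisco
! ===== Server: IOS certificate server (MAIN-CA) =====
! Added example, not the original post's config; 198.0.0.1/8080 and the names are the post's lab values.
ip http server
ip http port 8080
ntp master
!
! 2048-bit key (assumed; the post used 1024-bit, which is below current minimums).
! Keep "exportable" only if you intend to back the CA key up off-box.
crypto key generate rsa general-keys label MAIN-CA modulus 2048 exportable
!
crypto pki server MAIN-CA
 database url nvram:
 issuer-name CN=MAIN-CA.lab.local L=LOC C=RU
 lifetime ca-certificate 365
 lifetime certificate 365
 ! hours; a short CRL gives fast revocation, but the CDP must then stay reachable
 lifetime crl 1
 ! IOS CA serves its CRL only via SCEP GetCRL, not as a file under the HTTP server,
 ! so the CDP must point here (press Ctrl-V before the "?" when typing this line)
 cdp-url http://198.0.0.1:8080/cgi-bin/pkiclient.exe?operation=GetCRL
 ! requests are granted manually (the default); do not add "grant auto" on a CA
 ! that anything other than the lab clients can reach
 no shutdown
!
! ===== Client =====
ntp server 198.0.0.1
!
crypto key generate rsa general-keys label CLIENT-CA modulus 2048
!
crypto pki trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 ! assumed subject for this example
 subject-name CN=client1.lab.local
 ! fail closed: with "crl" alone, a certificate is rejected when no valid CRL can be obtained
 revocation-check crl
 rsakeypair CLIENT-CA
!
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CA
!
! ===== Server: list and grant the pending request ("grant all" as in the post) =====
crypto pki server MAIN-CA info requests
crypto pki server MAIN-CA grant all
!
! ===== Client: confirm the CDP in the issued certificate, then pull and inspect the CRL =====
show crypto pki certificates verbose
crypto pki crl request CLIENT-CA
show crypto pki crls
```

Two caveats worth checking. First, the CDP is an extension written into each certificate at issue time, so any client certificate issued while the old cdp-url was in place still carries the 404 URL and has to be re-enrolled after the change; `show crypto pki certificates verbose` shows the CRL Distribution Points field to confirm. Second, resist the temptation to "fix" a CRL failure with `revocation-check crl none`: that falls back to no check at all whenever the CRL cannot be fetched, so an attacker who can keep the CDP unreachable turns the revocation check off. From a host in the lab you can verify what the CA actually serves with `curl -s 'http://198.0.0.1:8080/cgi-bin/pkiclient.exe?operation=GetCRL' -o main-ca.crl` followed by `openssl crl -inform DER -in main-ca.crl -noout -issuer -lastupdate -nextupdate`; the issuer should match the CA and nextUpdate should be about an hour after lastUpdate given `lifetime crl 1`. Since `ip http server` also exposes the router's web interface on that port, restrict it to the enrolling hosts with `ip http access-class`.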
