Answer the question
In order to leave comments, you need to log in
S
S
SmartPony2014-10-07 05:56:58
SmartPony, 2014-10-07 05:56:58
How to get PKI to work with CRL on Cisco?
I can never win. It would seem the simplest config, but it does not work in an absolutely clean lab. Without CRL, everything is fine, but as soon as I turn on the CRL check, it gives 404 in the debug on the client when trying to pick up the CRL and, accordingly, nothing plows.
Server
ip http server
ip http port 8080
ntp master
crypto key generate rsa general-keys label MAIN-CA modulus 1024 exportable
crypto pki server MAIN-CA
database url nvram:
issuer-name CN=MAIN-CA.lab.local L=LOC C=RU
lifetime ca-certificate 365
lifetime certificate 365
lifetime crl 1
cdp-url http://198.0.0.1:8080/main-ca.crl
no shutdownCustomer
ntp server 198.0.0.1
crypto key generate rsa general-keys label CLIENT-CA modulus 1024
crypto pki trustpoint CLIENT-CA
enrollment url http://198.0.0.1:8080
revocation-check crl
rsakeypair CLIENT-CA
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CAOn the server
crypto pki server MAIN-CA grant allAND on the client
crypto pki crl request CLIENT-CAAnd everything, further 404 in debug crypto pki transactions logs.
Share the config you use so you can just copy-paste.
1 answer(s)
@RMavrichev
R
RMavrichev, 2016-02-24 @RMavrichev
It is treated by setting the correct cdp-url, according to this document: www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn...
In short, something like this:
crypto pki server MAIN-CA
!!! add Ctrl-v before "?"
cdp-url http://198.0.0.1:8080/cgi-bin/pkiclient.exe?operation=GetCRL
Similar questions
A
A
C
csergey2014-08-08 15:40:11
Do I need to set a remote network route in IP SEC CISCO Site-to-Site?
1Reply
S
P
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question