How to get PKI to work with CRL on Cisco?
I just can't beat this. It would seem to be the simplest config, but it does not work even in an absolutely clean lab. Without CRL everything is fine, but as soon as I turn on the CRL check, the debug on the client shows a 404 when it tries to fetch the CRL, and accordingly nothing works.
Server
ip http server
ip http port 8080
ntp master
crypto key generate rsa general-keys label MAIN-CA modulus 1024 exportable
crypto pki server MAIN-CA
database url nvram:
issuer-name CN=MAIN-CA.lab.local L=LOC C=RU
lifetime ca-certificate 365
lifetime certificate 365
lifetime crl 1
cdp-url http://198.0.0.1:8080/main-ca.crl
no shutdown
Client
ntp server 198.0.0.1
crypto key generate rsa general-keys label CLIENT-CA modulus 1024
crypto pki trustpoint CLIENT-CA
enrollment url http://198.0.0.1:8080
revocation-check crl
rsakeypair CLIENT-CA
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CA
crypto pki server MAIN-CA grant all
crypto pki crl request CLIENT-CA
It is fixed by setting the correct cdp-url, according to this document: www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn...
In short, something like this:
crypto pki server MAIN-CA
!!! press Ctrl-V before typing "?"
cdp-url http://198.0.0.1:8080/cgi-bin/pkiclient.exe?operation=GetCRL
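An added check (not code from the question or the answer) that a cdp-url really serves a DER CRL before you turn on revocation-check crl, so the client does not hit the 404 described above; the lab_fetch stand-in and the minimal FAKE_CRL bytes are constructed to mimic the IOS CA (static .crl path missing, SCEP GetCRL handler present), and http_get is the real fetcher for use against a live CA.

```python
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen
def der_tlv(buf: bytes, off: int = 0):
    """Return (tag, content_length, header_length) of the DER element at off."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n

def looks_like_der_crl(body: bytes) -> bool:
    """CertificateList is SEQUENCE { tbsCertList SEQUENCE, ... }: check both
    tags and that the outer length covers exactly the whole body."""
    outer = der_tlv(body)
    if outer is None or outer[0] != 0x30 or outer[2] + outer[1] != len(body):
        return False
    inner = der_tlv(body, outer[2])
    return inner is not None and inner[0] == 0x30

def is_ios_scep_getcrl(url: str) -> bool:
    """True when url is the IOS CA's SCEP GetCRL endpoint, as in the answer."""
    u = urlparse(url)
    return (u.path.endswith("/cgi-bin/pkiclient.exe")
            and parse_qs(u.query).get("operation") == ["GetCRL"])

def http_get(url: str):
    """Real fetcher: (status, body); an HTTP error such as 404 becomes a status."""
    try:
        with urlopen(url, timeout=5) as r:
            return r.status, r.read()
    except HTTPError as e:
        return e.code, b""

def check_cdp(url: str, fetch=http_get) -> dict:
    """Report whether a CDP URL is usable for 'revocation-check crl'."""
    status, body = fetch(url)
    return {"url": url, "status": status, "is_scep_getcrl": is_ios_scep_getcrl(url),
            "serves_crl": status == 200 and looks_like_der_crl(body)}

# Constructed stand-in for the lab CA in the question (no network): the static
# .crl path returns 404, the SCEP handler returns a minimal fake DER CRL.
FAKE_CRL = bytes.fromhex("300a30030201013000030100")
def lab_fetch(url: str):
    return (200, FAKE_CRL) if is_ios_scep_getcrl(url) else (404, b"")
```

Run check_cdp on the cdp-url you intend to configure (with the default http_get) and only enable revocation-check crl once serves_crl is True.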