<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PIX ldap/crl problem in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-ldap-crl-problem/m-p/34656#M626539</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don't see any way to configure this without SCEP.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 31 Oct 2002 22:01:03 GMT</pubDate>
    <dc:creator>p.krane</dc:creator>
    <dc:date>2002-10-31T22:01:03Z</dc:date>
    <item>
      <title>PIX ldap/crl problem</title>
      <link>https://community.cisco.com/t5/network-security/pix-ldap-crl-problem/m-p/34655#M626483</link>
      <description>&lt;P&gt;We are adding certificates to a Cisco Pix 515 with V6.2(2) of the Pix software; the CA we are using is SmartTrust v3.5.10 with WebRA (including the SmartTrust SCEP servlet). Enrollment of the certificate from the SCEP solution works fine, but the Pix can't retrieve the CRL.&lt;/P&gt;&lt;P&gt;The CRL is stored in a Netscape LDAP directory, and the CRL Distribution Point (in short, CDP) in the certificate is set to point to the location in the LDAP directory.&lt;/P&gt;&lt;P&gt;We are using the same solution for a Cisco Router 17xx with Cisco IOS v12.2(8)T, which retrieves the CRL from the LDAP directly without problems (using the CDP).&lt;/P&gt;&lt;P&gt;The different LDAP CDPs we have tried are:&lt;/P&gt;&lt;P&gt;ldap://hostname:389/cn=XXX%20CA-02,%20o=Customer%20Networks?certificateRevocationlist?base?objectclass=eidCertificationAuthority&lt;/P&gt;&lt;P&gt;ldap://10.1.1.1:389/cn=XXX%20CA-02,%20o=Customer%20Networks?certificateRevocationlist?base?objectclass=eidCertificationAuthority&lt;/P&gt;&lt;P&gt;Our configuration is:&lt;/P&gt;&lt;P&gt;hostname xxx&lt;/P&gt;&lt;P&gt;domain-name yyy.dk&lt;/P&gt;&lt;P&gt;name 10.1.1.1 vpnca&lt;/P&gt;&lt;P&gt;ca generate rsa key 1024&lt;/P&gt;&lt;P&gt;ca identity vpncaid vpnca:/cgi-bin&lt;/P&gt;&lt;P&gt;ca configure vpncaid ra 1 20 crloptional&lt;/P&gt;&lt;P&gt;ca authenticate vpncaid&lt;/P&gt;&lt;P&gt;ca enrollment vpncaid abcdef&lt;/P&gt;&lt;P&gt;ca save all&lt;/P&gt;&lt;P&gt;The scep address (host:/cgi-bin) is because SmartTrust's implementation of the scep protocol is implemented as a java servlet where the scep is called as &lt;A class="jive-link-custom" href="http://host/cgi-bin/pkiclient.exe" target="_blank"&gt;http://host/cgi-bin/pkiclient.exe&lt;/A&gt;, and since the scep protocol automatically adds the pkiclient.exe it is not allowed to add this to the configuration (in the Pix, it would actually result in a call to &lt;A class="jive-link-custom" href="http://host/cgi-bin//pkiclient.exe" target="_blank"&gt;http://host/cgi-bin//pkiclient.exe&lt;/A&gt;, which would not work!)&lt;/P&gt;&lt;P&gt;The above configuration works fine, but when we request the CRL the Pix will call the scep implementation for the CRL (and in our configuration this will not work, since our CRL will not be requested correctly, because of our configuration and the way the SmartTrust SCEP implementation works), so we would like the Pix to fetch the CRL directly from the LDAP directory.&lt;/P&gt;&lt;P&gt;We found that the "ca identity vpncaid" had the possibility to add the IP address of the LDAP server, but as soon as we add an IP address here, the Pix doesn't request anything at all when we request the CRL (using the "ca crl request vpncaid" command) - we used the cool new sniffer in the Pix 6.2 and this didn't register any traffic at all, neither to the SCEP server nor to the LDAP directory, so my question is: can the Pix request the CRL directly from the LDAP directory or does it have to use the SCEP server?&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 06:19:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-ldap-crl-problem/m-p/34655#M626483</guid>
      <dc:creator>jadvoracek</dc:creator>
      <dc:date>2020-02-21T06:19:43Z</dc:date>
    </item>
    <item>
      <title>Re: PIX ldap/crl problem</title>
      <link>https://community.cisco.com/t5/network-security/pix-ldap-crl-problem/m-p/34656#M626539</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don't see any way to configure this without SCEP.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 31 Oct 2002 22:01:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-ldap-crl-problem/m-p/34656#M626539</guid>
      <dc:creator>p.krane</dc:creator>
      <dc:date>2002-10-31T22:01:03Z</dc:date>
    </item>
  </channel>
</rss>