Cisco 4710 ver A3(2.2) SSL termination with Client Authentication

Hi All,

Is there anyone who has configured SSL termination with client authentication on the Cisco 4710 ACE platform? I have seen the link below to figure out that it is possible in the ACE module, but what about the ACE appliance?

Could anyone please let me know how to enable that feature on the ACE 4710? Is this possible?

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1061884

I already have SSL offloading working on it, but now I am going to implement a new VIP on it, and for this purpose I would need help on how to configure it. Can anyone suggest something here?

Thanks for your help in advance.

Regds,

Farhan

7 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Farhan,

Yes, it's also possible to have client authentication working on the ACE appliance.

The configuration is basically the same as in the module, but, for more details, please refer to http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html#wp1117637

Best regards

Daniel

Thanks Daniel for this. Actually I also had got the PDF for SSL termination, but it didn't contain the required information; now from the link you gave, it has the required configuration.

Thanks for your help.

Regds,

Farhan

Hi there,

Does anyone know the right procedure to enable the CRL in a one-armed mode configuration? I don't have any DNS server to resolve the web server name where the CRL is kept.

Though I can define http://x.x.x.x/crl.crl, it's not working.

Could anyone help, please.

Regds,

Farhan

Could you please provide the configuration you applied to make the ACE download the CRL?

What does the output to the "show crypto crl detail" command tell you?

FYI, you may want to consider upgrading from A3(2.2) to get the fix for:

"CSCsy01905—Some SSL connections may continue to be accepted in the ACE even though the reference CRL, against which the revocation check is to be performed, has been removed. When the signature verification for the CRL fails, the CRL is removed from the ACE because it is considered untrusted. There may be some connections that have been accepted in the ACE prior to enabling signature verification of CRL. The fresh SSL connections with those client certificates continue to be accepted even though the reference CRL against which the revocation checks were performed have been removed as a result of a signature verification failure. "

It was first fixed in A3(2.3). There is also an outstanding defect that is not fixed in the A3 train, but has a workaround. It is however fixed in the new A4 train:

"CSCta74000—The ACE may fail to download a certificate revocation list (CRL). In some cases, the CRL fails to download when it is reapplied to the SSL proxy that is being used in certain VIPs if the previous applications to the SSL proxy had failed to download the same CRL at the point when the CRL server was down. When this situation occurs, the ACE stops downloading the CRL. Workaround: Unconfigure and then reconfigure the CRL again. "

Hi there, thanks for your help. I upgraded the version to 3.2.6 and it's working as expected. However, one more question arises here: to refresh the CRL entry from the server after a certain interval, like it happens in CSS, where you can configure the interval like:

ssl crl-record crl <crl name> time

Is that possible in ACE 4710?

Regds,

Farhan

Any info about the CRL loading timeliness on ACE? Anyone?

Regds,

Farhan

Hello Farhan,

here:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html#wp1173455

the events that produce a CRL download are discussed; basically, it is governed by the "Next Update" field present in the CRL itself (on the next client authentication occurring after the last Next Update date has been reached).

Hope it helps,

Francesco
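As an added illustration of the Next Update rule Francesco describes (this is example code written for this page, not from the thread, from Cisco, or from the ACE guide): a small standard-library Python script that reads thisUpdate and nextUpdate from a DER-encoded X.509 CRL, such as one fetched from the http://x.x.x.x/crl.crl URL discussed above, and reports whether a client authentication at a given time would fall past Next Update and so trigger a re-download under that rule. The CRL bytes are constructed inside the script (an unsigned CRL for a made-up issuer "Test CA") so it runs offline; the names sample_crl, crl_validity and needs_refresh are this example's own, and the script only mirrors the rule the linked guide states rather than the ACE's implementation.

```python
"""Read thisUpdate / nextUpdate from a DER CRL (RFC 5280 CertificateList) and
decide whether a cached copy is stale under a "refresh on the next client
authentication after Next Update" rule.  Standard library only; a tiny DER
walker is enough because only the leading fields of TBSCertList are needed."""
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = {UTC_TIME: "%y%m%d%H%M%SZ", GENERALIZED_TIME: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, p, _ = _tlv(der, 0)                 # CertificateList SEQUENCE
    _, p, _ = _tlv(der, p)                 # tbsCertList SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0x02:                        # optional version INTEGER
        p = end
    _, _, p = _tlv(der, p)                 # signature AlgorithmIdentifier (skipped)
    _, _, p = _tlv(der, p)                 # issuer Name (skipped)
    tag, s, e = _tlv(der, p)               # thisUpdate Time
    this_update = _parse_time(tag, der[s:e])
    tag, s, e = _tlv(der, e)               # nextUpdate Time OPTIONAL
    next_update = _parse_time(tag, der[s:e]) if tag in (UTC_TIME, GENERALIZED_TIME) else None
    return this_update, next_update


def needs_refresh(der, auth_time_iso):
    """True if a client authentication at the given ISO-8601 time (with UTC
    offset) happens once Next Update has been reached, or the CRL has none."""
    _, next_update = crl_validity(der)
    return next_update is None or datetime.fromisoformat(auth_time_iso) >= next_update


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed sample (not a real CA's CRL and not actually signed):
# issuer CN=Test CA, one-week window, no revoked entries.
SAMPLE_THIS_UPDATE = datetime(2010, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_NEXT_UPDATE = datetime(2010, 6, 8, 12, 0, 0, tzinfo=timezone.utc)


def sample_crl():
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Test CA"))))
    utc = lambda d: _der(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(SAMPLE_THIS_UPDATE) + utc(SAMPLE_NEXT_UPDATE))
    fake_sig = _der(0x03, b"\x00" + bytes(16))     # placeholder BIT STRING, not a real signature
    return _der(0x30, tbs + alg + fake_sig)


if __name__ == "__main__":
    crl = sample_crl()
    this_u, next_u = crl_validity(crl)
    print("thisUpdate:", this_u, " nextUpdate:", next_u)
    for when in ("2010-06-05T09:00:00+00:00", "2010-06-09T09:00:00+00:00"):
        print(when, "-> re-download" if needs_refresh(crl, when) else "-> cached CRL still current")
```

To run it against a real CRL, replace sample_crl() with the bytes read from the downloaded file; the script does not verify the CRL signature, so it tells you when a refresh is due, not whether the CRL is trustworthy.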