257 Views, 2 Helpful, 1 Reply

Cisco ISE CRL

klnnnnng
Level 1

Hello,

I am trying to set up CRL on Cisco ISE 3.2, but facing some issues and didn't find good documentation. I have Root -> Intermediate CA structure and was wondering if ISE can read the CRL URL from the certificate and fetch it automatically or I need to explicitly specify it under Trusted Certificates -> Download CRL -> CRL Distribution List.

If I specify a CRL Distribution URL, for example http://crl.company.com/list.crl, can I address it with the IP address http://10.10.10.13/list.crl, or must it always be the FQDN?

Regards


Accepted Solution

Arne Bier
VIP

Hi @klnnnnng 

I have not dug into this for a while, but when I was debugging the same issue, it seems that ISE is trying to fetch the CRL from the first CDP in the trusted cert, which for Microsoft CA certs tends to be an LDAP URI, which of course will never work. Therefore, if you want to fetch the CRL for a particular Trusted CA, then you must manually specify the HTTP URL in ISE for that CA cert. I used to run a tcpdump on the PAN and then enabled the CRL, and I could see the HTTP request. If you toggle the "Download CRL" checkbox from off to on, it should trigger a download.

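An added example (not from the thread and not Cisco's code) that checks a trusted CA certificate the way the answer describes: it lists the CRL Distribution Points in encoded order, flags the LDAP-first case, and picks out the HTTP URI you would enter by hand under Trusted Certificates -> Download CRL. It assumes the `cryptography` package is installed; the demo CA certificate and the hostnames are constructed test data, not real infrastructure.

```python
# Added example, not from the thread: read a trusted CA certificate's CRL Distribution
# Points in encoded order, flag an LDAP-first CDP (the Microsoft CA case in the answer)
# and pick the HTTP URI to enter manually under Trusted Certificates -> Download CRL.
# Needs the 'cryptography' package; the demo cert and hostnames below are constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def cdp_uris(cert: x509.Certificate) -> list[str]:
    """All URIs from the CRL Distribution Points extension, in the order encoded."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []                      # cert carries no CDP at all
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def ise_crl_plan(cert: x509.Certificate) -> dict:
    """ISE tries the first CDP; if that is LDAP the fetch fails, so supply the HTTP one."""
    uris = cdp_uris(cert)
    first = uris[0] if uris else None
    return {
        "first_cdp": first,
        "first_is_ldap": bool(first and first.lower().startswith("ldap://")),
        # None here means there is no HTTP CDP to configure; the CRL must come from elsewhere
        "manual_http_url": next((u for u in uris if u.lower().startswith("http://")), None),
    }

def make_demo_ca(uris: list[str]) -> x509.Certificate:
    """Self-signed CA cert with the given CDP URIs (constructed test data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Intermediate CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if uris:
        dps = [x509.DistributionPoint([x509.UniformResourceIdentifier(u)], None, None, None)
               for u in uris]
        b = b.add_extension(x509.CRLDistributionPoints(dps), critical=False)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":
    ms_style = make_demo_ca(["ldap://dc1.example.test/CN=Demo%20CA,DC=example,DC=test?certificateRevocationList",
                             "http://crl.example.test/demo.crl"])
    print(ise_crl_plan(ms_style))
```

For a real trust-store entry, load the exported PEM with `x509.load_pem_x509_certificate` and pass it to `ise_crl_plan` instead of the constructed cert.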