08-11-2011 11:26 PM - edited 03-10-2019 06:18 PM
Hi,
We are using ACS v5.2.0.26.3 for 802.1X certificate-based authentication. Now, when we added CRL functionality to ACS, it fails CRL validation and gives the following error message:
LastErrorMessage=CRL PKI verification failed
Certificate Revocation list Url=http://crl.download.net/XXXX/deviceCA.crl
We have installed the root, device and server certificates from the CA, but for management we are still using a self-signed certificate.
The question is: which certificate is used when validating the downloaded CRL file, the one used for EAP-TLS or the one used for the management interface?
How can I check which certificate the ACS server is using for CRL validation?
/Mikko
08-12-2011 08:57 PM
The CRL is used for the EAP interface, because CRL checking is necessary to determine which users are still valid and which are revoked. So the CRL for management doesn't apply, because the management interface authenticates the user via the local admin database.
With regard to the CRL URL that you added, can you use the IP address that crl.download.net resolves to and try that instead?
Also, if you go with the IP-based URL, type it into your browser and see if the CRL file actually downloads.
Thanks,
Tarik
08-14-2011 10:44 PM
Tarik,
I think there is a small misunderstanding now.
ACS can download the CRL without any problems, but it fails when it tries to validate the contents of the CRL using PKI. My question was (and still is): which certificate's PKI is used for CRL content validation, the one used for EAP-TLS or the one used for management (HTTPS)?
I tried to debug this process, but the only error message related to this problem is one from SSL reporting a PKI failure.
/Mikko
08-15-2011 05:23 AM
Another question:
As ACS is using OpenSSL for CRL validation, does ACS also expect the CRL file to be in PEM format (which is the default for OpenSSL)? In my case the CA is publishing the CRL in DER format, which could cause this problem.
/Mikko
08-15-2011 05:29 AM
P.S. This is the actual error message from OpenSSL:
Crypto,12/08/2011,13:28:11:523,ERROR,3006782368,NIL-CONTEXT,Crypto::Result=48, Crypto.SSL.verifyCRL - CRL verification failed - Alleged Issuer CN=XXX Root CA, CRL-CN=XXX Device CA,SSL.cpp:829
Crypto,12/08/2011,13:28:11:523,ERROR,3006782368,NIL-CONTEXT,Crypto::Result=48, CryptoLib.CSSL.addCRL - verification failed.,SSL.cpp:360
08-15-2011 09:39 PM
I am sure we need this file in PEM format, since OpenSSL is what the ACS uses. Please make the changes to the file and try again.
Thanks,
Tarik
08-15-2011 11:01 PM
Hi,
Converted the DER-formatted CRL file to PEM; still the same error message about PKI validation failure.
Is there a way to check which CA certificate is used for CRL signature validation?
I'm afraid that ACS is using the self-signed certificate tagged for use with the management connection for CRL signature validation, but I need to verify that first before ordering real certificates for all ACS servers.
/Mikko
11-08-2011 12:52 AM
Answering my own question:
1. The CRL is validated against the management certificate.
2. The CRL must be in PEM format.
/Mikko
04-04-2012 04:23 AM
Hi,
Did you get this problem fixed? I am also facing the same situation at the moment and searching for a solution.
Regards
Ajay
04-04-2012 10:44 PM
Hi Ajay,
Yes. As ACS has two certificates, one used for the web GUI and one for authentication (EAP-TLS), I noticed that the management certificate is used for CRL validation, not the one which is used for EAP-TLS.
This is very poorly documented in the ACS manuals, and I hope that Cisco has improved the documentation quality in ISE.
So make sure that the management certificate is granted by the CA generating the CRLs; then it works without problems (the EKU has to contain both server and client authentication key usage).
/Mikko
04-05-2012 01:45 AM
But do we have to configure the CRL URLs somewhere, or should it work automatically?
I am using the same certificate for mgmt & EAP-TLS purposes. I hope that should not cause any problems.
Regards
Ajay
04-06-2012 11:47 AM
Hi Mikko,
How could we verify that ACS 5.3 is checking the CRL while authenticating the clients? Is there any way to check which CRL is present in ACS 5.3 and whether it is being used during authentication?
Anyone using CRLs must be checking this. Please suggest ASAP on this.
Regards
Ajay
04-10-2012 12:40 AM
Hi Ajay,
Answers to both your questions:
1. The CRL is defined in "Users and Identity Stores" -> "Certificate Authorities". As far as I have tested, ACS does not read CRL information from the certificate.
2. You will see a message in the ACS log files if CRL download/processing fails.
3. I tested CRL processing with a dummy test certificate, which I installed on a test PC, and tried to access the network.
/Mikko
04-15-2012 10:43 PM
Hello Mikko,
One question regarding
"So make sure that management certificate is granted from CA generating CRLs"
Does this mean that CRL checking should be enabled for the management certificate/CA? (I cannot see the reason why.)
/Karsten
04-15-2012 10:59 PM
No, I think that I put it the wrong way.
When ACS has downloaded the CRL from the CA (or its front end), it uses the management certificate chain to check the validity of the downloaded CRL file. So if the management certificate and the CRL do not share the same certificate chain, the CRL is ignored and not processed.
CRL checking only needs to be defined for the CA/certificate used for EAP-TLS authentication (but unfortunately it does not use that information for CRL processing; I hope that this functionality is changed in ISE).
/Mikko
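The two findings in this thread (the CRL must be PEM, and it is only accepted when the CA that signed it is in the chain the checker trusts) can be reproduced outside ACS with the same OpenSSL tooling ACS relies on. The script below is an added example, not code from the thread or from Cisco; it builds a throwaway PKI ("Example Root CA", "Example Device CA", a dummy test client, and a separate self-signed management certificate, all made-up names) and then runs the checks that the "CRL PKI verification failed" log line corresponds to:

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco ACS. It rebuilds the
# situation Mikko describes with a throwaway PKI (all names below are made up):
#   Example Root CA -> Example Device CA -> a dummy test client (then revoked)
#   plus a self-signed "management" cert that shares no chain with them.
set -eu

build_test_pki() {   # $1 = empty working directory
    w=$1
    cat > "$w/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = device_ca
[ device_ca ]
database = $w/index.txt
crlnumber = $w/crlnumber
default_md = sha256
default_crl_days = 7
EOF
    c="$w/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$c" \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$w/root.key" -out "$w/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$c" -subj "/CN=Example Device CA" \
        -keyout "$w/device.key" -out "$w/device.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$w/device.csr" -CA "$w/root.crt" -CAkey "$w/root.key" \
        -CAcreateserial -extfile "$c" -extensions v3_ca -out "$w/device.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$c" -subj "/CN=dummy test client" \
        -keyout "$w/client.key" -out "$w/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$w/client.csr" -CA "$w/device.crt" -CAkey "$w/device.key" \
        -CAcreateserial -extfile "$c" -extensions v3_client -out "$w/client.crt" 2>/dev/null
    # Revoke the client and issue the Device CA's CRL. 'openssl ca' only writes
    # PEM, so re-encode to DER to mimic a CA that publishes DER, as Mikko's did.
    : > "$w/index.txt"; echo 01 > "$w/crlnumber"
    openssl ca -config "$c" -keyfile "$w/device.key" -cert "$w/device.crt" \
        -revoke "$w/client.crt" 2>/dev/null
    openssl ca -config "$c" -keyfile "$w/device.key" -cert "$w/device.crt" \
        -gencrl -crldays 7 -out "$w/device.crl.pem" 2>/dev/null
    openssl crl -in "$w/device.crl.pem" -outform DER -out "$w/device.crl.der"
    # Self-signed management cert, like the default ACS HTTPS certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$c" \
        -subj "/CN=acs-mgmt.example" -keyout "$w/mgmt.key" -out "$w/mgmt.crt" 2>/dev/null
    cat "$w/root.crt" "$w/device.crt" > "$w/eap-chain.pem"
}

# Which CA signed the CRL? This is the "CRL-CN=..." field the ACS log printed.
crl_issuer_cn() {            # $1 = CRL file, $2 = DER or PEM
    openssl crl -inform "$2" -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Mikko's second finding: ACS expects PEM, so convert what the CA publishes.
crl_der_to_pem() {           # $1 = DER CRL in, $2 = PEM CRL out
    openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# Mikko's first finding: the CRL only passes when the bundle handed to OpenSSL
# contains the CA that signed it. Prints OK/FAIL rather than trusting the exit
# code, because 'openssl crl' exits 0 on "verify failure" in common builds.
crl_verify_against() {       # $1 = PEM CRL, $2 = CA bundle (PEM)
    if openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
    then echo OK; else echo FAIL; fi
}

# What the EAP-TLS check concludes once the CRL is accepted and consulted.
client_cert_status() {       # $1 = client cert, $2 = CA bundle, $3 = PEM CRL
    out=$(openssl verify -CAfile "$2" -crl_check -CRLfile "$3" "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo VALID ;;
        *)                       echo "ERROR: $out" ;;
    esac
}

pki=$(mktemp -d)
build_test_pki "$pki"
crl="$pki/device.crl.converted.pem"
crl_der_to_pem "$pki/device.crl.der" "$crl"
echo "CRL signed by:        $(crl_issuer_cn "$pki/device.crl.der" DER)"
echo "vs EAP-TLS chain:     $(crl_verify_against "$crl" "$pki/eap-chain.pem")"   # OK
echo "vs Root CA only:      $(crl_verify_against "$crl" "$pki/root.crt")"        # FAIL
echo "vs self-signed mgmt:  $(crl_verify_against "$crl" "$pki/mgmt.crt")"        # FAIL
echo "dummy test client:    $(client_cert_status "$pki/client.crt" "$pki/eap-chain.pem" "$crl")"  # REVOKED
```

Run it with `sh` on any host that has the `openssl` command line. The "vs self-signed mgmt" line is the ACS default that Mikko hit: the CRL is well-formed and already in PEM, yet verification still fails because the bundle being used (the self-signed management certificate) does not contain the Device CA. The "vs Root CA only" line shows the related trap visible in the logged "Alleged Issuer CN=... Root CA, CRL-CN=... Device CA" message: the root alone is not enough, the issuing sub-CA certificate has to be in the chain too. Only the "vs EAP-TLS chain" bundle passes, and only then does the revoked dummy client actually get rejected.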