12-03-2002 03:39 AM - edited 02-20-2020 10:24 PM
Hi!
Long ago, in 1999, somebody pointed out that "selling routers with no CRL
support is like selling a car with no brakes".
Has it been changed since 1999? What do we have now?
We are still waiting for good documentation from Cisco, waiting for support
(CCIEs here have no idea of how it works, right?) and still have a lot
of trouble.
Questions:
1. Why is "crl best-effort" (under trustpoint config) not documented? What does
this command do?
2. What is the default for IOS routers: "crl query ldap://", "crl optional",
"crl best-effort" or what? What algorithm is used to retrieve CRLs?
3. What does "crl query ldap://..." really do? Is it used only when the X.509v3 CDP
extension is not present in the certificate? If yes, why is "crl query http://..."
not accepted by IOS? (We don't run AD, we run a standalone MS CA.)
4. The most important: what config command should I use to make the router
automatically download the most current CRL every time a tunnel is
established? I want to check CRLs online. I don't want to wait until the NextUpdate
date is reached (i.e. 7 days - the default publishing interval + 10% for MS CA).
"crypto ca crl request ca_name" or rebooting the router are not an option.
IOS 12.2(11)T
Regards,
Oleg Tipisov, CCSI,
Moscow
12-03-2002 07:54 AM
Oleg,
1. Good question.
2. The default is crl, which means that it's required. I do believe it uses SCEP to obtain your CRLs.
3. The ldap command is used to tell the router where to query for the CRL if the location is not in the certificate. In order to do CRL checking with Microsoft, AD is required to be installed, whether locally or on another box. If it's local, then the CRL location will be in the certificate. If it's not, you will need to specify in the router where the CRL is contained using the ldap command.
4. Not going to happen. If the router thinks it has the most current CRL, then there is no reason to go check until that CRL has expired. Even if you force the router to go check for a new CRL, until the Microsoft server publishes a new CRL, it will always get the same CRL, because Microsoft is in charge of that distribution. You can change the default on the server from 7 days to a shorter interval, say 1 hour. You can also force the server to publish a new CRL without changing the interval. At that point you can then request the new CRL on the router with your ca crl request ca_name. In other words, it's not a Cisco configuration issue that you can change.
Kurtis Durrett
12-03-2002 08:41 AM
Thank you for the reply.
1. Yes :)
2. Agreed
3. It seems that AD is *not* required. CRLs work with SCEP over HTTP:
sh cry ca cert
CRL Distribution Point:
http://caserver.red.ru/CertEnroll/REDCA.crl
sh cry ca crls
CRL Issuer Name:
CN = REDCA, OU = Training, O = REDCENTER, L = Moscow, C = RU
LastUpdate: 15:46:23 UTC Dec 3 2002
NextUpdate: 04:06:23 UTC Dec 11 2002
Retrieved from CRL Distribution Point:
http://caserver.red.ru/CertEnroll/REDCA.crl
4.
4.1. "crypto ca crl request" doesn't work. The CRL is loaded, but when the tunnel
is cleared and then reestablished it is not used. The only PKI message I see
is:
Dec 3 15:57:47.001: CRYPTO_PKI: Trust-Point myca picked up
The peer's cert has been revoked and the CRL published, but the tunnel is
reestablished successfully. Probably the old CRL is cached somewhere?
Upon rebooting the router and setting the clock everything is ok:
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 172.16.1.1 is bad:
certificate invalid
4.2. It is a Cisco config issue. An option to check the CRL online is clearly needed.
Otherwise we're driving a car with no brakes.
How and when the CA publishes the CRL depends on the CA software and policy and
should not be discussed here.
Regards,
Oleg Tipisov, CCSI,
Moscow
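The behaviour argued over in points 4, 4.1 and 4.2 above (a downloaded CRL is reused until its NextUpdate, so a peer revoked after the last download is still accepted; a forced download or an expired cache picks the revocation up; and a required check rejects the peer when the CDP cannot be reached) is easy to lose track of in prose. The following Python model is an added illustration, not IOS code or anything from the thread: the CA, the CDP URL, the certificate serial and the CRL contents are constructed samples, the `crl_request` method is only the modelled equivalent of `crypto ca crl request`, and mapping `required=True/False` onto the IOS `crl` and `crl optional` keywords is an assumption. It implements the intended behaviour Kurtis describes; Oleg's 4.1 reports that 12.2(11)T did not behave this way after a forced request.

```python
"""Model of an IKE peer certificate check against a cached CRL.

Added illustration in Python, not Cisco IOS code. CRLs, certificates,
the CA and the CDP URL are constructed samples; the required/optional
flag is an assumed mapping of the IOS 'crl' and 'crl optional' keywords.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional, Set


@dataclass
class Crl:
    issuer: str
    last_update: datetime
    next_update: datetime
    revoked_serials: Set[int]


@dataclass
class Certificate:
    issuer: str
    serial: int
    cdp: str  # X.509v3 CRL Distribution Point URL


class CrlFetchError(Exception):
    """Raised when the CDP cannot be retrieved (HTTP/LDAP failure)."""


class Trustpoint:
    """One CRL cached per CDP and kept until its NextUpdate has passed."""

    def __init__(self, fetch: Callable[[str], Crl], required: bool = True):
        self.fetch = fetch        # simulated retrieval from the CDP
        self.required = required  # True ~ 'crl' (default), False ~ 'crl optional' (assumed)
        self.cache: Dict[str, Crl] = {}

    def crl_request(self, cdp: str) -> Crl:
        """Unconditional download, the modelled equivalent of 'crypto ca crl request'."""
        crl = self.fetch(cdp)
        self.cache[cdp] = crl
        return crl

    def current_crl(self, cdp: str, now: datetime) -> Optional[Crl]:
        cached = self.cache.get(cdp)
        if cached is not None and now < cached.next_update:
            return cached  # considered fresh: no download, whatever the CA published since
        try:
            return self.crl_request(cdp)
        except CrlFetchError:
            return None

    def validate(self, cert: Certificate, now: datetime) -> str:
        crl = self.current_crl(cert.cdp, now)
        if crl is None:
            return "rejected: CRL unavailable" if self.required else "accepted: CRL optional"
        if crl.issuer != cert.issuer:
            return "rejected: CRL issuer mismatch"
        if cert.serial in crl.revoked_serials:
            return "rejected: certificate revoked"
        return "accepted"


class FakeCa:
    """Stands in for the CA web server: publishes a CRL valid for 7 days."""

    def __init__(self, issuer: str, published: datetime):
        self.issuer = issuer
        self.published = published
        self.revoked: Set[int] = set()
        self.reachable = True

    def revoke(self, serial: int, now: datetime) -> None:
        self.revoked.add(serial)
        self.published = now  # CA publishes a fresh CRL right away

    def serve(self, url: str) -> Crl:
        if not self.reachable:
            raise CrlFetchError(url)
        return Crl(self.issuer, self.published, self.published + timedelta(days=7), set(self.revoked))


CDP = "http://ca.example.invalid/CertEnroll/CA.crl"  # constructed CDP, not a real host
T0 = datetime(2002, 12, 3, 15, 46, 23)


def scenario(required: bool = True) -> Dict[str, str]:
    """Walk one constructed peer certificate through the states discussed in the thread."""
    ca = FakeCa("CN=CA", published=T0)
    peer = Certificate(issuer="CN=CA", serial=0x1001, cdp=CDP)
    tp = Trustpoint(ca.serve, required=required)
    out: Dict[str, str] = {}
    out["first_tunnel"] = tp.validate(peer, T0)                  # CRL downloaded, serial clean
    ca.revoke(peer.serial, T0 + timedelta(hours=1))               # CA revokes and republishes
    out["after_revocation"] = tp.validate(peer, T0 + timedelta(hours=2))  # cached CRL still fresh
    tp.crl_request(CDP)                                           # operator forces a download
    out["after_crl_request"] = tp.validate(peer, T0 + timedelta(hours=3))
    tp.cache[CDP] = Crl("CN=CA", T0, T0 + timedelta(days=7), set())       # stale pre-revocation CRL
    out["after_next_update"] = tp.validate(peer, T0 + timedelta(days=8))  # cache expired, refetched
    ca.reachable = False
    tp.cache.clear()
    out["cdp_unreachable"] = tp.validate(peer, T0 + timedelta(days=8))
    return out


if __name__ == "__main__":
    for state, verdict in scenario().items():
        print(f"{state:20s} {verdict}")
```

Running the module prints the verdict for each state; the "after_revocation" line is the case Oleg calls a car with no brakes, and shortening the CA's publishing interval only narrows that window, it does not close it, because the router never downloads while the cached copy is inside its NextUpdate.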