10-24-2002 09:27 AM - edited 02-20-2020 10:19 PM
We are adding certificates to a Cisco Pix 515 with V6.2(2) of the Pix software; the CA we are using is SmartTrust v3.5.10 with WebRA (including the SmartTrust SCEP servlet). Enrollment of the certificate from the SCEP solution works fine, but the Pix can't retrieve the CRL.
The CRL is stored in a Netscape LDAP directory, and the CRL Distribution Point (in short CDP) in the certificate is set to point to the location in the LDAP directory.
We are using the same solution for a Cisco Router 17xx with Cisco IOS v12.2(8)T, which retrieves the CRL from the LDAP directly without problems (using the CDP).
The different LDAP CDPs we have tried are:
ldap://hostname:389/cn=XXX%20CA-02,%20o=Customer%20Networks?certificateRevocationlist?base?objectclass=eidCertificationAuthority
ldap://10.1.1.1:389/cn=XXX%20CA-02,%20o=Customer%20Networks?certificateRevocationlist?base?objectclass=eidCertificationAuthority
Our configuration is:
hostname xxx
domain-name yyy.dk
name 10.1.1.1 vpnca
ca generate rsa key 1024
ca identity vpncaid vpnca:/cgi-bin
ca configure vpncaid ra 1 20 crloptional
ca authenticate vpncaid
ca enrollment vpncaid abcdef
ca save all
The scep address (host:/cgi-bin) is because SmartTrust's implementation of the scep protocol is a java servlet where scep is called as http://host/cgi-bin/pkiclient.exe, and since the scep protocol automatically adds the pkiclient.exe it is not allowed to add this to the configuration (in the Pix, it would actually result in a call to http://host/cgi-bin//pkiclient.exe, which would not work!).
The above configuration works fine, but when we request the CRL the Pix will call the scep implementation for the CRL (and in our configuration this will not work, since our CRL will not be requested correctly, because of our configuration and the way the SmartTrust SCEP implementation works), so we would like the Pix to fetch the CRL directly from the LDAP directory.
We found that the "ca identity vpncaid" command had the possibility to add the IP address of the LDAP server, but as soon as we add an IP address here, the Pix doesn't request anything at all when we request the CRL (using the "ca crl request vpncaid" command) - we used the cool new sniffer in the Pix 6.2 and this didn't register any traffic at all, neither to the SCEP server nor to the LDAP directory, so my question is: can the Pix request the CRL directly from the LDAP directory, or does it have to use the SCEP server?
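The two CDP URLs in the post follow the LDAP URL layout from RFC 4516 (host:port / percent-encoded DN ? attributes ? scope ? filter). When a device silently refuses to fetch a CRL, the first thing to verify is that the CDP actually parses to the DN, attribute and scope you expect, and that the same query works from another host. The parser below is an added example written for this thread; it is not code from the original post, from Cisco or from SmartTrust. It uses only the Python standard library, embeds the two URLs from the post as constructed sample input, and builds an OpenLDAP ldapsearch command line (assumed to be the tool used for the cross-check) from the parsed fields.

```python
"""Parse LDAP CRL Distribution Point (CDP) URLs and build a cross-check query.

RFC 4516 layout:  ldap://host:port/DN?attributes?scope?filter?extensions
Every component after the host is percent-encoded; the DN is decoded before use.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample input: the two CDPs quoted in the post above.
EXAMPLE_CDPS = [
    "ldap://hostname:389/cn=XXX%20CA-02,%20o=Customer%20Networks"
    "?certificateRevocationlist?base?objectclass=eidCertificationAuthority",
    "ldap://10.1.1.1:389/cn=XXX%20CA-02,%20o=Customer%20Networks"
    "?certificateRevocationlist?base?objectclass=eidCertificationAuthority",
]

LDAP_DEFAULT_PORT = 389
VALID_SCOPES = {"base", "one", "sub"}


@dataclass
class LdapCdp:
    host: str
    port: int
    dn: str                                   # decoded distinguished name
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"                       # RFC 4516 default when absent
    filter: Optional[str] = None              # None means "(objectClass=*)"


def parse_ldap_cdp(url: str) -> LdapCdp:
    """Split an LDAP URL into its RFC 4516 components."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        raise ValueError(f"not an ldap:// URL: {url}")
    host = parts.hostname or ""
    port = parts.port or LDAP_DEFAULT_PORT
    dn = unquote(parts.path.lstrip("/"))
    # urlsplit stops the path at the first '?'; the remaining '?'-separated
    # fields (attributes, scope, filter, extensions) all land in .query.
    fields = parts.query.split("?") if parts.query else []
    attributes = [a for a in unquote(fields[0]).split(",") if a] if fields else []
    scope = unquote(fields[1]).lower() if len(fields) > 1 and fields[1] else "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown LDAP scope {scope!r} in {url}")
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else None
    return LdapCdp(host, port, dn, attributes, scope, filt)


def is_crl_cdp(cdp: LdapCdp) -> bool:
    """True when the CDP asks for the CRL attribute of exactly one entry.

    LDAP attribute names are case-insensitive, so the lower-case 'l' in
    'certificateRevocationlist' (as in the post) is accepted.
    """
    wants_crl = any(a.lower() == "certificaterevocationlist" for a in cdp.attributes)
    return wants_crl and cdp.scope == "base" and bool(cdp.dn)


def ldapsearch_argv(cdp: LdapCdp) -> List[str]:
    """Build an anonymous-bind ldapsearch command equivalent to the CDP.

    Assumption: OpenLDAP's ldapsearch (-x simple bind, -H URI, -b base,
    -s scope). RFC 4515 filters are parenthesised; the URLs in the post omit
    the parentheses, so they are added here when missing.
    """
    filt = cdp.filter or "(objectClass=*)"
    if not filt.startswith("("):
        filt = f"({filt})"
    return ["ldapsearch", "-x", "-H", f"ldap://{cdp.host}:{cdp.port}",
            "-b", cdp.dn, "-s", cdp.scope, filt, *cdp.attributes]


if __name__ == "__main__":
    for url in EXAMPLE_CDPS:
        cdp = parse_ldap_cdp(url)
        print(cdp, "CRL CDP:", is_crl_cdp(cdp))
        print(" ".join(ldapsearch_argv(cdp)))
```

Running the resulting ldapsearch from a host that can reach the directory confirms whether the CDP itself is sound before the firewall's behaviour is blamed; if the directory answers with a certificateRevocationList attribute, the problem lies in the device's CRL-retrieval path, as the post's sniffer trace suggests.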
10-31-2002 02:01 PM
I don't see any way to configure this without SCEP.