08-07-2024 05:42 AM - edited 08-07-2024 05:43 AM
Hi.
I am trying to set up a CRL on ASA 9.20 on a Cisco Firepower 1010, but when trying to request the CRL I get "Unable to parse CRL".
I tried PEM and DER, always the same.
debug crypto ca 14 gives:
PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:189
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_policy_query, pki_ossl_policy.c:620
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[12]: do_get_crl, pki_ossl_revocation.c:85
PKI[9]: starting CRL FSM #0
PKI[11]: drive_fsm, pki_ossl_revocation.c:33
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_InitTransaction
PKI[12]: get_cdps, pki_crl_fsm_act.c:202
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_crypto_build_crldp_list, pki_ossl_crl_cache.c:326
PKI[12]: getCrldpOverride, pki_ossl_crl_cache.c:259
PKI[7]: Attempting to find CRL DP override for peer cert: serial number: 1000, subject name: CN=Testlab Intermediate CA,O=Testlab,ST=xxx,C=XX, issuer_name: CN=Testlab Root CA,O=Testlab,L=XXX,ST=xxx,C=XX.
PKI[7]: Processing map rules for DefaultCertificateMap.
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[7]: Processing map DefaultCertificateMap sequence 10...
PKI[7]: Match of subject-name attr field to map PASSED. Peer cert field: o = Testlab, map rule: subject-name attr o eq testlab.
PKI[7]: Peer cert has been authorized by map: DefaultCertificateMap sequence: 10.
PKI[7]: Found CRL DP override match. Override URL: http://testlab.local/intermediate.crl.pem, Override trustpoint: ASDM-OF4
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[7]: Trustpoint: ASDM-OF4, Override URL: http://testlab.local/intermediate.crl.pem, CDP URL Type: 1, allowed: 1
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[13]: add_to_list, pki_ossl_crl_cache.c:197
PKI[13]: add_node_to_list, pki_ossl_crl_cache.c:170
PKI[7]: Processing map rules for DefaultCertificateMap.
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[7]: Processing map DefaultCertificateMap sequence 10...
PKI[7]: Match of subject-name attr field to map PASSED. Peer cert field: o = Testlab, map rule: subject-name attr o eq testlab.
PKI[7]: Peer cert has been authorized by map: DefaultCertificateMap sequence: 10.
PKI[7]: Found CRL DP override match. Override URL: http://testlab.local/intermediate.crl.der, Override trustpoint: ASDM-OF4
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[7]: Trustpoint: ASDM-OF4, Override URL: http://testlab.local/intermediate.crl.der, CDP URL Type: 1, allowed: 1
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[13]: add_to_list, pki_ossl_crl_cache.c:197
PKI[13]: add_node_to_list, pki_ossl_crl_cache.c:170
PKI[7]: cdp: (len=53, type=URI, prot=HTTP) http://testlab.local/intermediate.crl.pem
PKI[7]: cdp: (len=53, type=URI, prot=HTTP) http://testlab.local/intermediate.crl.der
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_InitTransaction, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_NextCDP
PKI[12]: crldl_cdp_blacklisted, pki_ossl_crl.c:831
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: CDP blacklist time has elapsed
PKI[12]: crldp_remove_pending_download, pki_ossl_crl.c:798
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_NextCDP, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Request
PKI[13]: crldp_download_pending, pki_ossl_crl.c:641
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[8]: session 0x10e7a773 adding pending CRL entry for cert 0
PKI[12]: crldp_add_pending_download, pki_ossl_crl.c:660
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[12]: retrieve_crl, pki_crl_fsm_act.c:233
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[7]: CDP type HTTP
PKI[7]: getting http://testlab.local/intermediate.crl.pem
PKI[12]: pki_ossl_crl_build_http_io, pki_ossl_crl.c:469
PKI[13]: pki_parse_uri, pki_ossl_uri.c:75
PKI[14]: pki_uri_map_protocol, pki_ossl_uri.c:17
PKI[14]: pki_uri_get_port, pki_ossl_uri.c:34
PKI[13]: pki_free_uri, pki_ossl_uri.c:57
PKI[11]: pki_crl_request_send_async, pki_ossl_crl.c:78
PKI[8]: [15] IOCB allocated
PKI[7]: PKI CRL I/O request queue result: IO_STATUS_QUEUED
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Request, Return status: 0
PKI[8]: [15] Received IO request msg
PKI[8]: [15] DNS resolve issued for testlab.local
PKI[7]: [15] DNS resolve testlab.local (xxx.xxx.xxx.xxx)
PKI[8]: [15] Socket open success
PKI[8]: [15] IPv4 Route lookup to xxx.xxx.xxx.xxx use interface outside
PKI[8]: [15] Connect sent to xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy
PKI[12]: pki_io_cbfunc_log_revocation_check, pki_ossl_revocation.c:421
PKI[7]: 6717056: Attempting CRL revocation check from outside:yyy.yyy.yyy.yyy/60720 to xxx.xxx.xxx.xxx/80 using HTTP.
PKI[8]: [15] Received Socket transmit ready msg
PKI[10]:
----- Begin Data Type:HTTP Request [15]
Length: 70 -----
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | GET /intermed
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | iate.crl.pem HTT
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | P/1.0..Host: tes
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | tlab.local.
aa aa aa aa aa aa | ......
PKI[10]: ----- End Data Type:HTTP Request [15]
Length: 70 -----
PKI[8]: [15] Sent 70 bytes
PKI[8]: [15] Received Socket read ready msg
PKI[8]: [15] read 480 bytes
PKI[8]: [15] No data to read
PKI[8]: [15] Received Socket read ready msg
PKI[8]: [15] Read EOF
PKI[12]: pki_io_cbfunc, pki_crl_fsm_act.c:59
PKI[7]: Callback received for vcid: 0, sess_id: 0x10e7a773, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 480
PKI[13]: get_fsm_data, pki_ossl_revocation.c:446
PKI[7]: [15] IOCB freed
PKI[13]: CERT_API_QueueFSMEvent, vpn3k_cert_api.c:89
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2509
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2407
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2342
PKI[8]: process msg cmd=2, session=0x10e7a773
PKI[9]: Async locked for session 0x10e7a773
PKI[11]: pki_notify_fsm_evt, pki_ossl_revocation.c:56
PKI[11]: drive_fsm, pki_ossl_revocation.c:33
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_ProcessResp
PKI[13]: pki_ossl_util_find_http_payload, pki_ossl_utils.c:36
PKI[8]: Received CRL of length 238 for session 0x10e7a773, cert idx 0
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_crl_add_to_cache, pki_ossl_crl_cache.c:1166
PKI[12]: pki_ossl_crypto_verify_and_insert_crl, pki_ossl_crl_cache.c:1115
PKI[12]: pki_ossl_insert_der_crl_int, pki_ossl_crl_cache.c:1013
PKI[4]: Unable to parse CRL
PKI[4]: Unable to cache CRL
PKI[4]: Unable to cache CRL
PKI[12]: crldl_notify_result, pki_ossl_crl.c:761
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: crl is being blacklisted
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_ProcessResp, Return status: 2
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_NextCDP
PKI[12]: crldl_cdp_blacklisted, pki_ossl_crl.c:831
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: CDP blacklist time has elapsed
PKI[12]: crldp_remove_pending_download, pki_ossl_crl.c:798
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_NextCDP, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Request
PKI[13]: crldp_download_pending, pki_ossl_crl.c:641
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[8]: session 0x10e7a773 adding pending CRL entry for cert 0
PKI[12]: crldp_add_pending_download, pki_ossl_crl.c:660
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[12]: retrieve_crl, pki_crl_fsm_act.c:233
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[7]: CDP type HTTP
PKI[7]: getting http://testlab.local/intermediate.crl.der
PKI[12]: pki_ossl_crl_build_http_io, pki_ossl_crl.c:469
PKI[13]: pki_parse_uri, pki_ossl_uri.c:75
PKI[14]: pki_uri_map_protocol, pki_ossl_uri.c:17
PKI[14]: pki_uri_get_port, pki_ossl_uri.c:34
PKI[13]: pki_free_uri, pki_ossl_uri.c:57
PKI[11]: pki_crl_request_send_async, pki_ossl_crl.c:78
PKI[8]: [16] IOCB allocated
PKI[7]: PKI CRL I/O request queue result: IO_STATUS_QUEUED
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Request, Return status: 0
PKI[9]: Async unlocked for session 0x10e7a773
PKI[8]: [16] Received IO request msg
PKI[8]: [16] DNS resolve issued for testlab.local
PKI[9]: CERT API thread sleeps!
PKI[8]: No IOCB found for SOCKET CLOSE message, handle 0xbac2d4e
PKI[7]: [16] DNS resolve stlab.local (xxx.xxx.xxx.xxx)
PKI[8]: [16] Socket open success
PKI[8]: [16] IPv4 Route lookup to xxx.xxx.xxx.xxx use interface outside
PKI[8]: [16] Connect sent to xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy
PKI[12]: pki_io_cbfunc_log_revocation_check, pki_ossl_revocation.c:421
PKI[7]: 6717056: Attempting CRL revocation check from outside:yyy.yyy.yyy.yyy/48354 to xxx.xxx.xxx.xxx/80 using HTTP.
PKI[8]: [16] Received Socket transmit ready msg
PKI[10]:
----- Begin Data Type:HTTP Request [16]
Length: 70 -----
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | GET /intermed
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | iate.crl.pem HTT
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | P/1.0..Host: tes
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa | tlab.local.
aa aa aa aa aa aa | ......
PKI[10]: ----- End Data Type:HTTP Request [16]
Length: 70 -----
PKI[8]: [16] Sent 70 bytes
PKI[8]: [16] Received Socket read ready msg
PKI[8]: [16] read 480 bytes
PKI[8]: [16] No data to read
PKI[8]: [16] Received Socket read ready msg
PKI[8]: [16] Read EOF
PKI[12]: pki_io_cbfunc, pki_crl_fsm_act.c:59
PKI[7]: Callback received for vcid: 0, sess_id: 0x10e7a773, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 480
PKI[13]: get_fsm_data, pki_ossl_revocation.c:446
PKI[7]: [16] IOCB freed
PKI[13]: CERT_API_QueueFSMEvent, vpn3k_cert_api.c:89
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2509
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2407
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2342
PKI[8]: process msg cmd=2, session=0x10e7a773
PKI[9]: Async locked for session 0x10e7a773
PKI[11]: pki_notify_fsm_evt, pki_ossl_revocation.c:56
PKI[11]: drive_fsm, pki_ossl_revocation.c:33
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_ProcessResp
PKI[13]: pki_ossl_util_find_http_payload, pki_ossl_utils.c:36
PKI[8]: Received CRL of length 238 for session 0x10e7a773, cert idx 0
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_crl_add_to_cache, pki_ossl_crl_cache.c:1166
PKI[12]: pki_ossl_crypto_verify_and_insert_crl, pki_ossl_crl_cache.c:1115
PKI[12]: pki_ossl_insert_der_crl_int, pki_ossl_crl_cache.c:1013
PKI[4]: Unable to parse CRL
PKI[4]: Unable to cache CRL
PKI[4]: Unable to cache CRL
PKI[12]: crldl_notify_result, pki_ossl_crl.c:761
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: crl is being blacklisted
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_ProcessResp, Return status: 2
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_NextCDP
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_NextCDP, Return status: 1
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Error
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Error, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Callback
PKI[7]: session 283617139 and cert_idx 0 rev_status 7
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Callback, Return status: 0
PKI[9]: Async unlocked for session 0x10e7a773
PKI[9]: CRL download status 7
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:250
PKI[13]: free_fsm_data, pki_ossl_revocation.c:225
PKI[13]: ocsp_free_fsmdata, pki_ossl_ocsp.c:1447
PKI[9]: CERT API thread sleeps!
PKI[8]: No IOCB found for SOCKET CLOSE message, handle 0x1176caa
My local CA is set up according to this guide: https://jamielinux.com/docs/openssl-certificate-authority/certificate-revocation-lists.html
What can I do to make it work?
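Reading the trace above: each fetch reads 480 bytes from the socket, the fetcher strips the HTTP headers (pki_ossl_util_find_http_payload) and hands a 238-byte body to the DER CRL insert routine (pki_ossl_insert_der_crl_int), which rejects it, and both the .pem and the .der URL produce exactly the same 480/238 byte sizes. Before touching the firewall, the check worth doing is to fetch each CDP URL with curl and look at what the web server actually returned: a PEM or DER CertificateList, or something else such as an error page. The script below is an added example, not Cisco code and not part of the original post; it does that triage offline. The "Testlab" issuer name is reused from the trace, the sample CRL is built in the script with a dummy signature (no CA involved), and the 404 body is constructed for the example.

```python
"""Triage what a CDP URL actually served, the way a firewall's CRL fetcher sees it.
Added example: not Cisco code and not from the original post. Every sample input
below is constructed for the example; the sample CRL carries a dummy signature.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)
NAME_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L"}

def der_tlv(buf, off=0):
    """Decode one DER TLV at off -> (tag, value, next offset). Rejects BER-only encodings."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not supported")
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or (n > 1 and length >> (8 * (n - 1)) == 0):
            raise ValueError("non-minimal length (BER, not DER)")
        off += n
    if off + length > len(buf):
        raise ValueError(f"value needs {length} bytes, only {len(buf) - off} left (truncated file?)")
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Decode every TLV packed inside a constructed value."""
    out, off = [], 0
    while off < len(value):
        tag, v, off = der_tlv(value, off)
        out.append((tag, v))
    return out

def decode_time(tag, v):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(v.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def decode_name(v):
    parts = []
    for _, rdn in der_children(v):  # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(f"{NAME_OIDS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def classify_payload(body):
    """Return ('PEM' | 'DER' | 'HTML' | 'unknown', DER bytes or None) for an HTTP body."""
    m = PEM_RE.search(body)
    if m:
        return "PEM", base64.b64decode(b"".join(m.group(1).split()))
    if body[:1] == b"\x30":  # a DER CertificateList starts with a SEQUENCE tag
        return "DER", body
    if re.match(rb"\s*<(!doctype|html)", body, re.I):
        return "HTML", None  # the CDP handed back an error page, not a CRL
    return "unknown", None

def parse_crl(der):
    """Walk CertificateList (RFC 5280 s5.1) far enough to report what an operator checks first."""
    tag, outer, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one top-level SEQUENCE (missing or trailing bytes)")
    (tbs_tag, tbs), (_, sig_alg), (sig_tag, _) = der_children(outer)
    if tbs_tag != 0x30 or sig_tag != 0x03:
        raise ValueError("expected SEQUENCE { tbsCertList, signatureAlgorithm, BIT STRING }")
    fields = der_children(tbs)
    version = fields.pop(0)[1][-1] + 1 if fields[0][0] == 0x02 else 1  # optional INTEGER, 1 means v2
    (_, tbs_alg), (_, issuer), (t_tag, t_val), *rest = fields
    if tbs_alg != sig_alg:
        raise ValueError("tbsCertList.signature differs from signatureAlgorithm")
    info = {"version": version, "issuer": decode_name(issuer),
            "this_update": decode_time(t_tag, t_val), "next_update": None, "revoked": 0}
    if rest and rest[0][0] in (0x17, 0x18):
        info["next_update"] = decode_time(*rest.pop(0))
    if rest and rest[0][0] == 0x30:
        info["revoked"] = len(der_children(rest[0][1]))
    return info

def tlv(tag, content):  # minimal DER encoder, used only to build the constructed sample below
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def _rdn(oid, s):
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, s.encode())))

SAMPLE_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSA
SAMPLE_TBS = tlv(0x30, tlv(0x02, b"\x01") + SAMPLE_ALG
                 + tlv(0x30, _rdn(b"\x55\x04\x0a", "Testlab") + _rdn(b"\x55\x04\x03", "Testlab Intermediate CA"))
                 + tlv(0x17, b"240801000000Z") + tlv(0x17, b"240831000000Z")
                 + tlv(0x30, tlv(0x30, tlv(0x02, b"\x10\x01") + tlv(0x17, b"240815120000Z"))))
SAMPLE_CRL_DER = tlv(0x30, SAMPLE_TBS + SAMPLE_ALG + tlv(0x03, b"\x00" + b"\xaa" * 32))  # dummy signature
SAMPLE_CRL_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL_DER) + b"-----END X509 CRL-----\n"
SAMPLE_404_BODY = b"<html><head><title>404 Not Found</title></head><body>Not Found</body></html>\n"
```

To use it against a real CDP, save the body with `curl -s -o body.bin http://testlab.local/intermediate.crl.der` (and again for the .pem URL), then call `classify_payload(open("body.bin", "rb").read())` and, if it returns DER bytes, `parse_crl(...)` on them. If the classifier says HTML or unknown, the web server, not the firewall, is the problem (wrong path, directory listing, redirect to a login page). If it parses here, `openssl crl -inform DER -in body.bin -noout -text` is the cross-check, and the remaining things to compare against the trace are the issuer (it must be the CA the trustpoint authenticated) and the nextUpdate time. The parser deliberately refuses indefinite and non-minimal lengths, because a CRL written out as BER rather than DER is a quiet way to get a file that some tools accept and a strict DER decoder does not.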
12-16-2024 07:54 PM
I will have to check that guide out. The "how to" of PKI for some of the Cisco stuff is brutal. Cisco usually has the BEST docs, but I stumbled on your post because I came across the same error. I am on day 2 of putting it all together, so I just assumed I had the wrong something somewhere and was about to start all over again.
I am using XCA as my PKI. I had been testing with .der exports and thought it was time to start trying .crl and see if THAT made any difference.
No clue if it was just the thirtieth time I tested, or if I really did "bump" something else, but I have my .der file NAMED ac.crl. I don't know why I tried that, and it worked.
CDP: http://10.240.10.9/crl/ac.crl <- but that was exported from my CA in the XCA program as a .der file. If I put the "ac.crl" I export from XCA, it doesn't work. There is no way that is the answer to your problem, but if it is, I can eat this hat.
Good luck!
12-16-2024 11:22 PM
Thank you for your reply, but I won't be able to test that - Cisco was discarded from the project.