crl request via ldap on c2611

angelo.vandamme
Level 1

I'm working with certificates on a 2611 router. Everything works great in combination with a CA, except the polling for the revocation list.

My CA publishes the crl to something like:

ldap:///CN=CA-SERVER,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint

In the config of the 2611 router, I have the map 'crypto ca trustpoint CA-SERVER', where I put

crl query ldap://IP ADRES OF CA-SERVER/CN=CA-SERVER,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint

But badly enough, this isn't working. The router doesn't fetch a crl. I think it doesn't even try to make a connection (I don't see ldap traffic on the firewall).

Does anyone know a solution for this problem? Is it maybe possible to fetch the crl over HTTP?

Thanks,

Angelo.

Accepted Solution

gfullage
Cisco Employee

Don't know what version of code you're running, so I'll give you a bit of IOS history.

Prior to IOS 12.1(5) SCEP was used with Microsoft CAs to fetch the CRL. However SCEP is not a very efficient method for fetching CRLs so we added support to fetch CRLs via ldap and http. IOS determines from the Certificate itself how to fetch the CRL using the CDP. In the certificates you show, the CDP is shown via LDAP so the router will try and get it using this method (assuming code is later than 12.1(5)).

However, the problem you are encountering is due to the "strange" format of the ldap URL in the certificates. Microsoft Enterprise CAs embed file specifications in the ldap URL by use of multiple CommonNames (CN='s) and the ?xxx construct. IOS does not like embedding file specifications in URLs at this time.

IOS works fine with CDPs which specify an http URL, or which specify an LDAP URL but not with all the CN stuff. The "query url" in the config is ignored if the certificate contains a CDP with a http:// or ldap:// URL (without all the CN's), however if it contains an LDAP URL in the format you show, then the "query url" command is used. IOS still doesn't understand all the CN's, etc, so specifying a "query url" command with all that is not going to work, as you've seen.

You can change your MS CA server to put a HTTP or LDAP URL directly in the certificate, or make your CRL available on a HTTP server somewhere and then add a "query url" pointing directly to it. Because the router won't understand the LDAP CRL in the cert, it will use the "query url" location you specify and it should work for you.

Hello,

Thank you very much for your answer!

I'm using a c2611 with the c2600--ik9o3s3-mz.123-9.bin version but in the config I can't enter a query url. When I put something like 'crl query http://xxx' under the 'crypto ca trustpoint CA_server' map, I always get the error message 'url must begin with ldap://'.

How can I configure a query url? My CA is also publishing its crl to a http location, so in the certificate there is a ldap and http location mentioned, but still it doesn't work.

I hope you can help me out.

Thanks a lot,

Angelo

Ok, everything is working now!

I needed to take care about the DNS name. The certificate gave the right url with a DNS name, but the router didn't know the DNS name.

So, everything is going smoothly now, with the http fetch.

Thanks, your hints were very helpful!
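As an added illustration (not code from this thread, from Cisco or from any IOS release), the Python below pulls apart the two CDP formats discussed in the accepted answer and applies the selection rule gfullage describes: an http:// entry, or an ldap:// entry without the embedded file specification, is used directly and the query url is ignored; the Microsoft-style ldap:/// URL with stacked CN= components and the ?attribute?scope?filter chain is treated as unusable, and a configured query url is used only in that case (and only when it does not carry the same format). It also covers the failure mode from the last post, a CDP host name the device cannot resolve, through a resolver you can inject for offline checks. The sample CDP URIs, host names and the query url are constructed for this example and do not come from the thread.

```python
import socket
from urllib.parse import urlsplit, unquote

# Constructed sample CDP URIs modelled on the thread (no real hosts or CAs).
SAMPLE_CDP_URIS = [
    "ldap:///CN=CA-SERVER,CN=servername,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "http://ca.subdomain.domain.int/CertEnroll/CA-SERVER.crl",
]


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516 layout) into host, DN, attributes, scope and filter.

    A Microsoft CA puts the full DN of the CRL object in the path and uses the
    '?attr?scope?filter' chain to say which attribute of that object to read;
    that chain is the "file specification" the accepted answer refers to.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        raise ValueError("not an ldap:// URL: %s" % url)
    dn = unquote(parts.path.lstrip("/"))
    ext = parts.query.split("?") if parts.query else []
    return {
        "host": parts.hostname,  # None for ldap:/// (no host given at all)
        "dn": dn,
        "attributes": [a for a in ext[0].split(",") if a] if ext else [],
        "scope": ext[1] if len(ext) > 1 else "base",
        "filter": ext[2] if len(ext) > 2 else "(objectClass=*)",
    }


def has_embedded_file_spec(url):
    """True when an ldap:// URL carries the Microsoft-style file specification:
    several CN= components in the DN and/or the ?attr?scope?filter chain."""
    info = parse_ldap_url(url)
    cn_count = sum(1 for rdn in info["dn"].split(",")
                   if rdn.strip().upper().startswith("CN="))
    return cn_count > 1 or bool(urlsplit(url).query)


def choose_crl_source(cdp_uris, query_url=None):
    """Pick the CRL location following the rule described in the accepted answer.

    Returns (source, url): ('cdp', url) when a usable CDP entry exists, i.e.
    http:// or ldap:// without the embedded file spec; ('query-url', url) when
    only Microsoft-style LDAP entries are present and a usable query url is
    configured; (None, None) when nothing usable remains.
    """
    for uri in cdp_uris:
        if uri.lower().startswith("http://"):
            return "cdp", uri
    for uri in cdp_uris:
        if uri.lower().startswith("ldap://") and not has_embedded_file_spec(uri):
            return "cdp", uri
    if query_url:
        if query_url.lower().startswith("ldap://") and has_embedded_file_spec(query_url):
            return None, None  # same unsupported format, so it will not help
        return "query-url", query_url
    return None, None


def host_is_resolvable(url, resolver=socket.gethostbyname):
    """Check that the URL's host name resolves before relying on the CDP.

    The last post in the thread failed exactly here: the certificate carried a
    correct URL, but the router had no way to resolve its DNS name. `resolver`
    is injectable so the check can run offline; socket.gethostbyname raises
    OSError on failure and a dict-backed resolver raises KeyError.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        resolver(host)
        return True
    except (OSError, LookupError):
        return False


if __name__ == "__main__":
    print(parse_ldap_url(SAMPLE_CDP_URIS[0]))
    print(choose_crl_source(SAMPLE_CDP_URIS))
    print(choose_crl_source(SAMPLE_CDP_URIS[:1],
                            query_url="http://crl.example.test/CA-SERVER.crl"))
```

Run against a certificate's actual CDP list, the selection function tells you in advance whether a device that cannot parse the Microsoft LDAP form will have anything left to fetch, and the resolver check catches the DNS gap before it shows up as a silent failure to retrieve the CRL.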