09-28-2011 11:14 AM - edited 03-09-2019 11:41 PM
Hi all,
The background is that I'm currently setting up a DMVPN solution with the IPsec tunnels between the spokes created using certificates.
I'm using a Cisco 877 as the CA server (it's running 12.4(6)T5) to provide the certificates to the spoke routers. This part is working fine - the spokes can request a certificate and get one issued, all well and good.
The problem is on the CA: the CRL lifetime is set to 24 hours but the CA is not updating the CRL, so when the spokes look for the revocation list (as set in their trustpoint) they report an error that the CRL is out of date and won't connect.
If I do a 'sh crypto pki server' it lists a 'CRL NextUpdate timer'. This has a timestamp that is 24 hours after the last certificate was revoked. The only way I can get the CRL to be re-generated is to revoke a certificate.
So, my question is, have I missed something here? I thought the CA would automatically generate a new CRL file every 24 hours.
Can anyone help?
Thanks.
10-02-2011 02:10 AM
Hi Mark (?)
this seems to match this bug:
CSCsy95838 IOS CA: CRL not updated, update timer no started
However it does not mention if 12.4(6)T5 is affected, only that it was found in 12.4(15)T3 and resolved in 12.4(15)T10 and other more recent releases.
I would suggest trying the latest 12.4(15)Tx, 15.0(1)Mx or 15.1(4)Mx release if you can.
I suppose you've thought of it, but just in case: as a workaround you can disable the CRL check on all the DMVPN routers; obviously they will then still allow connections from a spoke whose certificate has been revoked.
As a (temporary?) replacement for a CRL, you could use a "certificate ACL" with which you can kind of create a "manual local CRL" :
crypto pki certificate map certACL 10
 serial-number ne <serial of a revoked certificate>
 serial-number ne <serial of a revoked certificate>
 etc.
crypto pki trustpoint myTP
 match certificate certACL
(note the "ne" stands for "not equal" so you are permitting any certificate whose serial number is not listed)
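To make concrete what the spokes are doing when they refuse a connection on an out-of-date CRL, and why the "just ignore the revocation check" workaround is the weaker option, here is an added example (my own code, not from this thread and not Cisco IOS): a minimal DER parser that pulls thisUpdate, nextUpdate and the revoked serials out of a CRL and then makes the same accept/reject decision a spoke's trustpoint makes. The CRL it checks is constructed inline with a throwaway encoder (empty issuer name, placeholder signature that is not verified), and the dates and serial numbers are made up to echo the situation above: a CRL with a 24-hour lifetime that the CA never regenerates. The `revocation_check` argument mirrors the IOS trustpoint `revocation-check crl` / `revocation-check none` keywords.

```python
"""Added example: CRL freshness and revocation check as a spoke would perform it.
Not code from the thread or from Cisco IOS. DER helpers cover only what a CRL
needs; the CRL signature is a placeholder and is NOT verified here."""
import datetime as dt

UTC = dt.timezone.utc

# ---- tiny DER encoder, just enough to build a CertificateList (RFC 5280) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):
    # minimal two's-complement encoding, as DER requires
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def utctime(t):
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def build_crl(this_update, next_update, revoked_serials):
    """Constructed v2 CRL with a placeholder signature (for the demo only)."""
    sha256_rsa = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # OID 1.2.840.113549.1.1.11
    issuer = seq()  # empty Name; the check below never inspects the issuer
    tbs = [integer(1), sha256_rsa, issuer, utctime(this_update), utctime(next_update)]
    if revoked_serials:
        tbs.append(seq(*[seq(integer(s), utctime(this_update)) for s in revoked_serials]))
    signature = tlv(0x03, b"\x00" * 17)  # BIT STRING placeholder, not a real signature
    return seq(seq(*tbs), sha256_rsa, signature)

# ---- tiny DER decoder ----
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=UTC)

def parse_crl(der):
    """Return (this_update, next_update or None, set of revoked serial numbers)."""
    _, cert_list, _ = _read_tlv(der, 0)
    (_, tbs), _sig_alg, _sig = _children(cert_list)
    items = _children(tbs)
    i = 1 if items[0][0] == 0x02 else 0      # optional version INTEGER
    i += 2                                    # signature AlgorithmIdentifier, issuer Name
    this_update = _parse_time(*items[i]); i += 1
    next_update = None
    if i < len(items) and items[i][0] in (0x17, 0x18):
        next_update = _parse_time(*items[i]); i += 1
    revoked = set()
    if i < len(items) and items[i][0] == 0x30:  # revokedCertificates
        for _, entry in _children(items[i][1]):
            _serial_tag, serial = _children(entry)[0]
            revoked.add(int.from_bytes(serial, "big", signed=True))
    return this_update, next_update, revoked

def check_peer(crl_der, peer_serial, now, revocation_check="crl"):
    """The spoke's decision. 'crl' fails closed on a stale CRL, which is what the
    spokes in the thread did; 'none' never consults the CRL, so a revoked peer
    is still accepted (fails open). Returns (accept, reason)."""
    if revocation_check == "none":
        return True, "revocation check disabled: accepted without consulting the CRL"
    this_update, next_update, revoked = parse_crl(crl_der)
    if now < this_update:
        return False, "CRL thisUpdate is in the future (check clocks / NTP)"
    if next_update is not None and now > next_update:
        return False, "CRL is stale: nextUpdate %s has passed" % next_update.isoformat()
    if peer_serial in revoked:
        return False, "certificate serial %d is revoked" % peer_serial
    return True, "certificate serial %d not revoked, CRL current" % peer_serial

# Constructed scenario: CRL with a 24-hour lifetime, one revoked serial, never regenerated.
ISSUED = dt.datetime(2011, 9, 26, 10, 0, tzinfo=UTC)
NEXT_UPDATE = ISSUED + dt.timedelta(hours=24)
FRESH = ISSUED + dt.timedelta(hours=2)                       # inside the CRL lifetime
OP_POST_TIME = dt.datetime(2011, 9, 28, 11, 14, tzinfo=UTC)  # well past nextUpdate
SAMPLE_CRL = build_crl(ISSUED, NEXT_UPDATE, [7])

if __name__ == "__main__":
    for serial, when in [(5, FRESH), (7, FRESH), (5, OP_POST_TIME)]:
        print(serial, when.isoformat(), *check_peer(SAMPLE_CRL, serial, when))
    print(7, "with revocation-check none:", *check_peer(SAMPLE_CRL, 7, FRESH, "none"))
```

The third case is the one from the original post: a serial that was never revoked is still rejected once nextUpdate has passed, because a spoke cannot tell a CA that simply forgot to republish from one whose fresh CRL is being withheld. The last case shows the cost of `revocation-check none`: serial 7 is accepted even though the CRL lists it. The certificate-map approach above keeps an explicit deny list while the CA is not republishing, which is why it is the better stopgap.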
10-04-2011 12:18 AM
Hi Herbert,
That's the ticket! I ran up another unit with the same IOS version and got the same results. I then updated the IOS to 12.4(24)T5 and the problem has gone away.
I do like your workaround - better than my 'just ignore the revocation check!'
Many thanks!
Mark.